Troubleshooting Certificate Issues
When you install a new, externally-signed SSL certificate on KeyControl, KeyControl automatically updates the CA certificate on all registered VMs at their next heartbeat.
If any of the VMs are unreachable for 4 consecutive heartbeats, KeyControl considers the update request to have timed out for those VMs. It sends one alert for each inaccessible VM to the Cloud Admins associated with that VM and then continues with the SSL certificate installation process.
The next time one of the inaccessible VMs boots, it may be unable to retrieve the proper keys from KeyControl because the old CA certificate the VM is using cannot verify the new KeyControl SSL certificate. The VM will then reject any communication from KeyControl until it has the correct CA certificate installed and can once again verify KeyControl's identity.
If there are encrypted data drives on the VM, KeyControl will not attach those drives when the VM reboots. If the boot partition is encrypted on the VM, the VM will fail to boot. At this point you need to manually update the CA certificate on the VM in order to restore the communication between the VM and KeyControl.
For more information, see:
- Manually Updating the CA Certificate on a Data Encrypted VM. After you update the CA certificate, the VM can retrieve the keys from KeyControl and the encrypted drives will be automatically reattached.
- Manually Updating the CA Certificate on a Windows Boot Drive Encrypted VM.
- Manually Updating the CA Certificate on a Linux Root Drive Encrypted VM.
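The trust failure described above (the VM's old CA certificate can no longer verify KeyControl's newly installed certificate) can be reproduced and checked from a shell before a missed-heartbeat VM is rebooted. This is an added example, not KeyControl code or documentation; it assumes the `openssl` command-line tool is installed, and every certificate, key and hostname in it is constructed locally.

```shell
#!/bin/sh
# Returns 0 when CA_FILE can verify SERVER_CERT, non-zero when it cannot.
# On a real VM, CA_FILE is the CA bundle the VM uses to verify KeyControl and
# SERVER_CERT is the certificate KeyControl currently presents.
ca_trusts_keycontrol() {
    ca_file=$1
    server_cert=$2
    openssl verify -CAfile "$ca_file" "$server_cert" >/dev/null 2>&1
}

# Lab setup (constructed): an old CA, a new CA, and a "KeyControl" server
# certificate signed only by the new CA. Prints the directory holding
# old_ca.pem, new_ca.pem and keycontrol.pem.
make_lab_certs() {
    dir=$(mktemp -d)
    for ca in old_ca new_ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$dir/$ca.key" -out "$dir/$ca.pem" >/dev/null 2>&1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=keycontrol.example.test" \
        -keyout "$dir/keycontrol.key" -out "$dir/keycontrol.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/keycontrol.csr" \
        -CA "$dir/new_ca.pem" -CAkey "$dir/new_ca.key" -CAcreateserial \
        -out "$dir/keycontrol.pem" >/dev/null 2>&1
    echo "$dir"
}

# To check a live appliance instead of the lab, capture its certificate first
# (hostname is a placeholder):
#   openssl s_client -connect keycontrol.example.test:443 </dev/null 2>/dev/null \
#       | openssl x509 -out keycontrol.pem

lab=$(make_lab_certs)
if ca_trusts_keycontrol "$lab/old_ca.pem" "$lab/keycontrol.pem"; then
    echo "old CA still verifies KeyControl: the VM would reconnect"
else
    echo "old CA cannot verify KeyControl: the VM would reject it until its CA is updated"
fi
if ca_trusts_keycontrol "$lab/new_ca.pem" "$lab/keycontrol.pem"; then
    echo "new CA verifies KeyControl: this is the CA the VM needs"
fi
rm -rf "$lab"
```

Run the check against the VM's actual CA file and the captured KeyControl certificate; a non-zero exit means the VM will not get its keys back after a reboot until the CA certificate is updated by one of the procedures linked above.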