VM Cert Renewal

So basically, we have an IDN setup, and we use IDN for password renewal.

For IDN, we have two VM clusters, for which we received a certificate alert stating that the certificate is going to expire on January 4, 2026.

Whenever users try to reset their password in IDN, we have a Web Services connector application configured with the IIQ workflow API. When users reset their password, this IDN-configured application calls a workflow in IIQ, and that workflow updates the password in Active Directory.

This is the purpose of IDN in our environment. Basically, it is an integration between IDN and IIQ, and we are using a Virtual Appliance (VA) for this integration.

Now, since the certificate is about to expire, we are looking for the steps to renew the certificate.

Does just replacing the certificate in the location Sailpoint/Home/Certificate work?

You need to perform the following steps as per the document and based on your scenario:

TLS Configuration on Virtual Appliances

Scenario #1

Replace an Expired Certificate Issued by an External Certificate Authority

++++++++++++++++++++++++++++++++++++++++++++++++++
Complete the following steps:

  1. Add the new certificate on the source with a new name.
  2. Restart the CCG using the following command: sudo systemctl restart ccg

Note
The source’s certificate is auto-imported to the VA.
++++++++++++++++++++++++++++++++++++++++++++++++++

Scenario #2

Replace an Expired Certificate Issued by an Internal Certificate Authority

===============================================
If you’re using an internal CA, you need to add the new certificate on both the source and the VA with a new name.

Complete the following steps:

  1. Add the new certificate on the source with a new name.
  2. Import certificate and entire key chain (Root and Intermediate Certificates) to VA as described in Import a Certificate and Keychain to the Virtual Appliance.
  3. Restart the CCG using the following command: sudo systemctl restart ccg
  4. Test the connection.

===============================================


Hi Ravi,

Sharing my experience of the renewal here:

Link to refer to: Managing Virtual Appliances - SailPoint Identity Services

Certificate renewal:

  1. Generate the root and key cert using the openssl command (if required).

  2. Generate the CSR.

  3. Get the new certificate based on the CSR.

  4. Move the key and CSR to the cert folder along with the certificate provided by your organization's system, such as Venafi/PKI.

  5. Take a backup of the new certificate and move it to a temp/backup folder.

  6. sudo reboot the machine and test the connection.

Hope this helps.
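As an added example, not code from either reply above and not from SailPoint's documentation: a POSIX shell script that carries out the key and CSR steps from the second reply with openssl, and then runs the checks a practitioner would want before copying anything into the VA cert folder or importing a keychain as in the internal-CA scenario of the first reply: that the certificate that came back belongs to the key you generated, that it verifies against the root/intermediate chain you intend to import, and that it is not already close to expiry. The VA hostname, the scratch directory, and the throwaway local CA that stands in for the organization's PKI (Venafi or similar) are constructed assumptions so the script runs offline; nothing is written to a real VA.

```shell
#!/bin/sh
# Added example (not from the thread or SailPoint's docs): generate the VA key and CSR,
# obtain a certificate, and verify it before touching the VA's cert folder.
# Assumptions (constructed): the hostname, a scratch directory, and a throwaway CA that
# stands in for the organization's PKI (Venafi etc.). Nothing here is written to the VA.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"      # scratch directory, not the VA's cert folder
VA_CN="${VA_CN:-va01.example.internal}" # assumed VA hostname

# Steps 1-2: private key plus CSR. The SAN is placed in the CSR; whether the issuing CA
# copies it into the certificate depends on the CA's policy, so check the result.
gen_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/va.key" -out "$WORKDIR/va.csr" \
        -subj "/CN=$VA_CN" -addext "subjectAltName=DNS:$VA_CN" 2>/dev/null
    openssl req -in "$WORKDIR/va.csr" -noout -verify >/dev/null 2>&1
}

# Step 3 stand-in: in practice the CSR goes to Venafi / the internal PKI and a certificate
# comes back. Here a constructed local CA signs it so the script runs offline.
issue_from_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
        -subj "/CN=Constructed Test CA" 2>/dev/null
    openssl x509 -req -in "$WORKDIR/va.csr" -days 365 \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -CAcreateserial \
        -out "$WORKDIR/va.crt" 2>/dev/null
}

# Check 1: the certificate must contain the public key of the private key we generated.
# Comparing a digest of the two SubjectPublicKeyInfo blobs catches a cert issued against
# an older CSR or a key that was regenerated after the CSR was submitted.
cert_matches_key() {
    k=$(openssl pkey -in "$WORKDIR/va.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$WORKDIR/va.crt" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the certificate validates against the CA bundle you intend to import to the VA
# (root plus intermediates, concatenated). A failure here means the keychain you are
# about to import in the internal-CA scenario is incomplete.
chain_verifies() {
    openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/va.crt" >/dev/null 2>&1
}

# Check 3: the certificate does not expire within N days (default 30), so the renewal
# does not immediately trigger the next expiry alert. Returns non-zero if it does.
not_expiring_within_days() {
    secs=$(( ${1:-30} * 86400 ))
    openssl x509 -in "$WORKDIR/va.crt" -noout -checkend "$secs" >/dev/null
}

# Full run: stage the files, then refuse to continue if any check fails.
renew_and_check() {
    gen_key_and_csr && issue_from_test_ca || return 1
    cert_matches_key            || { echo "FAIL: va.crt does not match va.key" >&2; return 1; }
    chain_verifies              || { echo "FAIL: va.crt does not verify against ca.crt" >&2; return 1; }
    not_expiring_within_days 30 || { echo "FAIL: va.crt expires within 30 days" >&2; return 1; }
    echo "OK: $WORKDIR/va.key, va.csr and va.crt are ready to copy to the VA cert folder"
}

renew_and_check
```

To use it against a real issuance, skip issue_from_test_ca, drop the certificate returned by your PKI into $WORKDIR/va.crt and the concatenated root/intermediate PEM into $WORKDIR/ca.crt, and run the three check functions; only when all three pass is it worth moving the files, restarting the CCG or rebooting, and testing the connection.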