

Manage the Root Certificates

The NBA holds a set of well-known root certificate authority (CA) certificates that the SSL decoder uses to validate the certificate chains presented by target websites. CAs withdraw root certificates and issue new ones from time to time, so you must keep this set up to date on the NBA appliance: add or remove certificates as needed, and if a public certificate is revoked, add it to the NBA's revocation list. Every certificate in this set is a trust anchor for the decoder, so import only certificates obtained from a source you trust, and compare the fingerprint of each one with the value the CA publishes before you import it.

Status information for all the certificate files is recorded in two log files on the NBA:

There are two methods for updating the certificate lists.

To manage root certificates using the NBA console

  1. Log in to the NBA console and go to the SSL tab.
  2. Click the Root Certificates option.
  3. You can add, remove, or download trusted root certificates and revoked root certificates. Do one of the following:
    Add new certificates: click Import, browse to the file containing the certificates that you want the SSL decoder to use (a single file can contain multiple certificates), and then click Import to add the selected file.
    Remove one or more certificates: click Delete, hold down the Ctrl key while selecting the certificates to remove, and then click Delete to remove the selected certificates.
    Download a certificate file: click Export to download a file containing all certificates in the list. You can import this file on another NBA appliance to keep the certificate sets identical across several appliances, or keep it as a backup of the current list.
    Reset the certificate list: click Reset to remove all current certificates, including any you imported, and replace them with the certificates delivered on installation. Export the list first if you may need to restore it.

To manage root certificates using FTP

  1. Using FTP, browse to the NBA /config/rootcerts folder. FTP sends the login credentials and the files themselves in clear text, so use it only over a trusted management network.
  2. Add, remove, or copy certificate files in this folder to maintain the set. The SSL decoder does not pick up the changes until you run the update described next.
  3. To make the NBA use the modified set of certificates in this folder:
    1. Log on to the NBA console using SSH.
    2. Prepare the NBA command environment with this command:
      . /usr/local/share/nba/nbarc
      

      Note: Do not omit the space between the period and the first slash.

    3. Change into the NBA executable directory:
      cd /home/nba/bin
      
    4. Update the NBA SSL Decode configuration with this command:
      ./nbacmd SSL_UPDATE
      
    5. Output like the following, ending in OK, confirms that the decoder reloaded the certificate set:
      2010/11/26 15:55:32.653788 nbaSendEvent: Event system connected
      2010/11/26 15:55:37.679308 CMD: SSL certificate regeneration completed.
      OK
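Whether a certificate file goes in through the console's Import step or is copied into /config/rootcerts by FTP, it is worth inspecting it before it becomes part of the trust store. The following Python script is an added example and is not part of the NBA product or its documentation. It splits a PEM bundle into its certificates (a single DER file is handled too; which formats the appliance itself accepts is documented separately and not assumed here), and for each certificate reports the SHA-256 fingerprint and subject and flags it when it is already in the store, expired, or not self-issued (an intermediate or end-entity certificate does not belong in a root store). It uses only the standard library. The sample bundle, the fingerprints of the "existing" store, and the clock are constructed for the example; the sample certificates are structurally valid X.509 but carry placeholder keys and signatures.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}  # DER OIDs of common DN attributes

def der(tag, content):  # encode one DER TLV, long length form when the value is 128 bytes or more
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def tlv(data, pos):  # decode the TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: the low bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(data, start, end):  # the TLV triples packed inside a constructed value
    out, pos = [], start
    while pos < end:
        out.append(tlv(data, pos))
        pos = out[-1][2]
    return out

def name_to_str(data, start, end):  # X.501 Name (SEQUENCE OF SET OF {OID, value}) -> 'C=.., O=.., CN=..'
    parts = []
    for _, ss, se in children(data, start, end):  # one SET per RDN
        for _, qs, qe in children(data, ss, se):  # AttributeTypeAndValue SEQUENCE
            oid, val = children(data, qs, qe)
            parts.append(ATTR.get(data[oid[1]:oid[2]], "?") + "=" + data[val[1]:val[2]].decode("utf-8", "replace"))
    return ", ".join(parts)

def parse_time(data, t):  # UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (tag 0x18, YYYYMMDDHHMMSSZ)
    fmt = "%y%m%d%H%M%SZ" if t[0] == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(data[t[1]:t[2]].decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def describe(cert):
    """Pull subject, self-issued flag, expiry and SHA-256 fingerprint out of one DER certificate."""
    _, cs, ce = tlv(cert, 0)                 # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    tbs = children(cert, cs, ce)[0]
    f = children(cert, tbs[1], tbs[2])
    if f[0][0] == 0xA0:                      # skip the optional [0] EXPLICIT version
        f = f[1:]
    issuer, validity, subject = f[2], f[3], f[4]   # after serialNumber and signature AlgorithmIdentifier
    return {"fingerprint": hashlib.sha256(cert).hexdigest(),
            "subject": name_to_str(cert, subject[1], subject[2]),
            # a root is self-issued: its issuer Name is byte-for-byte its subject Name
            "self_issued": cert[issuer[1]:issuer[2]] == cert[subject[1]:subject[2]],
            "not_after": parse_time(cert, children(cert, validity[1], validity[2])[1])}

def load_certs(blob):  # every block of a PEM bundle, or the whole file when it is a single DER certificate
    text = blob.decode("ascii", "ignore")
    if "-----BEGIN CERTIFICATE-----" in text:
        return [base64.b64decode("".join(m.group(1).split())) for m in PEM_RE.finditer(text)]
    return [blob]

def check_bundle(blob, existing_fingerprints, now):
    """Classify every certificate in a file before it goes into the root store."""
    results = []
    for cert in load_certs(blob):
        info = describe(cert)
        if info["fingerprint"] in existing_fingerprints:
            info["status"] = "duplicate"     # already trusted; nothing to add
        elif info["not_after"] < now:
            info["status"] = "expired"       # dead anchor; leave it out
        elif not info["self_issued"]:
            info["status"] = "not-a-root"    # intermediate or leaf; does not belong in a root store
        else:
            info["status"] = "ok"
        results.append(info)
    return results

# Constructed sample input: structurally valid X.509v3, but the key and signature are placeholders.
def make_name(c, o, cn):
    rdn = lambda oid, v: der(0x31, der(0x30, der(0x06, oid) + der(0x13, v.encode())))
    return der(0x30, rdn(b"\x55\x04\x06", c) + rdn(b"\x55\x04\x0a", o) + rdn(b"\x55\x04\x03", cn))

def make_cert(issuer, subject, not_after):
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))  # sha256WithRSAEncryption
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, not_after))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + issuer + validity + subject
              + der(0x30, alg + der(0x03, b"\x00\x30\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))

def to_pem(cert):
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

G2, G1 = make_name("US", "Example Trust", "Example Root G2"), make_name("US", "Example Trust", "Example Root G1")
OLD, ISSUING = make_name("US", "Example Trust", "Example Legacy Root"), make_name("US", "Example Trust", "Example Issuing CA")
ROOT_NEW, ROOT_KNOWN = make_cert(G2, G2, b"350101000000Z"), make_cert(G1, G1, b"350101000000Z")
ROOT_OLD, INTERMEDIATE = make_cert(OLD, OLD, b"150101000000Z"), make_cert(G2, ISSUING, b"300101000000Z")
BUNDLE = "".join(to_pem(c) for c in (ROOT_NEW, ROOT_KNOWN, ROOT_OLD, INTERMEDIATE)).encode()
STORE = {hashlib.sha256(ROOT_KNOWN).hexdigest()}  # fingerprints the appliance's store already holds (constructed)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in check_bundle(BUNDLE, STORE, NOW):
        print(f"{r['status']:<10} {r['fingerprint'][:16]}  {r['not_after']:%Y-%m-%d}  {r['subject']}")
```

The self-issued test is structural, not cryptographic: the script does not verify signatures, so a forged self-signed certificate with a borrowed subject name passes it. That is why the fingerprint column matters; compare it with the value the CA publishes before importing. To build the existing-store set for a real appliance, run `describe` over the file exported from the console or over each file in /config/rootcerts and collect the fingerprints.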