Lighthouse Certificate Management

Lighthouse uses X.509 certificates for node authentication to the Lighthouse VPN and REST API. Certificates are issued by the internal Lighthouse certificate authority as part of the node enrollment process, and are automatically renewed by Lighthouse before expiry. The replacement certificates are pushed from Lighthouse to connected nodes.

Lighthouse will manage certificates automatically, and no action needs to be taken by the customer. However, there are some things to be aware of:

  • Node certificates are revoked by Lighthouse when a node is unenrolled, or when the certificate has been replaced (after the replacement certificate has been used to successfully connect to the Lighthouse VPN). Revoked certificates cannot be used to authenticate to the Lighthouse VPN or REST API.

  • Once the Lighthouse CA has been renewed, the old CA can be revoked after all nodes have been notified of the change. Remediate or unenroll any disconnected nodes to complete this operation.

  • If a node is disconnected from Lighthouse for an extended period of time, it may not be possible to push the updated certificate to the node. Lighthouse will retry the push job regularly until the node's existing certificate has expired, at which point the node will have to be manually re-enrolled.

Precautions

If an old Lighthouse configuration backup is restored to Lighthouse, the node certificate details in the backup may no longer match those on the nodes themselves, in which case the nodes will fail to connect to Lighthouse. Please ensure configuration backups of Lighthouse are kept up to date.

Similarly, if a node has its configuration restored from an old backup, its certificate may no longer match the one expected in Lighthouse. In these cases, it will be necessary to unenroll and re-enroll the node. To avoid these situations, please ensure configuration backups of nodes are kept up to date.

Note: There is a limitation on Operations Manager (OM) and Console Manager CM8XXX nodes where the Lighthouse VPN connection configuration is not retained in the node backup.

The validity periods of the Lighthouse VPN certificate and the client certificates should be no greater than that of the CA certificate used to issue them. The existing certificate validity periods can be seen by running the show sub-command of cert_manage, and the pre-configured defaults by adding the --defaults option.
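The constraint above (a leaf certificate's validity window must sit inside its issuing CA's window) is easy to check from the certificate files themselves. The following is an added example, not code from the Lighthouse product or its documentation: it parses the `notBefore=`/`notAfter=` lines that `openssl x509 -noout -dates` prints and flags any certificate whose window exceeds the CA's. The certificate names and dates in the sample input are constructed for illustration; the real paths of the Lighthouse CA, VPN and client certificates are not given on this page and are not assumed here.

```python
"""Check that issued certificates' validity windows fall inside the issuing CA's.

Input is the text printed by `openssl x509 -in <cert> -noout -dates`, e.g.
    notBefore=Jan  1 00:00:00 2024 GMT
    notAfter=Jan  1 00:00:00 2034 GMT
"""
from datetime import datetime, timezone

# Date layout used by `openssl x509 -dates` (day may be space-padded).
_OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from openssl -dates output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl writes single-digit days as "Jan  1"; collapse the padding.
            value = " ".join(value.split())
            found[key] = datetime.strptime(value, _OPENSSL_DATE_FMT).replace(
                tzinfo=timezone.utc
            )
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("openssl output is missing notBefore or notAfter")
    return found["notBefore"], found["notAfter"]


def check_validity(ca_window, leaf_windows):
    """Return (name, problem) pairs for leaves whose window is not inside the CA's.

    ca_window:    (not_before, not_after) of the issuing CA
    leaf_windows: {name: (not_before, not_after)} for each issued certificate
    """
    ca_nb, ca_na = ca_window
    problems = []
    for name, (nb, na) in leaf_windows.items():
        if nb < ca_nb:
            problems.append((name, "notBefore precedes CA notBefore"))
        if na > ca_na:
            problems.append((name, "notAfter exceeds CA notAfter"))
    return problems


# Constructed sample output (not real Lighthouse certificates): a 10-year CA,
# a 1-year VPN certificate that fits, and a client certificate that outlives the CA.
SAMPLE_CA = "notBefore=Jan  1 00:00:00 2024 GMT\nnotAfter=Jan  1 00:00:00 2034 GMT\n"
SAMPLE_LEAVES = {
    "vpn-server": "notBefore=Mar  5 10:00:00 2024 GMT\nnotAfter=Mar  5 10:00:00 2025 GMT\n",
    "node-client": "notBefore=Jun 10 08:30:00 2024 GMT\nnotAfter=Jun 10 08:30:00 2035 GMT\n",
}


def audit(ca_text, leaf_texts):
    """Parse CA and leaf outputs and report validity-window violations."""
    ca_window = parse_openssl_dates(ca_text)
    leaf_windows = {name: parse_openssl_dates(t) for name, t in leaf_texts.items()}
    return check_validity(ca_window, leaf_windows)


if __name__ == "__main__":
    for name, problem in audit(SAMPLE_CA, SAMPLE_LEAVES):
        print(f"{name}: {problem}")
```

To run it against real files, capture `openssl x509 -in <cert.pem> -noout -dates` for the CA and for each issued certificate and pass those strings to `audit` in place of the constructed samples; an empty result means every issued certificate expires no later than its CA.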

Lighthouse will automatically process scheduled certificate updates daily at 1 AM Lighthouse system time. Under normal circumstances there is no need to run cert_manage run manually.

Configuration

The cert_manage command can be used to control various aspects of certificate management in Lighthouse. The default settings are recommended, and should only be changed with caution.

Only users with sudo access on the primary Lighthouse CLI (for example, via the admin group) can configure certificate management.

Note: All functionality is available only via the Lighthouse CLI. There is no UI or REST API interface for the certificate management feature. The Jobs page on the Lighthouse UI will show node certificate update jobs.

Scheduling

Certificate renewal jobs are scheduled using cron to run at 1 AM (Lighthouse system time), every day. An administrator may choose to update the frequency of the cron job under /etc/cron.d/rotate_certificates.cron.

Log File

The certificate management logs can be found in /var/log/cert_manager.log.