Lighthouse Certificate Management

Lighthouse uses X.509 certificates for node authentication to the Lighthouse VPN and REST API. By default, certificates are issued by the internal Lighthouse certificate authority as part of the node enrollment process and are automatically renewed by Lighthouse before expiry; however, you can configure certificates to be issued by an external certificate authority instead.

Node certificates are revoked by Lighthouse when a node is unenrolled, or for internal certificates, when the certificate has been replaced (after the replacement certificate has been used to successfully connect to the Lighthouse VPN). The replacement certificates are pushed from Lighthouse to connected nodes. Revoked certificates cannot be used to authenticate to the Lighthouse VPN or REST API.

Lighthouse supports one of the following:

  • internal certificate authority. Lighthouse manages internal certificates automatically, and no action is required by the customer.

  • external certificate authority (CA). This feature is available via the command line interface (CLI) and allows you to:

    • Configure an external CA using the Simple Certificate Enrollment Protocol (SCEP).

    • Enroll an Opengear device (node) or secondary instance using a certificate issued by the external CA.

    • Revoke a node or secondary certificate using the Online Certificate Status Protocol (OCSP). This causes them to be unenrolled from Lighthouse.

Notes:
  • It is strongly recommended to use a separate CA for each Lighthouse deployment.
  • The renewal workflow is only supported for internal certificates.

The following table outlines some important differences between and considerations for internal and external CAs.

Certificate Authority | Description
Internal
  • After the Lighthouse CA has been renewed, the previous CA can be revoked once all nodes have been notified of the change. Remediate or unenroll any disconnected nodes to complete this operation.

  • If a node is disconnected from Lighthouse for an extended period of time, it may not be possible to push the updated certificate to the node. Lighthouse will retry the push job regularly until the node's existing certificate has expired, at which point the node will have to be manually re-enrolled.

Precautions

If an old Lighthouse configuration backup is restored to Lighthouse, the node certificate details in the backup may no longer match those on the nodes themselves, in which case the nodes will fail to connect to Lighthouse. Ensure that configuration backups of Lighthouse are kept up to date. Similarly, if a node has its configuration restored from an old backup, its certificate may no longer match the one expected in Lighthouse. In these cases, it will be necessary to unenroll and re-enroll the node. To avoid these situations, ensure configuration backups of nodes are kept up to date.

Note: There is a limitation on Operations Manager (OM) and Console Manager CM8XXX nodes where the Lighthouse VPN connection configuration is not retained in the node backup.

The validity periods of the Lighthouse VPN certificate and client certificates should be no greater than that of the CA certificate used to issue them. The existing certificate validity periods can be seen by running the show sub-command, and the pre-configured defaults by using the --defaults option.
Lighthouse automatically processes scheduled certificate updates daily at 1 AM Lighthouse system time. Under normal circumstances there is no requirement to manually run cert_manage run.

External

The following limitations apply when you configure an external CA:

  • The external CA must be configured on a fresh Lighthouse instance with no Opengear devices or Secondary Instances enrolled.

  • Lighthouse only supports a single external CA. The certificate authority configuration can be updated, but only for the originally configured CA.

  • After an external CA is configured, Lighthouse is unable to revert to its internal certificate authority. To return to an internal certificate authority, a factory reset is required.

  • Certificate renewals are not supported. It is recommended that you set the certificate validity for a long period of time.

  • We strongly recommend that you configure external CAs as a multi-tier hierarchy, with a long-lived root CA certificate (10+ years validity), and an intermediate CA certificate that issues the certificates for use by Lighthouse. This allows replacement of the intermediate CA certificate as required without disrupting the normal operation of Lighthouse and nodes.

  • Lighthouse does not support rollover of root CA certificates.

  • It is recommended to turn off manual approval of certificates to avoid the possibility of nodes becoming stuck during enrollment.


External Certificate Revocation

Every four hours, Lighthouse performs a status check that queries the external CA using OCSP to determine the status of all active certificates. If the OCSP certificate status is Revoked, Lighthouse unenrolls the client, logs this information, and marks the certificate as revoked. If there is a security requirement to revoke a certificate in Lighthouse immediately, without waiting for the status check, you can unenroll the affected client.

Consider the following:

  • Revoking an Opengear device or secondary certificate results in the Opengear device or secondary being unenrolled from Lighthouse. This is logged in the certificate manager logs.

  • If a user unenrolls a node/secondary, Lighthouse revokes the certificate internally, but you must manually revoke the corresponding certificate on the external CA.

  • For revocation to happen, the certificates must contain the correct OCSP responder details.

  • Lighthouse currently supports only OCSP for revocation.
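Two of the points above (certificate validity periods must not exceed the issuing CA's, and certificates must carry the OCSP responder details) can be checked before a certificate is put into service. The script below is an added example, not Opengear's code: it builds a constructed two-tier hierarchy with the openssl CLI, issues one conforming and one non-conforming node certificate, and runs both checks over them. The subject names and the OCSP responder URL are placeholders.

```shell
# Added example (not Opengear code): pre-flight checks for certificates destined for an external-CA
# Lighthouse deployment. All certificates are constructed throwaways; names and OCSP URL are placeholders.
set -eu

# Pass if $1's notAfter is not later than its issuer $2's notAfter.
validity_within_issuer() {
  leaf_end=$(date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s)
  ca_end=$(date -d "$(openssl x509 -in "$2" -noout -enddate | cut -d= -f2)" +%s)
  [ "$leaf_end" -le "$ca_end" ]
}

# Pass if $1 carries an OCSP responder URI (Authority Information Access extension).
has_ocsp_responder() {
  [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri)" ]
}

# Build the recommended two-tier hierarchy: 10-year root, 2-year intermediate. Prints the dir.
build_fixture() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Constructed Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 730 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  echo "$d"
}

# Issue a node certificate from the intermediate: $1 = dir, $2 = days, $3 = ocsp|noocsp. Prints the path.
issue_node_cert() {
  out="$1/node-$2-$3.crt"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=node-$2-$3" \
    -keyout "$1/node.key" -out "$1/node.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$1/node.ext"
  if [ "$3" = ocsp ]; then
    printf 'authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/\n' >>"$1/node.ext"
  fi
  openssl x509 -req -in "$1/node.csr" -CA "$1/int.crt" -CAkey "$1/int.key" -CAcreateserial \
    -days "$2" -extfile "$1/node.ext" -out "$out" 2>/dev/null
  echo "$out"
}

# Demo: one well-formed node certificate, one that outlives the intermediate and lacks a responder.
d=$(build_fixture)
for c in "$(issue_node_cert "$d" 365 ocsp)" "$(issue_node_cert "$d" 3650 noocsp)"; do
  validity_within_issuer "$c" "$d/int.crt" && v=ok || v=EXCEEDS-ISSUER
  has_ocsp_responder "$c" && o=ok || o=MISSING
  echo "$(basename "$c"): validity=$v ocsp_responder=$o"
done
```

The script needs the openssl CLI and GNU date; point validity_within_issuer and has_ocsp_responder at a real node certificate and its issuing CA certificate to check a production candidate.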

Configuration

The cert_manage command can be used to control various aspects of certificate management in Lighthouse. The default settings are recommended, and should only be changed with caution.

Only users with sudo access on the primary Lighthouse CLI (for example, via the admin group) can configure certificate management.

For more information, see cert_manage.

Note: All functionality is available only via the Lighthouse CLI. There is no UI or REST API interface for the certificate management feature. The Jobs page on the Lighthouse UI shows node certificate update jobs.

Scheduling

Internal certificate renewal jobs are scheduled using cron to run at 1 AM (Lighthouse system time), every day. An administrator may choose to update the frequency of the cron job under /etc/cron.d/rotate_certificates.cron.

For external certificates, Lighthouse performs a status check every four hours to query the external CA using OCSP to get a list of revoked certificates. Lighthouse then revokes those certificates and unenrolls the corresponding nodes or secondary instances.

Log File

The certificate management logs can be found in /var/log/cert_manager.log.