Lighthouse Certificate Management

Lighthouse uses X.509 certificates for node authentication to the Lighthouse VPN and REST API. By default, certificates are issued by the internal Lighthouse certificate authority as part of the node enrollment process, and are automatically renewed by Lighthouse before expiry, however you can configure Lighthouse to use an external certificate authority instead.

For internal CA's, Lighthouse automatically processes scheduled certificate updates daily at 1 AM Lighthouse system time. Under normal circumstances there is no requirement to manually run cert_manage run.

Lighthouse can support an:

internal certificate authority. Lighthouse manages internal certificates automatically, and no action is required by the customer. This is the default.

external certificate authority (CA). This feature is available via the command line interface (CLI) or the UI and allows you to:

Configure an external CA using the Simple Certificate Enrollment Protocol (SCEP).
Enroll an Opengear device (node) or secondary instance using a certificate issued by the external CA.
Revoke a node or secondary certificate using the Online Certificate Status Protocol (OCSP). This causes them to be unenrolled from Lighthouse.

Note: For an external CA, it is strongly recommended to use a separate CA for each separate Lighthouse deployment that is not a multiple instance setup.

The following table outlines some important differences between and considerations for internal and external CAs.

Certificate Authority Description

Internal

Certificate Authority	Description
Internal	The Lighthouse CA can be revoked after it has been renewed when all nodes have been notified of the change. Remediate or unenroll any disconnected nodes to complete this operation. If a node is disconnected from Lighthouse for an extended period of time, it may not be possible to push the updated certificate to the node. Lighthouse will retry the push job regularly until the node's existing certificate has expired, at which point the node will have to be manually re-enrolled. Precautions If an old Lighthouse configuration backup is restored to Lighthouse, the node certificate details in the backup may no longer match those on the nodes themselves, in which case the nodes will fail to connect to Lighthouse. Ensure that configuration backups of Lighthouse are kept up to date. Similarly, if a node has its configuration restored from an old backup, its certificate may no longer match the one expected in Lighthouse. In these cases, it will be necessary to unenroll and re-enroll the node. To avoid these situations, ensure configuration backups of nodes are kept up to date. Note: There is a limitation on Operations Manager (OM) and Console Manager CM8XXX nodes where a Lighthouse VPN connection configuration is not retained in the node backup. The Lighthouse VPN certificate and client certificates validity periods should be no greater than the CA certificate used to issue them. The existing certificate validity periods can be seen by running the show sub-command and the pre-configured defaults by using the `--defaults` option.
External	The following limitations apply when you configure an external CA: The external CA must be configured on a fresh Lighthouse instance with no Opengear devices or Secondary Instances enrolled. Lighthouse only supports a single external CA. The certificate authority configuration can be updated, but only for the originally configured CA. After an external CA is configured, Lighthouse is unable to revert to its internal certificate authority. To return to an internal certificate authority, a factory reset is required. CA certificate renewals are not currently supported. It is recommended that the CA certificates are valid for a long time (several years). We strongly recommend that you configure external CAs as a multi-tier hierarchy, with a long-lived root CA certificate (10+ years validity), and a long-lived intermediate CA certificate that issues the certificates for use by Lighthouse. Lighthouse does not support rollover of root CA certificates. It is recommended to turn off manual approval of certificates to avoid the possibility of nodes becoming stuck during enrollment.
External	External Certificate Revocation Every four hours, Lighthouse performs a status check to query the external CA using OCSP to determine the status of all active certificates. If the OCSP certificate status is Revoked, LH unenrolls the client, logs this information, and marks the certificate as revoked. If there is a security requirement to immediately revoke a certificate in Lighthouse, without the status check, you can unenroll the affected client. Note: You can also manually run a revocation check. Consider the following: Revoking an Opengear device or secondary certificate results in the Opengear device or secondary being unenrolled from Lighthouse. This is logged in the certificate manager logs. If a user unenrolls a node/secondary, Lighthouse revokes the certificate internally, but you must manually revoke the corresponding certificate on the external CA. For revocation to happen, the certificates must contain the correct OCSP responder details. Lighthouse currently supports only OCSP for revocation.

The Lighthouse CA can be revoked after it has been renewed when all nodes have been notified of the change. Remediate or unenroll any disconnected nodes to complete this operation.
If a node is disconnected from Lighthouse for an extended period of time, it may not be possible to push the updated certificate to the node. Lighthouse will retry the push job regularly until the node's existing certificate has expired, at which point the node will have to be manually re-enrolled.

Precautions

If an old Lighthouse configuration backup is restored to Lighthouse, the node certificate details in the backup may no longer match those on the nodes themselves, in which case the nodes will fail to connect to Lighthouse. Ensure that configuration backups of Lighthouse are kept up to date. Similarly, if a node has its configuration restored from an old backup, its certificate may no longer match the one expected in Lighthouse. In these cases, it will be necessary to unenroll and re-enroll the node. To avoid these situations, ensure configuration backups of nodes are kept up to date.

Note: There is a limitation on Operations Manager (OM) and Console Manager CM8XXX nodes where a Lighthouse VPN connection configuration is not retained in the node backup.

The Lighthouse VPN certificate and client certificates validity periods should be no greater than the CA certificate used to issue them. The existing certificate validity periods can be seen by running the show sub-command and the pre-configured defaults by using the --defaults option.

External

The following limitations apply when you configure an external CA:

The external CA must be configured on a fresh Lighthouse instance with no Opengear devices or Secondary Instances enrolled.
Lighthouse only supports a single external CA. The certificate authority configuration can be updated, but only for the originally configured CA.
After an external CA is configured, Lighthouse is unable to revert to its internal certificate authority. To return to an internal certificate authority, a factory reset is required.
CA certificate renewals are not currently supported. It is recommended that the CA certificates are valid for a long time (several years).
We strongly recommend that you configure external CAs as a multi-tier hierarchy, with a long-lived root CA certificate (10+ years validity), and a long-lived intermediate CA certificate that issues the certificates for use by Lighthouse.
Lighthouse does not support rollover of root CA certificates.
It is recommended to turn off manual approval of certificates to avoid the possibility of nodes becoming stuck during enrollment.

External

External Certificate Revocation

Every four hours, Lighthouse performs a status check to query the external CA using OCSP to determine the status of all active certificates. If the OCSP certificate status is Revoked, LH unenrolls the client, logs this information, and marks the certificate as revoked. If there is a security requirement to immediately revoke a certificate in Lighthouse, without the status check, you can unenroll the affected client.

Note: You can also manually run a revocation check.

Consider the following:

Revoking an Opengear device or secondary certificate results in the Opengear device or secondary being unenrolled from Lighthouse. This is logged in the certificate manager logs.
If a user unenrolls a node/secondary, Lighthouse revokes the certificate internally, but you must manually revoke the corresponding certificate on the external CA.
For revocation to happen, the certificates must contain the correct OCSP responder details.
Lighthouse currently supports only OCSP for revocation.

Configuration

The cert_manage command can be used to control various aspects of certificate management in Lighthouse. The default settings are recommended and should only be changed with caution.

Only users with sudo access on the primary Lighthouse CLI (for example, via the admin group) can configure certificate management.

For more information, see cert_manage and configure an external certificate authority in the CLI.

For configuration in the UI, the Jobs page in the Lighthouse UI shows node certificate update jobs.

For more information, see configure an external certificate authority in the UI.

Scheduling

Certificate renewal jobs are scheduled using cron to run at 1 AM (Lighthouse system time), every day. An administrator may choose to update the frequency of the cron job under /etc/cron.d/rotate_certificates.cron.

For external certificates, Lighthouse performs a status check every four hours to query the external CA using OCSP to get a list of revoked certificates. Lighthouse then revokes those certificates and unenrolls those nodes or secondary instances.

Revocation

For certificate revocation:

For an internal CA (default), node certificates are revoked on node unenrollment or when the certificate is replaced after renewal.
When the certificate is revoked on the external CA, LH unenrolls the node.

Revoked certificates cannot be used to authenticate to the Lighthouse VPN or REST API.

Log File

The certificate management logs can be found in /var/log/cert_manager.log.