Forcepoint DLP CA.CER Certificate Expires Every 5 Years / DLP Certificate Recreation Procedure

Article 000003788
Outlines the corrective steps to renew the certificate chain used by Forcepoint DLP before the certificate's expiration date. This certificate is used by Forcepoint servers and the Endpoint Clients to establish secure communication.

Important: Ensure that a recent and valid DSSBackup has been taken before performing these steps.

If the Forcepoint Security Manager was first installed on v8.3 (or earlier) and will integrate with Forcepoint Behavioral Analytics (FBA), the CA certificate must be recreated, even if the Forcepoint DLP Manager has been upgraded since its initial installation.

Forcepoint Behavioral Analytics (FBA) can only integrate with the Forcepoint DLP Manager if the CA certificate is in X.509 version 3 format. Any DLP Manager that has been upgraded from v8.3 or earlier carries its X.509 version 1 CA certificate through all subsequent upgrades, and that certificate will not work for the FBA integration piece for DDP.

To watch a video detailing this process, see Video: Recreating the Forcepoint DLP Certificate Chain.

Additional details about ca.cer are available in Root CA Certificate Utilization in a Forcepoint DLP Environment.

Main Reference:
https://confluence.cloud.fpdev.io/pages/viewpage.action?spaceKey=TEG&title=Recreate+certificates+procedure

Note: For the Forcepoint Management Infrastructure component's certificates expiring, refer to The Forcepoint Management Infrastructure CA.cer certificate is about to or has expired for more information.

If jetty.cer and activemq.cer have expired while ca.cer is still valid, see "Certificate Issues" in Troubleshooting Websense Data Security Message Broker (ActiveMQ) Issues for a potential alternate solution.
If the customer uses a custom signed Endpoint Server certificate for DLP Endpoint communication (as described in Applying Custom Signed Forcepoint DLP Endpoint Server Certificates), the Endpoint steps in this article do not apply to them.

If you plan to keep the old ca.cer for the EP servers (see below), then in order to retain current Endpoint connectivity you must back up ca.cer, host.key, and host.cer, located under %DSS_HOME%, on every supplementary Endpoint server in this system.

Optional - Retaining Previous (Unexpired) EP Certificates

Alternatively, the original certificates can be used where ca.cer has not expired and the certificate recreation is performed for other purposes. This must be done on ALL Endpoint Servers, excluding the FSM. It restores Endpoint connectivity without having to reinstall the endpoints.

  • Rename the backed up ca.cer to ca-v1.cer and copy it to %DSS_HOME%
  • Rename the backed up host.cer to host-v1.cer and copy it to %DSS_HOME%
  • Rename the backed up host.key to host-v1.key and copy it to %DSS_HOME%
  • Open %DSS_HOME%apache\conf\extra\httpd-ssl.conf in a text editor and perform the following modifications:
    → Replace all occurrences of "ca.cer" with "ca-v1.cer" (3 occurrences)
    → Replace all occurrences of "host.cer" with "host-v1.cer" (2 occurrences)
    → Replace all occurrences of "host.key" with "host-v1.key" (2 occurrences)
  • Restart the "Websense Data Security Web Server" service

The DLP Endpoints will connect back using their old certificates.
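The five retention steps above as a script, added here as an example and not Forcepoint's own tooling. It assumes DSS_HOME is available as an environment variable, that the backups sit in a constructed path C:\DSSBackup\certs, and that the Apache service is addressed by the display name given above; it refuses to run if the backed-up ca.cer has already expired and aborts if httpd-ssl.conf does not contain the stated occurrence counts.

```powershell
# Added example, not Forcepoint tooling. Applies the optional "retain previous EP certificates"
# steps on ONE supplementary Endpoint Server (never on the FSM). Assumes the backed-up
# ca.cer, host.cer and host.key are in $BackupDir and that DSS_HOME is set in the environment.
param(
    [string]$BackupDir = 'C:\DSSBackup\certs',   # assumed backup location; adjust to yours
    [string]$DssHome   = $env:DSS_HOME
)
$ErrorActionPreference = 'Stop'

# Sanity check: the retention path only applies while the old CA is still valid.
$caPath = Join-Path $BackupDir 'ca.cer'
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caPath)
if ($ca.NotAfter -lt (Get-Date)) {
    throw "Backed-up ca.cer expired on $($ca.NotAfter); the old chain cannot be retained."
}
Write-Host "Backed-up CA: X.509 v$($ca.Version), subject '$($ca.Subject)', valid until $($ca.NotAfter)"

# Steps 1-3: place the backed-up files in %DSS_HOME% under their -v1 names.
$renames = [ordered]@{ 'ca.cer' = 'ca-v1.cer'; 'host.cer' = 'host-v1.cer'; 'host.key' = 'host-v1.key' }
foreach ($name in $renames.Keys) {
    Copy-Item -Path (Join-Path $BackupDir $name) -Destination (Join-Path $DssHome $renames[$name])
}

# Step 4: repoint httpd-ssl.conf. Abort if the occurrence counts differ from the
# 3 / 2 / 2 the article states, so an unexpected config is reviewed by hand instead.
$conf = Join-Path $DssHome 'apache\conf\extra\httpd-ssl.conf'
Copy-Item -Path $conf -Destination "$conf.bak"            # untouched copy for rollback
$text = Get-Content -Path $conf -Raw
$expected = @{ 'ca.cer' = 3; 'host.cer' = 2; 'host.key' = 2 }
foreach ($name in $renames.Keys) {
    $found = [regex]::Matches($text, [regex]::Escape($name)).Count
    if ($found -ne $expected[$name]) {
        throw "Expected $($expected[$name]) occurrences of $name in $conf, found $found; edit manually."
    }
    # -creplace keeps the replacement case-sensitive, matching the count above
    $text = $text -creplace [regex]::Escape($name), $renames[$name]
}
Set-Content -Path $conf -Value $text -NoNewline

# Step 5: restart Apache so it loads the old chain; Endpoints then reconnect with their old certs.
Restart-Service -DisplayName 'Websense Data Security Web Server'
```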

DO NOT revert the CA.cer of the Apache server running on the FSM. Doing so will break some components' internal communication and updates (including ResourceResolver syncing), causing unexpected system issues.

As a general note, the FSM should not be used to serve Endpoint clients, regardless of this procedure.

If you choose to keep using the old certificates for the Endpoint Servers, follow these steps when building a new package for DLP Endpoint deployment.

The Endpoint Package Builder takes %DSS_HOME%ca.cer when building the EP installation package. To keep the 'old' ca.cer, do the following on the DLP Management Server:

  • Rename %DSS_HOME%ca.cer (newly generated) to ca-v2.cer
  • Rename %DSS_HOME%ca-v1.cer (original) to ca.cer
  • Run the Endpoint Package Builder and complete the process (it will use the 'old' ca.cer now found in %DSS_HOME%)
  • Rename ca.cer to ca-v1.cer
  • Rename ca-v2.cer to ca.cer

This process will change once the builder takes %DSS_HOME%client\ca.cer when building packages instead, which is planned for a future version.

Internal References:
https://jira.websense.com/browse/EI-21145
https://jira.websense.com/browse/DLP-4429

Certificate Recreation Procedure does not Replace Camel Certificates (8.6+):
https://jira.cloud.fpdev.io/browse/DLP-4820

Updating the CA.cer location during EP package building:
https://jira.cloud.fpdev.io/browse/UEP-34850
https://jira.cloud.fpdev.io/browse/EPR-108

Extending the ca.cer validity period in a future release is unlikely, given the complexity of updating the various certificates to either support an extension option or have a longer validity period. This is a work in progress, however. For now, customers must regenerate their certificates every five years.

September 25, 2019 (RConero, TS): Updated version detail and added FBA/DDP caveat.
January 7, 2020: Corrected broken formatting
March 5, 2020: Added the Important (8.6 and above) section and steps to retain previous EP certificates
December 9, 2020 - Versions were missing
5/11/2021 - Added the following certificates to check:

%DSS_HOME%ca.cer
%DSS_HOME%MessageBroker\conf\keystore\activemq\activemq.cer
%DSS_HOME%Data-Batch-Server\etc\keystore\jetty\jetty.cer
%DSS_HOME%tomcat\conf\keystore\tomcat\tomcat.cer

Removed Unicode symbols as well.
5/25/2021 - Added potentially related deployment error
7/22/2021 - Added products
1/19/2022 - Article has been made customer-facing as part of an initiative to implement a GUI expiry warning in a future release of the product, which would include a link to this article. Moved the "Optional - Retaining Previous (Unexpired) EP Certificates" step to internal references to reduce customer confusion.
2/7/2022 - Customer-facing availability approved by TEG/PM.
3/24/2022 - Corrected a typo and added a macOS article link.
05/31/2022 - The file wasn't shown when logged in with a customer account. I added the file a second time and now it's shown twice. Deleted the file and publishing to hopefully have it shown only once.
8/24/2022 - Added video KB link.
9/9/2022 - Added "Additional details about ca.cer"
7/10/2023 - Added link to the reregistration video.
11/16/2023 - Additional links to registration documentation.
3/11/2024 - Added article link for recreating the forensics repo after deploy failures post-certificate work.
5/7/2024 - Updated Smart Links to use external links
10/4/2024 - Updated doc links