To enable secure and confidential communication between GigaVUE-FM, the GigaVUE-OS devices and other network entities, it is important to deploy, manage and update the required certificates. By default, GigaVUE-FM and the GigaVUE-OS devices come up with self-signed certificates. However, you can also deploy custom certificates signed by a Certificate Authority (CA). This requires you to manually install the certificates and map them to the web server.

Starting in software version 5.13.01, GigaVUE-FM and the devices support the Automatic Certificate Management Environment (ACME) protocol, which automates certificate signing and deployment between Certificate Authorities (CAs) and the web servers of GigaVUE-FM and the GigaVUE-OS devices. If your devices and GigaVUE-FM instances are running software version 5.13.00 or lower, add all the devices to GigaVUE-FM and upgrade both the devices and GigaVUE-FM to software version 5.13.01 before ACME can be used.

How ACME Works

The ACME protocol is based on the principle of client-server communication:

  • ACME Server: Runs at a Certificate Authority, for example, Step-ca. The ACME server responds to client requests and executes the requested actions (issue, renew, revoke) once the client is authorized.
  • ACME Client: Runs on the user's server or device that needs to be protected by a PKI certificate. The ACME client uses the ACME protocol to ask the ACME server running at the CA to perform certificate management tasks such as issuing, renewing and revoking certificates.

An ACME server and a client must both be configured appropriately. The client sends requests to the server; the server receives the requests and issues certificates for the client. The ACME server and the client communicate over a secure HTTPS connection using JSON messages.

Note: For more details about the Automatic Certificate Management Environment protocol, refer to RFC 8555.

ACME Configuration in GigaVUE-FM and the Devices

The ACME client is configured in both GigaVUE-FM and the GigaVUE-OS devices, and takes care of the following operations by contacting the ACME server that runs at a Certificate Authority:

  • Issue of Certificates
  • Renewal of Certificates
  • Certificate Revocation

The following diagram shows how ACME works in GigaVUE-FM and the devices:

Refer to the following summary of the ACME process in devices and GigaVUE-FM, listed per task:

Task: Certificate Issuance and Renewal

In Device:

The ACME client is installed in the devices and takes care of the automatic issue, renewal and revocation of the HTTPS certificate of the devices.

Issuance: After the certificate is downloaded, the device automatically activates the ACME-issued certificate for web operation.

Renewal:

  • Both manual and automatic renewals are supported.
  • Auto-renewal timers are started in the device based on the configured value (the default is 1/3rd of the days before the certificate expiry).
  • Note: If the user-provided auto-renew days value is greater than (expiry date – today's date), the default renewal days are calculated instead (1/3rd of the days before expiry).
  • Both public and private keys are renewed.

In GigaVUE-FM:

The ACME client is installed in GigaVUE-FM and takes care of the automatic issue, renewal and revocation of the HTTPS certificate of GigaVUE-FM (standalone GigaVUE-FM instances and also instances in an HA group).

Issuance: After the certificate is downloaded, GigaVUE-FM automatically activates the ACME-issued certificate for web operation.

Renewal:

  • Both manual and automatic renewals are supported.
  • Auto-renewal timers are started in GigaVUE-FM based on the configured value (the default is 1/3rd of the days before the certificate expiry).

Task: Certificate Revocation

In Device:

Upon receiving a revoke command (from GigaVUE-FM), the device:

  • Re-issues a new certificate and maps it to the HTTPS operations.
  • Sends a revocation request to the ACME server and deletes the revoked certificate from the device cache.
  • Note: The certificate revocation process renews the certificate first and then revokes the old one, to avoid downtime of the web server.

In GigaVUE-FM:

The revoke operation in GigaVUE-FM:

  • Initiates re-issue of a new certificate.
  • Followed by revocation of the existing certificate.

Once the re-issue and revoke operations succeed, the newly issued ACME certificate is activated as the web certificate. If the revocation fails, GigaVUE-FM falls back to the default certificate mode.

Task: Clear Certificate

In Device:

The clear operation clears the ACME-issued certificate from the device and maps the web certificate back to the default certificate. This command also cancels the auto-renewal timers that were started by the ACME client in the device.

In GigaVUE-FM:

Deleting the ACME-issued certificate results in GigaVUE-FM falling back to the default certification mechanism.
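The renewal-timer rule described above, as an added worked example that is not Gigamon's code: it computes when the auto-renewal timer fires, honouring a user-supplied lead time only when it does not exceed the days left until expiry, so an operator can check the expected renewal date of a certificate. It assumes lead times are whole days and reads "1/3rd days before expiry" as one third of the days remaining from today.

```python
from datetime import date, timedelta
from typing import Optional

# Assumption (the page does not spell this out): "1/3rd days before expiry" is
# read as one third of the whole days remaining between today and the expiry.


def days_remaining(expiry: date, today: date) -> int:
    """Whole days from today until the certificate expires (never negative)."""
    return max((expiry - today).days, 0)


def default_renew_days(expiry: date, today: date) -> int:
    """Default renewal lead time: one third of the days before expiry."""
    return days_remaining(expiry, today) // 3


def renewal_lead_days(expiry: date, today: date, user_days: Optional[int]) -> int:
    """Lead time the auto-renewal timer actually uses.

    A user-supplied value is honoured only when it does not exceed the days
    left until expiry; otherwise the documented fallback to the default applies.
    """
    remaining = days_remaining(expiry, today)
    if user_days is None or user_days > remaining:
        return default_renew_days(expiry, today)
    return user_days


def renewal_plan(expiry_iso: str, today_iso: str, user_days: Optional[int] = None) -> dict:
    """Summarise when the timer fires for a certificate expiring on expiry_iso.

    Returns the lead time used, the renewal date and the timer length in days
    (0 means the renewal is already due).
    """
    expiry, today = date.fromisoformat(expiry_iso), date.fromisoformat(today_iso)
    lead = renewal_lead_days(expiry, today, user_days)
    renew_on = expiry - timedelta(days=lead)
    return {
        "lead_days": lead,
        "renew_on": renew_on.isoformat(),
        "timer_days": max((renew_on - today).days, 0),
    }


if __name__ == "__main__":
    # Constructed sample: a 90-day certificate checked on its issue date.
    for user_days in (None, 15, 100):
        print(user_days, renewal_plan("2024-12-31", "2024-10-02", user_days))
```

An already-expired certificate yields a lead time of 0 and a timer of 0 days, meaning the renewal is due immediately.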