An issue has been found in the Universal Orchestrator Framework that could prevent deployment of renewed certificates due to a security change in Command 10.3 designed to prevent private key leakage.
Our team is actively working to resolve this matter promptly.
Our team has created a solution to this issue; please see the Mitigation section below for the update.
Issue Summary:
In v10.3 Command introduced a feature to remedy a security issue where a user with access to a certificate store could gain access to the private key of a new certificate issued in the future by the following steps:
- Acquire the certificate (no private key) for a certificate store that belongs to another security group.
- Place that certificate in a certificate store managed by Command that you control.
- Renew the certificate in Command (one-click or renewal handler).
- New certificate and private key are delivered to your certificate store.
Keyfactor determined that there is not a use case for automatically pushing private keys of renewed certificates to locations where the old certificate's private key is not present, so in v10.3 the renewal behavior was accordingly modified. Management Add Jobs are no longer created during renewal to target certificate stores that do not already hold private keys for the certificate being renewed.
Some integrations do not report the true status of private key presence, usually due to limitations in target system APIs. Integrations must report a private key status value, so in cases where the value cannot be determined, a default value of “false” was commonly returned. With the 10.3 change, this default value prevented renewal jobs from being scheduled, so integrations have been updated to default to “true” where appropriate.
Unfortunately, a bug in the logic of the UO framework prevents changes in private key status for already inventoried certificate stores from being relayed to Command. This means that updating the integrations that default to reporting “false” for private key presence to versions that report “true” or the actual status does not correct the issue of renewal jobs not being scheduled.
Impacted Customers:
The following certificate store types may be impacted:
- Azure Application Gateway
- Citrix ADC
- F5-CA-REST
- F5-SL-REST
- F5-WS-REST
- GCP Load Balancer
- Palo Alto
If you are using one of these extensions, it is recommended to create a new collection and use that collection to run a Full Certificate Extract report. The report allows you to see the locations the certificates are currently in by looking at the “Client Machine” and “Store Path” columns.
The collection should find certificates with an IssuedDate greater than the date of the Command Upgrade to 10.3 or higher. Set Ignore Renewed Certificates to the value that makes sense for how you have your renewals configured.
When the report runs, review the locations the certificate is found at and ensure it is where you expect it to be.
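The review described above, as an added example that is not part of the original advisory or of Keyfactor's tooling: it parses a constructed Full Certificate Extract export, keeps only certificates issued after the Command 10.3 upgrade date, and compares the “Client Machine”/“Store Path” locations found against the locations the operator expects. All column names other than “Client Machine” and “Store Path”, the sample rows, and the expected-locations map are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample of a Full Certificate Extract export. "Thumbprint",
# "Common Name" and "IssuedDate" are assumed column names, not Keyfactor's.
SAMPLE_REPORT = """\
Thumbprint,Common Name,IssuedDate,Client Machine,Store Path
AAA111,web.example.test,2024-02-01,f5-prod-01,/Common/web.example.test
AAA111,web.example.test,2024-02-01,f5-prod-02,/Common/web.example.test
BBB222,api.example.test,2024-03-15,paloalto-fw-01,shared
CCC333,old.example.test,2023-11-20,citrix-adc-01,/nsconfig/ssl
"""

# Operator-supplied (assumed) map of where each renewed certificate should land.
EXPECTED = {
    "web.example.test": {("f5-prod-01", "/Common/web.example.test"),
                         ("f5-prod-02", "/Common/web.example.test")},
    "api.example.test": {("paloalto-fw-01", "shared"),
                         ("paloalto-fw-02", "shared")},
}


def parse_report(text):
    """Return {common_name: (issued_date, {(client_machine, store_path), ...})}."""
    certs = {}
    for row in csv.DictReader(io.StringIO(text)):
        issued = date.fromisoformat(row["IssuedDate"])
        entry = certs.setdefault(row["Common Name"], (issued, set()))
        entry[1].add((row["Client Machine"], row["Store Path"]))
    return certs


def review_renewals(text, upgrade_date_iso, expected):
    """Compare post-upgrade certificates against their expected locations.
    Returns {cn: {"missing": set, "unexpected": set}} only for certificates
    whose found locations differ from the expected ones."""
    upgrade_date = date.fromisoformat(upgrade_date_iso)
    findings = {}
    for cn, (issued, found) in parse_report(text).items():
        if issued <= upgrade_date:
            continue  # issued before the 10.3 upgrade; renewal change does not apply
        want = expected.get(cn, set())
        missing, unexpected = want - found, found - want
        if missing or unexpected:
            findings[cn] = {"missing": missing, "unexpected": unexpected}
    return findings


if __name__ == "__main__":
    for cn, diff in review_renewals(SAMPLE_REPORT, "2024-01-10", EXPECTED).items():
        print(cn, "missing:", sorted(diff["missing"]), "unexpected:", sorted(diff["unexpected"]))
```

A certificate listed under "missing" is one whose renewal was not deployed to a store it should have reached, which is the symptom this advisory describes.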
Mitigation:
This bug was fixed in v11 of the Universal Orchestrator. As some customers may not want to upgrade to Command v11 yet, we have also released a hotfix for the Universal Orchestrator 10.4.2.
Options to remedy at present are:
- Upgrade to Command and Orchestrator Framework v11 and verify you have the latest version of the integration extension being used. If not, update the integration extension as well.
- (UPDATED) Upgrade to Orchestrator Framework v10.4.2 and verify you have the latest version of the integration extension being used. If not, update the integration extension as well.