Update Stealthwatch Management Console Identity Cert - Best Practice?

I have an SMC, Flow Collector, and Flow Sensor VMs deployed. They are all on version 7.0.


When I initially added the Flow Collector and Flow Sensor VMs to SMC I accepted the default self-signed SMC cert. I'm going to be replacing the SMC identity cert with one signed by a CA.  


In all the documentation I read on doing this it cautions "Your certificates are critical for your system’s security. Improperly modifying your certificates can stop Stealthwatch appliance communications and cause data loss."


Is there a best practice on how to do this without breaking my SMC, FC, and FS deployment? Do I have to remove the FC and FS from SMC, update the SMC identity cert, add the chain to the FC, FS then re-add the FC and FS? Or do I just add the chain to the FC and FS then update the SMC identity cert, then reboot the FC and FS without removing them from SMC?


Any help is appreciated as I don't want to permanently break my deployment.

Cisco Employee

See page 133 of the document that you referenced titled "Changing Appliances After Configuration". There is a great big note there that says:


The appliance identity certificate is replaced automatically as part of this procedure. If your appliance uses a custom certificate, please contact Cisco Stealthwatch Support to change these settings. Do not use the instructions shown here. Make sure you have a copy of the custom certificate and private key.


You should definitely initiate a call or contact with Cisco Stealthwatch Support.

Brian Ford | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

I appreciate the reply. I was able to update the identity certs without breaking the system. Here's the procedure that worked for me in case anybody comes across this thread in the future:


1) Add the Root CA, intermediate CA, and new identity certs to the Trust Stores on the SMC, FC, and FSs.

2) Update the identity cert on the FC. Wait until it says it's going to reboot.

3) Update the identity cert on the SMC. The SMC will reboot as part of this process.


That's all there is to it. I rebooted all the devices a couple times to make sure they are all able to communicate and still process flows.
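Before step 1 of the procedure above it is worth confirming that the new identity cert, its private key and the CA chain actually agree with each other, since a chain gap or a key/cert mismatch is exactly what would stop the appliances from talking after the swap. The following is an added example in POSIX sh using openssl, not code from this thread or from Cisco; the demo PKI, the temp-dir paths and the smc.example.test name are constructed stand-ins for a real CA-issued identity cert.

```shell
# Added example: pre-flight checks on a CA-signed identity cert; demo PKI and names are constructed.

# verify_identity_chain LEAF KEY INTERMEDIATE ROOT
# Succeeds only if LEAF chains to ROOT through INTERMEDIATE and KEY is the
# private key for LEAF; prints the reason on failure.
verify_identity_chain() {
  leaf=$1 key=$2 inter=$3 root=$4
  # ROOT is the only trust anchor; the intermediate is supplied untrusted.
  if ! openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" 2>/dev/null \
       | grep -q ': OK$'; then
    echo "chain check failed: $leaf does not chain to $root via $inter" >&2
    return 1
  fi
  # Compare SubjectPublicKeyInfo PEM blobs; works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "key mismatch: $key is not the private key for $leaf" >&2
    return 1
  fi
}

# sign_cert DIR NAME SUBJECT EXTENSIONS [CA_NAME]: new key and CSR, then a cert
# signed by CA_NAME, or self-signed when CA_NAME is omitted. Demo PKI only.
sign_cert() {
  d=$1 n=$2 subj=$3 ext=$4 ca=${5:-}
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$n.key" 2>/dev/null
  openssl req -new -key "$d/$n.key" -subj "$subj" -out "$d/$n.csr" 2>/dev/null
  printf '%b\n' "$ext" >"$d/$n.ext"
  if [ -z "$ca" ]; then
    openssl x509 -req -in "$d/$n.csr" -signkey "$d/$n.key" -days 2 \
      -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
  else
    openssl x509 -req -in "$d/$n.csr" -CA "$d/$ca.pem" -CAkey "$d/$ca.key" \
      -CAcreateserial -days 2 -extfile "$d/$n.ext" -out "$d/$n.pem" 2>/dev/null
  fi
}

# make_demo_pki DIR: constructed root -> issuing CA -> identity cert chain.
make_demo_pki() {
  ca_ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  sign_cert "$1" root  "/CN=Demo Root CA" "$ca_ext"
  sign_cert "$1" inter "/CN=Demo Issuing CA" "$ca_ext" root
  sign_cert "$1" smc   "/CN=smc.example.test" \
    'basicConstraints=CA:FALSE\nsubjectAltName=DNS:smc.example.test\nextendedKeyUsage=serverAuth,clientAuth' inter
}

DEMO=$(mktemp -d); make_demo_pki "$DEMO"
verify_identity_chain "$DEMO/smc.pem" "$DEMO/smc.key" "$DEMO/inter.pem" "$DEMO/root.pem" && echo "identity cert, key and chain are consistent"
```

Point verify_identity_chain at the real leaf, key, intermediate and root files instead of the demo ones; if either check fails, nothing should be loaded into a trust store until the CA-issued material is corrected.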
