
Share your experience on AM2 Root Certificate Rotation

  • 12 July 2024
  • 4 replies
  • 221 views

Hello all,

This is the start of a thread about AM2 Certificate Authority Rotation, as we are getting closer to the August deadline.
The goal of this thread is not to provide a guide to the migration. You can find plenty of great explanations in the official docs:
https://docs.netskope.com/en/netskope-root-certificate-rotation-guide-1/

and also in our recent webinar here: 


However, if you have any questions, please feel free to ask them here.
Or if you don’t know who your CSM or Sales Representative is, we can help you as well in this transition.

As feedback is provided, we will also post more comments here.

4 replies

Userlevel 2
Badge +11

Maybe you have finished your CA migration. So congratulations.
 


However, you may have noticed that the red warning still shows up on the landing page. This is expected; please reach out to your Netskope sales representative, your CSM or your Netskope partners so they can flag your migration as complete. Only then will this warning disappear.

On the other hand, maybe you did not complete the migration and you are wondering why there is NO CONSEQUENCE SO FAR, as the timer indicates there are 0 days left and you are actually past the deadline.
The deadline is kind of virtual, in order for Netskope to be able to help all customers. The hard stop is August 8th, and there will be consequences if nothing is done! If you haven’t migrated yet, please do so and ask your Netskope sales representative, your CSM or your Netskope partners for help to avoid any service impact.

Userlevel 2
Badge +11

Maybe you’ve noticed there is a warning under Reverse Proxy for NPA (Clientless access for NPA - Browser Access), but when you try to migrate the certificate, it shows this error: “Identifier X not present in config for svc saml”:
 

Error when attempting to update Reverse Proxy for NPA

This is currently a bug in the UI. The AM Certificate Authority is actually not being used at all for Clientless NPA, and there should not even be a button (in the Netskope UI) in this case for trying to update certs. This menu will just disappear in R119.
Some customers do not even use NPA Clientless, but anyway, no concerns here 😀

Userlevel 2
Badge +11

As a reminder, a prerequisite prior to CA rotation is to have endpoints updated to R111 as a minimum.
If you use IDP enrolment or the NPA Reauthentication feature, you should update from R114 to R115 as a minimum, because of an isolated bug on this topic in R114 where the update is not transparent and requires reinstallation (which is not convenient...)

If you want to have a clue about the release versions across your overall fleet, go to the following menu:
Digital Experience Management > Tenant Overview > Client Version in use



Alternatively, you can also go to Settings > Security Cloud Platform > Netskope Client > Devices and it will show you the Netskope Client version for your registered devices.

Userlevel 2
Badge +11

It’s D-Day.
We have customers reporting a Netskope pop-up asking to update the CA store, for macOS users only.
This behavior looks like a Netskope Client bug. We are investigating.
An IMF has been created and listed as IMF-1103.

We will be communicating more on the support portal soon.

For the time being, the best approach is either to type the password or validate Touch ID, OR move the pop-up to the side of the screen.
However, the pop-up will reappear every time the computer is rebooted or every time the tunnel is re-established.
