Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

LoadMaster Code Signing Certificate Expires 27 May 2022

All LoadMaster releases and associated addon packages are digitally signed using XML-format signature files (a.k.a. 'detached signatures') that conform to the best practices defined by the World Wide Web Consortium (W3C) for XML Signature Syntax and Processing. The XML signature filenames include the filename of the downloaded installation package as a prefix with the extension .checksum.xml.

The digital signing process employs an X.509 code signing certificate that has an expiration date; when the certificate reaches its expiration date, signature validation using this certificate will fail. Therefore, vendors need to update this certificate occasionally so that verification of digital signatures will continue to work.

On 27 May 2022, the certificate used to sign LoadMaster release artifacts for LoadMaster LMOS version 7.2.56.x and prior releases expires. For most customers, this will not impact normal operations, as explained below.

All LoadMaster releases that occur after the above date (e.g., LMOS 7.2.57.0) will be digitally signed using a newly obtained code signing certificate. 

What Does This Mean To You? 

If you're running an LMOS version earlier than 7.2.49.1 (when XML signature verification was introduced), then this will mean no change for you since your current LMOS version doesn't provide an option for checking XML signatures for upgrades and addons.

For later LMOS versions, verifying digital signatures for LMOS images and addon packages will continue to work if the image or addon package was signed with the new certificate. So, for example, you will be able to verify the XML signature in these scenarios:

  • Updating LMOS 7.2.55.0 to LMOS 7.2.57.0 (or a later version).
  • Installing an addon package released with LMOS 7.2.57.0 (or a later version).

Verifying XML signatures will not work if you attempt to update the system with any LMOS update image or addon package signed with the earlier, expired certificate. So, for example, XML signature verification will fail in these scenarios:

  • Updating any LMOS release using an LMOS 7.2.56.0 image.
  • Updating any LMOS release with the 7.2.55.0 Network Telemetry Addon Package.

In these cases, you will need to skip XML signature verification when installing the LMOS image or addon package. This can be done by navigating to System Configuration > Miscellaneous Options > WUI Settings and setting the Update Verification Options parameter to Optional. This allows you to skip XML verification when you install the image. Once the update is complete, XML verification for future upgrades can once again be set to Required (if desired).

Note that if you have FIPS mode enabled, you will not be able to change the Update Verification Options parameter, which is set to Required in FIPS mode. If you need to update a FIPS system to an LMOS version signed with an expired certificate after 27 May 2022, please contact Support for assistance.


Comments