Skip to content
  • There are no suggestions because the search field is empty.

NetWitness Live Content stops updating after July 2025 due to expired root CA on the Live Server

Issue

An Administrator may notice that the available content within the Centralized Content Management (CCM) Content Library shows that the "Last Updated" column never  updates beyond July 18th, 2025. This is more apparent on frequently updated content, such as Live Feeds and the GeoIP databases, the latter of which are updated almost daily. 

NetWitness Live Content stops updating after July 2025 due to expired root CA on the Live Server

NetWitness Live Content stops updating after July 2025 due to expired root CA on the Live Server


Cause

Entrust, which served as the Certificate Authority (CA) that signed the NetWitness Live Server's SSL certificate was purchased recently by Sectigo. As a part of that process, they reissued SSL Certificates to all customers using their new Sectigo CA. Because this occurred after the most recent release of NetWitness (12.5.1.3), the current release does not trust Sectigo CA signed SSL certificates by default. 


Workaround

  • Create a new certificate under /root/
    vi /root/Sectigo_R36.crt

    • and add the following contents:
      -----BEGIN CERTIFICATE-----
      MIIGlTCCBP2gAwIBAgIQOhuMOv8xwjAJ8mPgab9XEjANBgkqhkiG9w0BAQsFADBg
      MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPU2VjdGlnbyBMaW1pdGVkMTcwNQYDVQQD
      Ey5TZWN0aWdvIFB1YmxpYyBTZXJ2ZXIgQXV0aGVudGljYXRpb24gQ0EgRFYgUjM2
      MB4XDTI1MDcyMTAwMDAwMFoXDTI2MDcyMTIzNTk1OVowHTEbMBkGA1UEAxMSY21z
      Lm5ldHdpdG5lc3MuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
      vFvVjY2swq/DanvDOisShnpzrb4ndSdTpmr9dcid+ZvpjALf/i5yfgfKv8FW7fyQ
      Zf61aS6MODeRL6oEPVJyHQe3CrLQ4Xapl6ZwlJjBrMgfvWGTt65PtWm3nSDy/0RN
      7f/opZC/MT642N6mziK9otyyoss0WkPt5qvoWoXb26trLzw4mi5EfWG8oUhBnP/Z
      hCG3f4sro8OfVMHrHUxdGarWKG3kQAbOOWuZQgiydNbSX6BJVQNzKkzIsXAZARm9
      Zn6CHxUVJ8oKBZLtACxTNs0L7CWN7yIFHgP81qyyuzWce8zsfQBy5OlJ5xLI8EDh
      Dh+M5EL6kwEHAhCaweuqOwIDAQABo4IDDDCCAwgwHwYDVR0jBBgwFoAUaMASFhgO
      r872h6YyV6NGUV3LBycwHQYDVR0OBBYEFDr+JS5RKqhSwM6WQ2EB3ky2DpLSMA4G
      A1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMB
      BggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgIHMCUwIwYIKwYBBQUH
      AgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBhAYIKwYBBQUH
      AQEEeDB2ME8GCCsGAQUFBzAChkNodHRwOi8vY3J0LnNlY3RpZ28uY29tL1NlY3Rp
      Z29QdWJsaWNTZXJ2ZXJBdXRoZW50aWNhdGlvbkNBRFZSMzYuY3J0MCMGCCsGAQUF
      BzABhhdodHRwOi8vb2NzcC5zZWN0aWdvLmNvbTA1BgNVHREELjAsghJjbXMubmV0
      d2l0bmVzcy5jb22CFnd3dy5jbXMubmV0d2l0bmVzcy5jb20wggF+BgorBgEEAdZ5
      AgQCBIIBbgSCAWoBaAB2ANgJVTuUT3r/yBYZb5RPhauw+Pxeh1UmDxXRLnK7RUsU
      AAABmC28+fMAAAQDAEcwRQIgdFf8E6M91QeRw0G4y1aWbLKo+Qv2I8KhMUSW5xq8
      DTUCIQDWzzZjycUMwb0T3FwffAuzDvsPRxSwotIwleWzka7daQB1AKyrMHBs6+yE
      MfQT0vSRXxEeQiRDsfKmjE88KzunHgLDAAABmC28+cgAAAQDAEYwRAIgYtsf7oES
      OwstTBRL95Cs4xJu0EtbgRJsqJTobOcQVB4CIBN72YCHs2kUVlc19t74pDgIhacY
      JRAXM/mbMzoA2+haAHcA1219ENGn9XfCx+lf1wC/+YLJM1pl4dCzAXMXwMjFaXcA
      AAGYLbz5fgAABAMASDBGAiEA0ueYOSK/3+xQV5ZlaEb1MypnZN+sn+dGC0SRe1FZ
      jp8CIQCXw6/WBH57jc/gJWHdKoRzWYt8odj8kqCakPZTmx0bazANBgkqhkiG9w0B
      AQsFAAOCAYEAb3qHvG88TNuIp/VcnmQpBRWDwvLMvGZ7K3x51eSb08IyVgjP8flF
      XxkwDSfFP/PUnUzetcMBeLFOiXy+Gnj+EKmKsqY97HovY8mXSkP0Vocf0TGopAsi
      /5muVtKPtvni52U59VAZef14rz1AKSG6fiixLJv9zsSwHaunvofKdubF2NRtg+4D
      U1+NTxaVjoAzNeb9TRykamesn4ew05HRGI+uQmyAN4K1OZXegOPwhRIZ66ZpPhf1
      QWel2HQxOnmWnDgaXEzQkfAHLsT8zn7JeogprhJoFa3TQED+z5jPWG0+joz5/lCD
      9dVyMj1L6XRfEnwZoDHtWDTXVKHpwMwyP9Z5Bj7o8w25gyCZbba3D6HFx1Ga2BTS
      wvmRlS5oAU1UaVbf9bXMO/H2vBzkNakxq7r/xZ0TxvgTjGZnPuq7ySDtzisTJaN5
      MsEYyxvdV9oMZTX9Syw1nSSeDctmeOe/TJYHNPZBjqqvM0yIzKaMv3Ig509qBtKU
      J1MiOZlwrBUU
      -----END CERTIFICATE-----


  • Copy it to /etc/pki/ca-trust/source/anchors/
    cp /root/Sectigo_R36.crt /etc/pki/ca-trust/source/anchors/
  • Run the following command:
    update-ca-trust extract
  • Run the following command:
    keytool -import -trustcacerts -alias sectigo-r36 -file Sectigo_R36.crt -keystore /etc/pki/ca-trust/extracted/java/cacerts -storepass changeit
  • When prompted, type "yes" and ensure this message confirms it was added to the keystore:
    Trust this certificate? [no]: yes
    Certificate was added to keystore
  • Restart the following services:
    systemctl restart rsa-nw-security-server rsa-nw-source-server
  • Wait about 10-20 minutes for the new content to be download (the GeoIP is large and can take some time depending on the network speed). Then check the dates to ensure they are reflecting dates later than July 18th, 2025:
    NetWitness Live Content stops updating after July 2025 due to expired root CA on the Live Server
    NetWitness Live Content stops updating after July 2025 due to expired root CA on the Live Server

Resolution

The next release of NetWitness will have SSL certificates signed by Sectigo trusted by default for the NetWitness Live Content Server. In the meantime, please see the workaround section below to manually add the CA to the trusted CA certs within NetWitness. 


Product Details

NetWitness Product Set: NetWitness Logs & Network
NetWitness Product/Service Type: NetWitness Admin-Server, Centralized Content Management, Live
NetWitness Version/Condition: 12.x
Platform: AlmaLinux


Summary

When viewing content within the Centralized Content Management Content Library, an administrator notices that Live Content that is frequently updated has not been updated since July 18th, 2025.


Approval Reviewer Queue

Technical approval queue