CAUTION: Read the instructions carefully
before you continue with the steps. Failure to wait for sufficient agent saturation in step 5 can result in large numbers of agents failing to communicate until the agent is reinstalled.
To remediate vulnerabilities in your ePO environment, migrate your existing SHA-1 certificates to certificates that use the more secure SHA-2 algorithm. A fresh installation of ePO 5.10 installs the latest hash algorithm certificates.
If you upgrade ePO from an older version, migrate the SHA-1 certificates to SHA-2 certificates using the following steps:
- Log on to the ePO console as an Administrator.
- Click Menu, Configuration, Certificate Manager.
NOTE: The Certificate Manager page provides information about the installed Root Certificate, Agent Handler certificates, server certificates, and other certificates derived from the ePO root Certificate Authority (CA).
- Click Regenerate Certificate.
- To confirm the certificate generation, click OK.
The ePO root CA and other certificates derived from the root CA are regenerated and stored in a temporary location on the server. The time needed to generate the new certificates varies depending on the number of Agent Handlers and Extensions that derive certificates from the ePO root CA.
- Wait for sufficient saturation of the new certificates after certificate regeneration completes BEFORE you continue.
As the agents communicate in their normal agent-to-server communication interval, they're handed a new certificate that uses SHA-2.
NOTE: You can view the certificate distribution percentage in the Product: Agent Handler section of the certificate manager. This percentage gives you information about how many agents have received the newly generated certificates and how many are pending. The distribution percentage is calculated based on the agent-server communication after the certificates are regenerated. This design means that unmanaged clients or clients that are inactive affect the percentage.
IMPORTANT: Before you continue, make sure that the distribution percentage reaches as close to 100% as possible. Otherwise, the pending systems won'’t receive the newly generated certificates and will be unable to communicate with the ePO server after the certificates are activated. You can stay in this state for as long as needed to achieve sufficient saturation.
After you click Activate Certificates, the agents that use the old certificates must be reinstalled to restore agent-to-server communication.
- Click Activate Certificates to carry out all future operations using the new certificates after you're satisfied with the saturation of the SHA-2 certificate in your environment.
A backup of the original certificate is created.
- Click OK on the warning if you agree to reinstall the agent on any remaining agents that haven't yet communicated and received the new certificate.
- Perform the following steps after the certificate activation is complete:
- Stop the Agent Handler services (including the Remote Agent Handler services).
- Restart the ePO services.
- Start the Agent Handler services.
- Monitor your environment and make sure that your agents communicate successfully before you finish the migration.
You can cancel the migration at this point to roll back the certificate and restore agent-to-server communication. But, this action isn't possible after you've completed the next step.
- Click Finish Migration to complete the certificate migration.
The certificate backup created during activation is deleted.
IMPORTANT:
- If you're using a TIE server, you must perform the migration steps listed in the article below after completing this step.
If you encounter any issues during the migration process, click
Cancel Migration to revert to the previous certificates. If you cancel the migration, you
must stop the Agent Handler services, and restart the ePO services and Agent Handler services.
You can start the certificate migration again after you resolve the issues.
