This article provides a description of the certificates used by the ePO server service, and the process for regenerating them, if needed.
The ePO server service (Apache) in ePO uses certificates to secure communications for the following:
- Communications with Trellix Agent on client computers
- Internal communication with the ePO Application Server service
These certificates are created during the installation of ePO or another Agent Handler. The certificates are all signed by the
Orion_CA, which is a certificate authority unique to every ePO server, created during the ePO install. The
Orion_CA resides on the ePO Application Server service (Tomcat), which issues the certificates.
NOTES:
- It isn't possible to replace these certificates with certificates issued by another certificate authority.
- The certificates are stored in the ssl.crt folder. The paths differ if you select a non-default path at the time of installation.
- ePO Server: C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt
- Agent Handler 64-bit operating system: C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\ssl.crt
- Agent Handler 32-bit operating system: C:\Program Files\McAfee\Agent Handler\Apache2\conf\ssl.crt
- The folder contains the following files:
- ahCert.crt
- ahpriv.key
- mfscabundle.cer
- pkcs12store.pfx
- pkcs12store.properties
- In certain situations, you might need to re-create or regenerate these certificates.
For example, when ePO is being restored as part of the manual disaster recovery process described in KB66616 - ePolicy Orchestrator server backup and disaster recovery procedure.
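The following PowerShell script is an added example; it is not part of the KB article or of Trellix's own tooling. It inspects an existing ssl.crt folder and checks the claim above: that ahCert.crt is issued by this server's Orion_CA and chains to a CA carried in mfscabundle.cer. It assumes PowerShell 5.1 or later, the default ePO path, that mfscabundle.cer is PEM-encoded (one or more CERTIFICATE blocks, with DER handled as a fallback), and that the issuer DN contains the string "Orion_CA"; none of those details are stated by the article.

```powershell
# Added example, not from the KB article or Trellix's own tooling: inspects an existing
# ssl.crt folder and checks that ahCert.crt is issued by this server's Orion_CA and
# chains to a CA in mfscabundle.cer. Assumptions: PowerShell 5.1+, mfscabundle.cer is
# PEM (DER handled as a fallback), and the issuer DN contains the string "Orion_CA".
using namespace System.Security.Cryptography.X509Certificates
param(
    [string]$SslCrtDir = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt'
)

function Import-PemBundle {
    # Returns every certificate in a PEM bundle; with no PEM blocks, loads the file as one cert.
    param([string]$Path)
    $text   = Get-Content -Path $Path -Raw
    $blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    if ($blocks.Count -eq 0) { return ,[X509Certificate2]::new($Path) }
    foreach ($m in $blocks) {
        $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [X509Certificate2]::new($der)
    }
}

function Test-EpoAhCert {
    param([string]$Dir)
    $ahCert = [X509Certificate2]::new((Join-Path $Dir 'ahCert.crt'))
    $cas    = @(Import-PemBundle (Join-Path $Dir 'mfscabundle.cer'))

    # Build the chain offline: Orion_CA is private to this ePO server, so it is not in the
    # machine trust store, and (assumption) it publishes no reachable CRL; hence the flags.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [X509VerificationFlags]::AllowUnknownCertificateAuthority
    foreach ($ca in $cas) { [void]$chain.ChainPolicy.ExtraStore.Add($ca) }
    [void]$chain.Build($ahCert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject         = $ahCert.Subject
        Issuer          = $ahCert.Issuer
        NotBefore       = $ahCert.NotBefore
        NotAfter        = $ahCert.NotAfter
        IssuedByOrionCA = ($ahCert.Issuer -match 'Orion_CA')          # assumed DN substring
        ChainsToBundle  = [bool]($cas | Where-Object { $_.Thumbprint -eq $root.Thumbprint })
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        BundleCAs       = (($cas | ForEach-Object { $_.Subject }) -join '; ')
    }
}

$result = Test-EpoAhCert -Dir $SslCrtDir
$result | Format-List
if (-not ($result.IssuedByOrionCA -and $result.ChainsToBundle)) {
    Write-Warning 'ahCert.crt does not chain to a CA in mfscabundle.cer; regenerate it using the procedure in this article.'
    exit 1
}
```

Run it from an elevated shell on the ePO server or Agent Handler (pass -SslCrtDir for the Agent Handler paths listed above). A chain status of UntrustedRoot is expected, because Orion_CA is deliberately absent from the Windows trust store; what matters is that the root the chain ends on is one of the CAs in the bundle. ahpriv.key is the service's private key, so the ssl.crt folder, and any ssl.crt.old copy you keep, deserves the same access restrictions as the rest of the installation.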
To regenerate the certificates:
- Stop the ePO Server service:
- Press Windows+R.
- Type services.msc into the field and press Enter.
- Right-click the following ePO service, and select Stop:
McAfee ePolicy Orchestrator #.#.# Server
- Close the services window.
- Make sure that the McAfee ePolicy Orchestrator Application Server service is started.
- Make sure that you can log on to the ePO console using the following:
- Your ePO server's NetBIOS name in the URL.
- An account that's an ePO administrator and uses ePO authentication (not Windows authentication).
You need to use this account later to regenerate the certificates.
NOTE: Certain characters in the administrator username or password cause the certificate regeneration process to fail, although they're valid when logging on to the ePO console. We recommend temporarily changing the password to a simple alphanumeric password. Or, use a new temporary administrator user with a simple password during the certificate regeneration process. Because the password is passed in clear text on the command line, a temporary account also keeps your real administrator credentials out of the command history.
When complete, change the password back or remove the temporary administrator user.
- For the regeneration process to succeed, the ssl.crt folder must exist and be empty. Locate the \Apache2\conf folder in the ePO or Agent Handler install folder.
- If an ssl.crt folder exists, rename it to ssl.crt.old.
- Create a new, empty folder named ssl.crt in the same location.
- Click Start, type cmd in the search field, right-click the Command Prompt result, and click Run as administrator.
- Change directory to your ePO or Agent Handler installation folder. The default paths are:
Component | Path
ePO Server | C:\Program Files (x86)\McAfee\ePolicy Orchestrator\
Agent Handler (64-bit) | C:\Program Files (x86)\McAfee\Agent Handler\
Agent Handler (32-bit) | C:\Program Files\McAfee\Agent Handler\
- Run the command below:
Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">
In the above command:
- <ePO_server_name> — The ePO server NetBIOS name
- <console_HTTPS_port> — The ePO console port (default is 8443)
- <admin_username> — The ePO administrator account that uses ePO authentication (the account you verified earlier)
- <password> — The password for that ePO administrator account
- <installdir\Apache2\conf\ssl.crt> — The full path to the empty ssl.crt folder you created earlier. Make sure that you enclose this path in double quotes.
Example:
Rundll32.exe ahsetup.dll RunDllGenCerts epo_server_name 8443 administrator password "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"
IMPORTANT:
- The command fails if User Account Control is enabled on this server. If the server is running Windows Server 2008 or later, disable this feature for the duration of the regeneration and re-enable it when you're done.
For details, see the User Account Control Step-by-Step Guide from Microsoft.
- The RunDllGenCerts parameter is case-sensitive.
NOTE: In normal use, the command doesn't produce messages when it runs. After a few seconds, the ssl.crt folder is populated with the following certificate files:
- ahCert.crt
- ahpriv.key
- mfscabundle.cer
- pkcs12store.pfx
- pkcs12store.properties
A log file named ahsetup_<ePO_server_name>.log is also created.
- Open this log file in a text editor. If the regeneration is successful, the log ends with the following lines:
AHSETUP The Agent Handler successfully connected to the ePO server.
AHSETUP Successfully created the Agent Handler certs.
AHSETUP Successfully created the Agent Handler CA Certificate.
AHSETUP Successfully imported the PKCS12 Certificates.
- Start the ePO server service.
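The following PowerShell script is an added example that automates the procedure above on an ePO server; it is not part of the KB article or of Trellix's own tooling. It stops the Apache service, makes sure Tomcat is running, moves the old ssl.crt aside, runs RunDllGenCerts, and only restarts Apache after the five files and the four success lines in the log are confirmed. It assumes the default ePO install path, the service display-name patterns shown, a temporary ePO-authentication administrator with an alphanumeric password (as the NOTE above recommends), and that ahsetup_<ePO_server_name>.log is written somewhere under the install folder; the article states none of these.

```powershell
# Added example, not from the KB article or Trellix's own tooling: runs the regeneration
# procedure end to end on an ePO server and verifies the result before restarting Apache.
# Assumptions: default install path, the service display-name patterns below, and that
# ahsetup_<server>.log lands somewhere under the install folder.
param(
    [string]$InstallDir       = 'C:\Program Files (x86)\McAfee\ePolicy Orchestrator',
    [string]$EpoServerName    = $env:COMPUTERNAME,   # NetBIOS name, as the article requires
    [int]$ConsoleHttpsPort    = 8443,
    [Parameter(Mandatory)][string]$AdminUser,        # temporary ePO-authentication admin
    [Parameter(Mandatory)][string]$AdminPassword     # simple alphanumeric, per the article
)
$ErrorActionPreference = 'Stop'
$sslCrt   = Join-Path $InstallDir 'Apache2\conf\ssl.crt'
$expected = 'ahCert.crt','ahpriv.key','mfscabundle.cer','pkcs12store.pfx','pkcs12store.properties'
$successLines = @(
    'AHSETUP The Agent Handler successfully connected to the ePO server.',
    'AHSETUP Successfully created the Agent Handler certs.',
    'AHSETUP Successfully created the Agent Handler CA Certificate.',
    'AHSETUP Successfully imported the PKCS12 Certificates.'
)

function Test-AhSetupLog {
    # True when the last four log lines end with the article's success lines (any prefix allowed).
    param([string[]]$Lines)
    if ($Lines.Count -lt $successLines.Count) { return $false }
    $tail = $Lines[-4..-1]
    for ($i = 0; $i -lt 4; $i++) { if ($tail[$i] -notlike "*$($successLines[$i])") { return $false } }
    return $true
}

# Pre-flight: elevated shell, UAC state (the article says the command fails with UAC on),
# and a password the command line can carry without quoting trouble.
$me = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $me.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { throw 'Run from an elevated PowerShell.' }
$lua = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA
if ($lua -eq 1) { Write-Warning 'UAC (EnableLUA=1) is enabled; the article states RunDllGenCerts fails in that case.' }
if ($AdminPassword -notmatch '^[A-Za-z0-9]+$') { throw 'Use a temporary alphanumeric password (see the NOTE in the article).' }

# 1. Stop the ePO Server service (Apache); the Application Server (Tomcat) must be running.
$apache = Get-Service -DisplayName 'McAfee ePolicy Orchestrator * Server' |
          Where-Object { $_.DisplayName -notlike '*Application Server*' } | Select-Object -First 1
$tomcat = Get-Service -DisplayName 'McAfee ePolicy Orchestrator*Application Server*' | Select-Object -First 1
if (-not $apache -or -not $tomcat) { throw 'ePO services not found; adjust the display-name patterns.' }
Stop-Service -Name $apache.Name
if ((Get-Service -Name $tomcat.Name).Status -ne 'Running') { Start-Service -Name $tomcat.Name }

# 2. RunDllGenCerts needs an existing, empty ssl.crt; keep the old set for rollback.
$old = $null
if (Test-Path $sslCrt) {
    $old = "$sslCrt.old"
    if (Test-Path $old) { $old = "$old.$(Get-Date -Format yyyyMMddHHmmss)" }
    Move-Item -Path $sslCrt -Destination $old
}
New-Item -ItemType Directory -Path $sslCrt | Out-Null

# 3. Run ahsetup from the install folder. rundll32 is a GUI-subsystem process: it prints
#    nothing and its exit code says nothing useful, so wait for it and judge by the artifacts.
$argList = @('ahsetup.dll', 'RunDllGenCerts', $EpoServerName, $ConsoleHttpsPort,
             $AdminUser, $AdminPassword, "`"$sslCrt`"")   # path double-quoted, as the article requires
Start-Process -FilePath 'rundll32.exe' -ArgumentList $argList -WorkingDirectory $InstallDir -Wait

# 4. Verify: all five files present and the log ends with the success lines.
$missing = @($expected | Where-Object { -not (Test-Path (Join-Path $sslCrt $_)) })
$log = Get-ChildItem -Path $InstallDir -Filter "ahsetup_$EpoServerName.log" -Recurse -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime | Select-Object -Last 1
$logOk = $log -and (Test-AhSetupLog (Get-Content -Path $log.FullName))
if ($missing.Count -gt 0 -or -not $logOk) {
    Write-Warning "Regeneration failed. Missing files: [$($missing -join ', ')]. Log: $($log.FullName)"
    Write-Warning "Previous certificates are in $old; leave the ePO Server service stopped until this is resolved."
    exit 1
}

# 5. Only now restart Apache. Remove the temporary admin account in the console afterwards.
Start-Service -Name $apache.Name
Write-Host "Regenerated $($expected.Count) files in $sslCrt (previous set kept in $old)."
```

The script deliberately leaves Apache stopped on failure, because starting it against an incomplete ssl.crt produces a broken agent-to-server channel that is harder to diagnose than a stopped service. After a successful run, delete the temporary administrator, clear the shell history (the password is part of the invocation), and re-enable UAC if you disabled it for this step.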