The content of this article is also available as a video on our
YouTube channel.
Workflow of the certificate migration process:
Certificate Regeneration
- SHA-2-based Root and Intermediate certificates are regenerated on the ePO server for all managed products that use MFS ROOT_CA for TLS/SSL communication. The certificates are placed in a temporary location on the ePO server.
- On successful regeneration of a new Sitelist.xml, an agent package is created. During this stage, ePO distributes Sitelist.xml and checks for certificate distribution progress.
Certificate Activation
- The ePO server takes a backup of the original certificate, and moves the newly generated certificates in the temporary folder to the active keystore folder.
Finish or Cancel migration
- When you select Finish Migration, the backed-up original certificates are deleted and the new certificates are set to active.
- When you select Cancel Migration, the backed-up original certificates are moved back to the keystore folder and activated.
- Because the new certificates are never activated, the user interface reverts to showing SHA1WithRSA. The new certificates in the temp folder are deleted, and the old SHA-1 certificates are restored to service.
Detailed steps (actions taken on the Certificate Manager page in the ePO console):
Clicking 'Regenerate Certificate'
- By default, with SHA-1, the MA sitelist contains two sets of certificate information. After you click Regenerate Certificate, it contains four sets of certificate information for SHA-2.
- Regeneration also creates the keystoreTemp folder under ePO\server. It contains the following four files:
  - AgentHandler.keystore
  - Ca.keystore
  - ClientAuth.keystore
  - Server.keystore
- If regeneration succeeds, the Audit Log contains an entry with the action Regeneration Completed at the same time stamp.
- Check the modified date and time stamp of the Sitelist.xml file; it should match the keystoreTemp folder and the Audit Log entries.
- Two more entries are added to the EPOServerCerts and EPOServerCertsBackup tables. EPOServerCertsBackup holds the two old entries, which are used when you click Cancel Migration to revert to SHA-1.
- A Hash Algorithm value of SHA1withRSA indicates that the migration from SHA-1 to SHA-2 is not yet finished.
- When an ASCI (agent-server communication interval) triggers, the client downloads the updated sitelist with the SHA-2 certificates and updates its CABUNDLE.cer file.
- As clients receive the certificates, the completion percentage indicator on the Certificate Manager page in the ePO console increases. It states that the certificate was received at the client, indicating when you are ready to click Activate.
Clicking 'Activate Certificate'
- Only click Activate when the status is 100%. 100% indicates that all clients have received the new SHA-2 certificates through the ASCI.
- If you click Activate while progress shows less than 100%, clients that have not yet received the SHA-2 certificate fail to contact the ePO server.
- Clicking Activate changes keystoreTemp to KeystoreBackup and moves all data from the keystore folder to the backup folder.
- To confirm that activation has completed, view the Audit Log for the same time stamp, or check the modified date of the KeystoreBackup folder.
Clicking 'Finish Migration'
- This step is crucial: the system has been migrated to SHA-2, and the following is deleted:
  - The backup content from the server\KeystoreBackup folder
  - The content of the EPOServercertificatesBackup table
- Verify on the client system that the changes from the ePO certificate regeneration have been applied:
  - On the client system, check the modified time of the cabundle.cer file. This is the time at which the ASCI received the updated sitelist certificate information and updated cabundle.cer.
  - Verify that the file contains the SHA-2 information before you click Activate in the ePO console. Use this method to confirm manually rather than relying on the percentage count on the Certificate Manager page.
  - Open the cabundle.cer file in a text editor such as Notepad or Notepad++. You see two sets of certificates for SHA-1 and four sets of certificates for SHA-2.
This confirms that the client received the SHA-2 certificates. Clicking Finish Migration in ePO switches the system to SHA-2 and allows ePO to connect to the client successfully.
- Verify that the certificate information in the cabundle.cer file matches Sitelist.xml on the ePO server.
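As an added example (not from this article or the ePO product), the following Python script automates the manual cabundle.cer check described above: it walks each PEM certificate's outer DER structure to read the signature-algorithm OID and counts SHA-1 versus SHA-2 signed entries, so you can confirm the four SHA-2 sets arrived before clicking Activate. It uses only the standard library; the sample bundle is built from constructed DER skeletons that have a certificate's outer shape and are not real certificates.

```python
import base64, re

# PKCS#1 signature-algorithm OIDs as DER content bytes (sha1WithRSA = 1.2.840.113549.1.1.5, sha256WithRSA = ...1.1.11).
SIG_ALG_NAMES = {
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010c"): "sha384WithRSAEncryption",
    bytes.fromhex("2a864886f70d01010d"): "sha512WithRSAEncryption",
}

def read_tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }; return the algorithm name."""
    _, body, _ = read_tlv(der, 0)            # outer SEQUENCE
    _, _, tbs_end = read_tlv(der, body)      # skip tbsCertificate
    _, alg, _ = read_tlv(der, tbs_end)       # signatureAlgorithm SEQUENCE
    tag, start, end = read_tlv(der, alg)     # its first element is the algorithm OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIG_ALG_NAMES.get(der[start:end], "unknown OID " + der[start:end].hex())

def summarize_bundle(pem_text):
    """Count SHA-1 vs SHA-2 signed certificates in a PEM bundle such as cabundle.cer."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    algs = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in blocks]
    sha1 = sum(a == "sha1WithRSAEncryption" for a in algs)
    sha2 = sum(a.startswith(("sha256", "sha384", "sha512")) for a in algs)
    return {"total": len(algs), "sha1": sha1, "sha2": sha2, "algorithms": algs}

def _tlv(tag, content):
    """Tiny DER encoder (short-form lengths only), used here only to construct sample data."""
    return bytes([tag, len(content)]) + content

def fake_cert_pem(oid_bytes):
    """Constructed stand-in with a certificate's outer DER shape; not a real or usable certificate."""
    der = _tlv(0x30, _tlv(0x30, b"\x02\x01\x01") + _tlv(0x30, _tlv(0x06, oid_bytes)) + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"

# Constructed bundle in the state the article describes after Regenerate: two SHA-1 sets plus four SHA-2 sets.
SAMPLE_BUNDLE = fake_cert_pem(bytes.fromhex("2a864886f70d010105")) * 2 + fake_cert_pem(bytes.fromhex("2a864886f70d01010b")) * 4

if __name__ == "__main__":
    print(summarize_bundle(SAMPLE_BUNDLE))
```

To check a real client, pass the file contents instead of the sample: `summarize_bundle(open(r"path\to\cabundle.cer").read())`; a "sha2" count below four means the ASCI has not yet delivered the regenerated sitelist.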
- Use the following query to track systems that use the SHA-2 certificate if the Certificate Manager page displays incorrect results after migration because of time zone differences:
  SELECT * FROM OrionCertStateManager WHERE ProductID = 'agentHandler.keystore'
- Use the following SQL queries to verify the status of the certificate migration:
  - Status of the migration process (for example, Regenerate, Activate, Finish Migration):
    Select * from OrionCertStateManager
  - The ePO SHA-1 and SHA-2 certificates:
    Select * from EPOServerCerts
  - The backup certificates present after clicking Regenerate and before finishing the migration:
    Select * from EPOServerCertsbackup