This article explains how to regenerate all X.509 certificates used by the TIE server, including the TIE CA.
When this procedure is needed
This procedure is required after an upgrade of ePolicy Orchestrator (ePO) to 5.9 if the ePO root certificate is regenerated using the Certificate Manager; otherwise, the TIE server stops operating. The procedure can also be used to renew the TIE server certificate when local certificate management policy requires it.
IMPORTANT: You must schedule a downtime to restart your TIE servers after you regenerate the certificates.
Renew the CA, Certificate, and Private Keys
NOTE: Repeat all procedures and steps mentioned below for each ePO server instance.
- Log on as an Administrator and delete these files:
  - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore\tie.keystore
  - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore\TIEServerMgmt.crt
  - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore\TIEServerMgmt.key
  - C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Server\keystore\TIEServerMgmt_CA.crt
- In a browser, navigate to the following URL:
  https://<epo host>:8443/remote/tie.createTieCaCommand
  The message "OK: CA generated" displays.
- In ePO, select Server Tasks, Actions, and then click TIE server Synchronize CA.
- Log on to each TIE server as root.
- Run the following command:
  reconfig-cert
  The message "INFO New Signed Certificate received" displays. The TIE server has now renewed its CA, certificate, and private keys.
Verification steps
To confirm that the procedure is successful, perform the steps below:
- Verify DXL connectivity and the replication status. Go to the ePO Server Settings, select TIE server Topology Management, and verify that the Health Status for each TIE server system displays OK for Database replication.
- Check the dashboards. Go to the ePO Dashboards and select TIE Server Files, TIE Server Certificates, and TIE Server Data Cleanup. No errors should display.