When preparing to update the SSL certificate on your Cloud Enabled Management Internet Gateway and you have a third-party certificate that is expiring soon.

You currently have CEM-enabled managed machines and your SSL certificates are expiring soon on the Internet Gateway.

ITMS 8.x

Using third-party certificates that Expire on the CEM Gateway

Please read each item in this section before completing the solution:

• It is recommended to start this process at least five (5) weeks before the expiration of your certificate. 
• You will receive a "Certificate is about to expire alert" message from the Notification Server 60 days prior to the expiration, see KB article Certificate is about to expire alert.
• If the certificate is already changed on the gateway, or if for any reason the CEM-enabled agents cannot currently connect to the CEM gateway this process will not work since the clients will not be able to receive the updated policy. In that situation, a new "offline CEM Agent install package" will need to be created and sent to the machines that have lost CEM connectivity. This is especially true on machines that neither physically connect to your corporate network directly, nor use a VPN.
• Most of the traffic in CEM mode is encrypted, using the certificate bound to your IIS webservers on the notification server and site servers, not the CEM gateway. As such, the process outlined below is to update the gateway certificate, not the notification server certificate.
• This can be completed with only one internet gateway, unlike previous solutions.
• Your new certificate must be in .pfx format
• If your new certificate is issued by your internal CA, please verify that the clients trust this CA prior to completing these steps.
• If your new certificate is issued by a third-party authority, no certificates need to be distributed to client machines (GoDaddy, Verisign, Thawte, etc.)
• If your new certificate is issued by the SMP agent CA or SMP server CA, no certificates need to be distributed to client machines.
• The process below ADDs a new Gateway Profile to the agent registry when the Thumbprint is Updated / Modified. You do not lose communication with your agents for two (2) weeks as agents will have both Profiles to try, and one Profile will be successful throughout the whole process.  If you have one or two gateways, you can run through this process on All of your gateways at the same time, and not lose any Agent Communications.
• If you plan on installing new agents during the 2 week waiting period, generate a CEM installation package BEFORE making any changes and use that package to install agents during the 2 week window. New agents may not be aware of the old thumbprint if the CEM agent installer is generated after the CEM policy is changed. Existing agents will still have a record of the old thumbprint which they can use until the certificate is replaced/finalized on the gateways.

Solution:

1. Obtain a new Certificate.
   1. Obtain your new SSL certificate intended for use on the CEM gateway. Ensure that the Subject (issued to) of the certificate is the externally resolvable name of the gateway. This is the name the agents will use to find the gateway on the internet.
2. Capture the Thumbprint of the new certificate
   
   1. Install the new certificate to the trusted root of a test machine and record the certificate's thumbprint. You can install the certificate to the trusted root of the gateway for this step, although this is unnecessary. Inside the certificate, the thumbprint is located under Details > Thumbprint (bottom of the details list)
3. Update CEM Settings with the new Thumbprint.
   1. **Before performing this step, please see KB article After updating CEM policy with new certificate thumbprint, agents may lose old thumbprint before it's replaced on the Gateway.
      In your Altiris console, Navigate to Settings > All Settings. From here, navigate to Notification Server > Cloud-enabled Management > Policy > Cloud-enabled Management Settings. Highlight the name of your gateway and click the edit pencil. Replace the thumbprint here with the one from step 2. Click OK.
4. Agents check in and get the new Thumbprint.  Wait 2 weeks.
   
   1. Agents in CEM mode will now need to either wait for the normal configuration update interval, or one can be forced with Resource Membership Update > Policy. Then run the 'update client configuration' task using the 'now' scheduling option.
   2. NOTE: Machines that are offline, but will be in CEM mode when they power on, will need time to update their configuration before continuing. It is recommended to wait at least two weeks before proceeding to ensure as many machines as possible have gotten the policy update.
5. Validate CEM enabled Agents are getting the new Thumbprint.
   1. Verify on a CEM-enabled machine that there is now an additional entry in the registry for the new gateway thumbprint. HKLM\Software\Altiris\Communications\Secure Gateways\{GUID of gateway} DWORD "Cert Thumbprint".  NOTE: the thumbprint will not immediately appear in agent diagnostics > certificates.
   2. For information about Mac Computers, please see KB article How to verify that the new Gateway certificate thumbprint was sent to my MacOs computers.
6. Replace the Certificate on the Gateway.
   1. Copy the new certificate to your CEM internet gateway. Launch the Symantec Internet Gateway Manager as Administrator, and navigate to the General tab. 
   2. There are 2 ways to update the Certificate: 
      1. Click Change on the Web Certificate, and follow the prompts to Import the new Certificate.
      2. Click "SMP Internet Gateway Setup" Click Next twice. Click the radio button for "import 3rd party certificate." Click the select button and navigate to your new certificate. Click Next twice, ensure the radio button for automatically restart services is checked, then click Finish.

NOTE: Any computers that do not get the updated policy before the certificate is replaced on the gateway, will need to either connect to the internal network long enough to get the updated policy data, or to have a new CEM installation package installed.  Connecting through Virtual Private Network (VPN) is usually a good method to put systems on the internal network, and agents will get their CEM certificates when they connect to the SMP this way. 

Other possible workarounds when the Certificate is replaced incorrectly: Agents will also communicate again if the Thumbprint in the new Certificate is updated in the Secure Gateways registry key.  Location: HKEY_LOCAL_MACHINE\SOFTWARE\Altiris\Communications\Secure Gateways\{GUID}\Cert Thumbprint.  If you have a way to update that registry key with the correct GW Thumbprint, the Agent will start communicating through CEM Again.

Steps to replace, renew, and revoke certificates in ITMS 8.x

Cloud-enabled Management for ITMS (Page 31 of this Whitepapere explains the steps required to change the certificate)