MPKI certificate errors in Servers and Detectors Overview for the Enforce Server


Article ID: 209406


Products

Data Loss Prevention Cloud Service for Email
Data Loss Prevention Cloud Detection Service
Data Loss Prevention Cloud Detection Service for ICAP
Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

The following Managed PKI (MPKI) certificate errors appear in the error log of the servers listed under Servers and Detectors Overview on the Enforce Server:

Yellow alert 4205: Managed PKI Service certificate expires in <x> days.

Red alert 4202: Cloud Service Renewal Enrollment: error requesting client certificate from Managed PKI Service.

Cause

The Cloud Certificate for your DLP Cloud Service is valid for 3 years from the original enrollment date and is about to expire. Event code 4205 is raised once the existing certificate is within 30 days of expiry.

For customers on Enforce version 15.1 and above, the Cloud Service Gateway initiates renewal of this certificate automatically and ships the new certificate bundle to Enforce.

The DetectionServerController service then attempts to enroll the renewal bundle with the Managed PKI Service. If it cannot reach the PKI Manager, enrollment fails and event code 4202 is raised.

Resolution

Ensure that the Enforce console services have outbound access on TCP port 443 to the PKI Manager at the following URL:

https://pki-scep.symauth.com/

If the fix is made on your network proxy or firewall, no action is required on the Enforce server: re-enrollment is retried automatically and should succeed at the next attempted upload, after which alert 4202 stops being raised.

If the fix instead requires changing the Cloud Proxy Settings on Enforce, restart the DetectionServerController service afterward so that it picks up the new proxy configuration.
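The following script is an added example (not Broadcom's own tooling or part of the Enforce product) that ties the checks above together from the Enforce host: it recognises the 4205 and 4202 lines, maps each to the action this article recommends, computes how many days remain on a certificate from an openssl-style notAfter value to confirm the 30-day window, and opens an HTTPS connection to https://pki-scep.symauth.com/ through whatever proxy HTTPS_PROXY points at. The sample log lines are constructed in the shape shown above, and the ACTIONS wording is paraphrased from the Cause and Resolution sections.

```python
"""Triage helper for DLP Cloud Service MPKI alerts 4205 and 4202.

Added example, not Broadcom/Symantec code. Facts from the article: the PKI
Manager URL and the 30-day warning window. Everything else is an assumption.
"""
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone

PKI_MANAGER_URL = "https://pki-scep.symauth.com/"  # from the article
EXPIRY_WARNING_DAYS = 30                            # 4205 is raised inside this window

# Recommended action per event code, paraphrased from the Cause/Resolution text.
ACTIONS = {
    "4205": "certificate inside the 30-day window; the Cloud Service Gateway "
            "should ship a renewal bundle, no action unless 4202 follows",
    "4202": "DetectionServerController could not enroll the renewal bundle; verify "
            "outbound TCP/443 to pki-scep.symauth.com (via the Cloud Proxy if one "
            "is configured) and restart DetectionServerController after proxy changes",
}

# Constructed sample lines in the shape the article shows; not from a real server.
SAMPLE_ALERTS = [
    "Yellow alert 4205 Managed PKI Service certificate expires in 12 days.",
    "Red alert 4202 Cloud Service Renewal Enrollment: error requesting client "
    "certificate from Managed PKI Service.",
    "Green info 1000 Server started.",  # unrelated line, must be ignored
]

# Tolerates both "alert 4205" and the run-together "alert4205" seen in exports.
ALERT_RE = re.compile(r"^(?P<severity>Yellow|Red) alert\s*(?P<code>\d{4})\s+(?P<message>.+)$")


def parse_alerts(lines):
    """Return [(severity, code, message)] for MPKI alert lines, skipping others."""
    found = []
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m and m.group("code") in ACTIONS:
            found.append((m.group("severity"), m.group("code"), m.group("message")))
    return found


def triage(lines):
    """Map each recognised alert to the article's recommended action."""
    return [(code, ACTIONS[code]) for _sev, code, _msg in parse_alerts(lines)]


def _parse_openssl_time(value):
    """Parse 'May 12 10:00:00 2025 GMT' as printed by `openssl x509 -noout -enddate`."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Whole days left on a certificate; `now` may be a datetime, an openssl-style
    string, or None for the current time."""
    expires = _parse_openssl_time(not_after)
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_openssl_time(now)
    return (expires - now).days


def expiry_state(days_left):
    """'expired', 'warning' (the condition behind alert 4205) or 'ok'."""
    if days_left < 0:
        return "expired"
    if days_left <= EXPIRY_WARNING_DAYS:
        return "warning"
    return "ok"


def pki_manager_reachable(url=PKI_MANAGER_URL, timeout=10.0):
    """Open an HTTPS connection to the PKI Manager from this host.

    urllib honours HTTPS_PROXY/https_proxy, so export the same proxy the Enforce
    Cloud Proxy Settings use before running this. Any HTTP response, even
    403/404/405, proves the TCP and TLS path works; only a transport, DNS or TLS
    failure counts as unreachable. Returns (reachable, detail).
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return True, f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:
        return True, f"HTTP {e.code}"
    except (urllib.error.URLError, OSError) as e:  # refused, timeout, DNS, TLS
        return False, str(getattr(e, "reason", e))


if __name__ == "__main__":
    for code, action in triage(SAMPLE_ALERTS):
        print(f"{code}: {action}")
    ok, detail = pki_manager_reachable()
    print(f"{PKI_MANAGER_URL} reachable={ok} ({detail})")
```

Run it on the Enforce host as the account the Enforce services use, with HTTPS_PROXY set to the Cloud Proxy if one is configured, so the reachability result reflects the path DetectionServerController actually takes; a `False` result here is the precondition for alert 4202, and the fix belongs on the proxy or firewall, not on Enforce.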
