App Control: How to Replace Server Certificate in Version 8.x and Higher

Article ID: 286687

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

To replace the App Control Server certificate used for Agent communication.

Environment

  • App Control Console: All Supported Versions

Resolution

Please Note Prior To Replacing The Communication Certificate:
  • Server 8.9.4 and higher includes a Certificate Delay Swap feature: the Console continues to present the old Communication Certificate for a period of time before swapping in the new one.
  • Server 8.10.2 includes several Communication Certificate enhancements.
  • Server 8.10.2 also includes an Update Schedule option. It is recommended to set this to the expiration date of the current certificate.
  • The Update Schedule chosen determines the Certificate Delay Swap period.


If using a Self-signed Certificate:
  1. Log in to the App Control Console > gear icon > System Configuration.
  2. From the System Configuration tab, navigate to: Security > Current Server Certificate > Edit.
  3. Make any necessary updates (such as the server name, the "Valid For" period, etc.).
  4. Click Generate.

If using a certificate issued by a Certificate Authority (CA):
  1. Obtain the new, unexpired CA-issued certificate for the App Control Server.
  2. Log in to the App Control Console > gear icon > System Configuration.
  3. From the System Configuration tab, navigate to: Security > Import Server Certificate From PKCS12 File > Browse...
  4. Locate the certificate file, specify the Password and click Import.
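The following PowerShell script is an added example; it is not part of this article or of the App Control product. It shows how to produce the PKCS12 file that step 1 above presupposes when the certificate still has to be requested from the CA: because the Console cannot generate a CSR (see Additional Information), the key pair and CSR are created on the server with the Windows certreq tool, and once the CA has issued the certificate it is exported together with its private key as a password-protected PKCS12 (.pfx) file for the Import step. The hostname appcontrol.example.com, the C:\Temp working directory and the function names are assumptions.

```powershell
# Added example, not part of the KB article or the App Control product.
# Step 1 (New-AppControlCsr): create the key pair in the machine store and a PKCS#10 CSR.
# Step 2 (Export-AppControlPfx): after the CA returns issued.cer, bind it to the pending
# request and export cert + private key as a PKCS12 file for the Console import.
# Assumptions: elevated PowerShell on the App Control server; the hostname and
# working directory below are placeholders.

$ServerFqdn = 'appcontrol.example.com'      # assumed: the name agents connect to
$WorkDir    = 'C:\Temp\appcontrol-cert'      # assumed scratch directory

function New-AppControlCsr {
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    # certreq policy file: exportable 2048-bit RSA key in the machine store (so it can be
    # exported as PKCS12 later), Server Authentication EKU, and a SAN matching the hostname.
    $inf = @"
[NewRequest]
Subject = "CN=$ServerFqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$ServerFqdn&"
"@
    $infPath = Join-Path $WorkDir 'request.inf'
    $csrPath = Join-Path $WorkDir 'request.csr'
    Set-Content -Path $infPath -Value $inf -Encoding ASCII
    certreq -new $infPath $csrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }
    # Only the CSR leaves the server; the private key stays in the machine store.
    Write-Host "Submit $csrPath to the CA and save the issued certificate as $WorkDir\issued.cer"
}

function Export-AppControlPfx {
    $cerPath = Join-Path $WorkDir 'issued.cer'
    $pfxPath = Join-Path $WorkDir 'appcontrol-server.pfx'
    if (-not (Test-Path $cerPath)) { throw "Issued certificate not found at $cerPath" }

    # Must run on the machine that generated the CSR, otherwise no private key matches.
    certreq -accept $cerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }

    # Pick the newest certificate for this subject that has a private key.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$ServerFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key found for CN=$ServerFqdn" }

    # Sanity checks before handing the file to the Console: unexpired, Server Authentication EKU.
    if ($cert.NotAfter -le (Get-Date)) { throw "Certificate $($cert.Thumbprint) is already expired" }
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        Write-Warning "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU"
    }

    # The same password is entered in the Console's Import dialog.
    $pfxPassword = Read-Host -AsSecureString 'PKCS12 password'
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
    Write-Host "Exported $($cert.Thumbprint) (valid until $($cert.NotAfter)) to $pfxPath"
}

# Usage: run New-AppControlCsr, have the CA issue the certificate, then run Export-AppControlPfx.
```

Once the .pfx file exists, continue with steps 2 to 4 above. Delete the .pfx from the working directory after the import; the private key remains in the machine store.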

After Updating the Agent Server Certificate:
  1. The previous Communication Certificate will continue to be displayed in the Current Server Certificate Details for 60 minutes.
  2. If using an alternate RDL, verify that the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ to the alternate RDL.
  3. The certificate bound to port 443 in IIS is likely also expired and will need to be updated at this time as well.
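The following PowerShell script is an added example; it is not part of this article or of the App Control product. It carries out the post-update items above in one place: rebinding port 443 in IIS to the new certificate, copying TrustedCertList.pem to an alternate RDL and verifying that the copy actually contains the new certificate, and reporting the remaining validity (with a warning if the server clock looks wrong). The thumbprint placeholder, the hostpkg directory, the \\rdl01\hostpkg share, the assumption of a plain 0.0.0.0:443 binding without SNI, and the function names are all assumptions.

```powershell
# Added example, not part of the KB article or the App Control product.
# Assumptions: elevated PowerShell on the App Control server with the IIS
# WebAdministration module; placeholder thumbprint, hostpkg path and RDL share;
# the HTTPS binding is 0.0.0.0:443 without SNI.

Import-Module WebAdministration

$NewThumbprint = 'PASTE-THUMBPRINT-FROM-CONSOLE-OR-CERT-STORE'   # assumed placeholder
$HostPkgDir    = 'D:\Bit9\Parity Server\hostpkg'    # assumed; use your install's \Parity Server\hostpkg\
$AlternateRdl  = '\\rdl01\hostpkg'                   # assumed alternate RDL location

$cert = Get-Item "Cert:\LocalMachine\My\$NewThumbprint" -ErrorAction Stop

function Set-IisPort443Certificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $bindingPath = 'IIS:\SslBindings\0.0.0.0!443'
    $current = Get-Item $bindingPath -ErrorAction SilentlyContinue
    if ($current -and $current.Thumbprint -eq $Certificate.Thumbprint) {
        Write-Host "Port 443 already uses $($Certificate.Thumbprint)"
        return
    }
    if ($current) {
        $old = Get-Item "Cert:\LocalMachine\My\$($current.Thumbprint)" -ErrorAction SilentlyContinue
        if ($old) { Write-Host "Replacing $($old.Thumbprint) (expired/expires $($old.NotAfter)) on port 443" }
        Remove-Item $bindingPath
    }
    # Same pattern as binding any store certificate to an IIS SSL endpoint.
    $Certificate | New-Item $bindingPath | Out-Null
    Write-Host "Port 443 now bound to $($Certificate.Thumbprint)"
}

function Test-TrustedCertListContains {
    param([string]$PemPath, [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # The PEM file is a concatenation of certificate blocks; normalise each to raw base64 and compare.
    $content = Get-Content -Path $PemPath -Raw
    $wanted  = [Convert]::ToBase64String($Certificate.RawData)
    $blocks  = [regex]::Matches($content, '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----', 'Singleline')
    foreach ($b in $blocks) {
        if (($b.Groups[1].Value -replace '\s', '') -eq $wanted) { return $true }
    }
    return $false
}

function Sync-TrustedCertList {
    $src = Join-Path $HostPkgDir   'TrustedCertList.pem'
    $dst = Join-Path $AlternateRdl 'TrustedCertList.pem'
    # Do not propagate a stale list: the new certificate must already be in it.
    if (-not (Test-TrustedCertListContains -PemPath $src -Certificate $cert)) {
        throw "$src does not contain $($cert.Thumbprint); wait for the server to regenerate it"
    }
    Copy-Item -Path $src -Destination $dst -Force
    $srcHash = (Get-FileHash -Path $src -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -Path $dst -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy to $dst does not match the source (SHA256 $srcHash)" }
    Write-Host "TrustedCertList.pem copied to $dst (SHA256 $srcHash)"
}

function Show-RemainingValidity {
    $now = Get-Date
    # A NotBefore in the future means the certificate was generated with a wrong clock.
    if ($cert.NotBefore -gt $now) { Write-Warning "NotBefore is in the future: verify the server clock" }
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    if ($daysLeft -lt 30) { Write-Warning "Certificate expires in $daysLeft days ($($cert.NotAfter))" }
    else { Write-Host "Certificate valid for $daysLeft more days (until $($cert.NotAfter))" }
}

Set-IisPort443Certificate -Certificate $cert
Sync-TrustedCertList
Show-RemainingValidity
```

If the HTTPS binding uses SNI, the item under IIS:\SslBindings is named after the hostname rather than 0.0.0.0!443; adjust $bindingPath accordingly. The same Show-RemainingValidity check can be run on a schedule as a complement to the Console Alert mentioned under Additional Information.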

Additional Information

  • The same certificate used for Agent/Server communication can also be used in IIS.
  • The new Agent Communication Certificate is automatically added to the Trusted Certificates list with a Trust status of Yes.
  • To remove Trust from the current Agent Communication Certificate, it must first be replaced.
  • There is no option to generate a Certificate Signing Request (CSR) within the Console. If a CSR is required, generate it outside the Console (for example with the Windows certreq tool or OpenSSL) and submit it to the relevant Certificate Authority.
  • Newly generated certificates can be found in the local certificate manager of the application server.
  • The Edit button will be missing if Certificate Verification is enabled. Refer to Related Content if it needs to be disabled.
  • If the clock on the App Control server is wrong when the certificate is regenerated, a GetSslError[32] error may be seen; correct the clock and regenerate the certificate.
  • An Alert can be created to warn before the certificate expires.
  • After replacing the certificate in IIS, Console performance may be slow temporarily, as described in the referenced document.