Replace the Server Certificate
search cancel

Replace the Server Certificate

book

Article ID: 286687

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to replace or update the Server certificate used for Agent communication.

Environment

  • App Control Console: All Supported Versions

Resolution

Please Note Prior To Replacing The Communication Certificate:
  • Server 8.9.4 and higher includes a Certificate Delay Swap feature which will show the old Communication Certificate for a period of time before swapping the new one.
  • Server 8.10.2 includes several Communication Certificate enhancements.
  • Server 8.10.2 also includes an Update Schedule option. It is recommended to use the expiration date of the current certificate.
  • The Update Schedule chosen will determine the Certificate Delay Swap.



If using a Self-signed Certificate:

  1. Log in to the App Control Console > gear icon > System Configuration.
  2. From System Configuration tab: navigate to: Security > Current Server Certificate > Edit.
  3. Make any necessary updates (such as previous server name, "Valid For" period, etc)
  4. Click Generate.


If using a certificate issued by a Certificate Authority (CA):

  1. Obtain the new, unexpired CA issued certificate for the Server.
  2. Log in to the App Control Console > gear icon > System Configuration.
  3. From System Configuration tab: navigate to: Security > Import Server Certificate From PKCS12 File > Browse...
  4. Locate the certificate file, specify the Password and click Import.


After Updating Agent Server Certificate:

  1. The previous Communication Certificate will be displayed in the Current Server Certificate Details for the duration specified in the Update Schedule.
  2. If using an alternate RDL verify the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
  3. It is likely that the certificate bound to Port 443 in IIS is also expired and will need to be updated at this time as well.

Additional Information

  • The same certificate used for Agent/Server Communications can be used in IIS.
  • The new Agent Communication Certificate will automatically be added to the Trusted Certificates List, with the Trust status as Yes.
  • In order to remove Trust for the current Agent Communication Certificate, it must first be replaced.
  • There is no option to generate a Certificate Signing Request (CSR) within the Console. Work with the relevant Certificate Authority to obtain a CSR, if required.
  • Newly generated certificates can be found in the Local Certificate Manager of the application server.
  • The Edit button will be missing if Certificate Verification is enabled.
  • If the clock is off on the App Control server when regenerated a GetSslError[32] error may be seen and the clock may need to be fixed and cert regenerated
  • Replacing the certificate may cause the Communication Certificate could cause temporary Console performance issues.
Powered by Wolken Software