Certificate import from a PFX file fails in the 8.11.2 console

Article ID: 421321

Updated On:

Products

Carbon Black App Control

Issue/Introduction

  • Updating the server certificate in the 8.11.2 web console using a .PFX file fails to apply the new certificate.
  • If using the scheduled option, the same old certificate is displayed as both the current and pending certificate.
  • The Server Certificate does not change after importing the new certificate, but the new certificate does appear under Trusted Communication Certificates.
  • The following messages may be displayed:
    New certificate was successfully imported and applied. It will be applied in X minutes.
    Error importing certificate: Certificate already exists.
  • Agents disconnect or go offline after the previous certificate expires.

Environment

  • App Control Server: 8.11.2

Cause

This issue is currently being investigated as part of engineering ticket CRE-22899.

Resolution

  1. Log in to the App Control Server system
  2. Open the local machine cert store (Certlm.msc)
  3. Navigate to > Trusted People > Certificates > Verify that the new certificate is present
    • If not present > Import the Certificate using the .PFX file
  4. In the web console > go to System Configuration > Security tab > Scroll down to the "Trusted Communication Certificates" section > Verify the new certificate is present > Copy the thumbprint
    • If not present > Import the Certificate as DER encoded .CER file
  5. Go to > https://AppCServer/Shepherd_config.php > ShowAllProps > Set it to: true > Change > Navigate away from the page
  6. Reopen https://AppCServer/Shepherd_config.php > SSLCertificateThumbprint > Update the thumbprint value using the thumbprint of the new certificate
  7. Open the Services console (services.msc) > Restart the App Control Server service.

Additional Information

  • If the displayed message is "Error importing certificate: Could not import cert from temp file", generate a new SSL certificate that includes a DNS entry matching the name of App Control as displayed in the web console (e.g. DNS=APPCSERVER.domain.com).
  • PrevSSLCertificateThumbprint represents the old certificate that is currently in use, while SSLCertificateThumbprint represents the certificate that will be used after the swap. If PrevSSLCertificateThumbprint is null, the swap is complete, and SSLCertificateThumbprint may need to be modified manually using the resolution steps.
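
The checks behind resolution steps 3, 4 and 6 and the DNS note above can be run from PowerShell on the App Control Server before editing SSLCertificateThumbprint. This is an added example, not Broadcom's own tooling; the PFX path and server name are placeholders to replace.

```powershell
# Added example: read-only pre-checks, nothing is imported or changed.
# Requires the built-in PKI module (Get-PfxData) on the App Control Server.
$PfxPath    = 'C:\Temp\appc-new.pfx'       # placeholder: path to the new .PFX file
$ServerName = 'APPCSERVER.domain.com'      # placeholder: name shown in the web console

# Read the leaf certificate out of the PFX without importing it.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$pfx   = Get-PfxData -FilePath $PfxPath -Password $pfxPassword
$leaf  = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $leaf) { throw "No end-entity certificate found in $PfxPath" }
$thumb = $leaf.Thumbprint

# Step 3: is that same certificate present in Local Machine > Trusted People?
$stored = Get-ChildItem -Path Cert:\LocalMachine\TrustedPeople |
    Where-Object { $_.Thumbprint -eq $thumb }

# Additional Information: a DNS entry must match the App Control server name.
# DnsNameList is filled from the SAN extension (or the subject if there is no SAN).
$dnsNames = @($leaf.DnsNameList | ForEach-Object { $_.Unicode })

[pscustomobject]@{
    Thumbprint       = $thumb                       # compare with the value copied in step 4
    Subject          = $leaf.Subject
    InTrustedPeople  = [bool]$stored
    HasPrivateKey    = [bool]($stored | Where-Object { $_.HasPrivateKey })
    NotAfter         = $leaf.NotAfter
    Expired          = $leaf.NotAfter -lt (Get-Date)
    DnsNames         = $dnsNames -join ', '
    DnsMatchesServer = $dnsNames -contains $ServerName   # exact, case-insensitive match
} | Format-List
```

If InTrustedPeople is False, import the .PFX as described in step 3 and rerun. The DNS check is an exact name comparison and does not evaluate wildcard entries.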