Replacing the NS Website certificate

Article ID: 281047

Products

IT Management Suite

Issue/Introduction

Your NS Website certificate is about to expire. Based on this confirmation page, the new website certificate will also be distributed to agents.

Will agents be disconnected if the new certificate is not distributed? Also, will it work to replace the website certificate by binding the new certificate in IIS Manager?

Environment

ITMS 8.x

Resolution

The usual way to replace certificates on the SMP Server can be found in the following KB article:

Steps to replace, renew, and revoke certificates in ITMS 8.x

A few other things to consider are:

1. Do not change certificates manually from IIS Manager for the Web Site where NS is running.
2. Follow the supported way by using the "Certificate Management" page for certificate replacement, as outlined in the following documentation:

Managing Certificates

When you attempt to replace the existing certificate with a new one for the NS Web Site, the "Select Certificate" dialog opens, where you can import your new certificate. Then click "Import"; after the new certificate has been imported, its thumbprint will appear in the "Select Certificate" dialog as seen here:

Then choose the newly imported certificate and click the "OK" button.

Now you will see the message "Certificate replacement started". At this point the previous certificate has not yet been replaced by the newly provided certificate for the NS Web Site: the old certificate is still being used until you click the "Finalize" button, after which the new certificate will be assigned to the NS Web Site.

NOTE: The warning message seen in the screenshot below shows the number of managed client computers that have already installed this new certificate and the number that have not installed it yet. If you click "Finalize" before all the machines have received the new certificate, the computers without the new certificate installed will lose their connection with the Notification Server via HTTPS.

From this page you can copy the newly imported certificate's thumbprint and go to the "Computers having (or without) a Certificate" report to identify which computers do not have this certificate installed yet:

While the new certificate replacement isn't yet finalized on the "Certificate Management" page, the default "NS Communication" profile contains both the old certificate and the newly imported certificate:

You need to make sure that all required managed client computers have received the latest policies and sent their own Basic Inventory to the Notification Server, then re-check the "Computers having (or without) a Certificate" report. Once you have confirmed that all required computers have received the new certificate, you can click the "Finalize" button on the "Certificate Management" page. Once the "Finalize" button has been clicked, the old certificate will be removed from the Notification Server Communication profile, and only the new certificate will be available there as well as in the NS Web Site in IIS Manager.
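
A read-only check you can run on the SMP server before and after clicking "Finalize" to see which certificate the NS Web Site's HTTPS binding actually presents. This is an added example, not part of the original article or of ITMS; the site name `Default Web Site` is an assumption and the thumbprint is a placeholder to replace with the value copied from the "Certificate Management" page.

```powershell
# Added example: reports the certificate bound to the NS Web Site in IIS.
# It only reads configuration; it never changes a binding.
param(
    [string]$SiteName      = 'Default Web Site',       # assumption: IIS site hosting NS
    [string]$NewThumbprint = '<NEW-CERT-THUMBPRINT>'   # placeholder: copy from Certificate Management
)

Import-Module WebAdministration

# Thumbprints copied from dialogs often carry spaces or hidden characters.
$expected = ($NewThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

$bindings = @(Get-WebBinding -Name $SiteName -Protocol 'https')
if ($bindings.Count -eq 0) {
    throw "No HTTPS binding found on site '$SiteName'."
}

foreach ($b in $bindings) {
    $hash  = ([string]$b.certificateHash).ToUpperInvariant()
    $store = [string]$b.certificateStoreName
    if ([string]::IsNullOrEmpty($store)) { $store = 'My' }   # default store when none is recorded

    # Look the bound certificate up in the machine store to read its expiry date.
    $cert = $null
    if ($hash) {
        $cert = Get-Item -Path "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue
    }
    $notAfter = $null
    $daysLeft = $null
    if ($cert) {
        $notAfter = $cert.NotAfter
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }

    [pscustomobject]@{
        Binding    = $b.bindingInformation
        Thumbprint = $hash
        Store      = $store
        NotAfter   = $notAfter
        DaysLeft   = $daysLeft
        IsNewCert  = ($hash -eq $expected)   # False is expected until "Finalize" has been clicked
    }
}
```

If `IsNewCert` is still `False` after finalizing, review the "Certificate Management" page rather than editing the binding in IIS Manager.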