Replace the Server Certificate
search cancel

Replace the Server Certificate

book

Article ID: 286687

calendar_today

Updated On:

Products

Carbon Black App Control (formerly Cb Protection)

Issue/Introduction

Steps to replace or update the Server certificate used for Agent communication.

Environment

  • App Control Console: All Supported Versions

Resolution

Please Note Prior To Replacing The Communication Certificate:
  • Server 8.9.4 and higher includes a Certificate Delay Swap feature which will show the old Communication Certificate for a period of time before swapping the new one.
  • Server 8.10.2 includes several Communication Certificate enhancements.
  • Server 8.10.2 also includes an Update Schedule option. It is recommended to use the expiration date of the current certificate.
  • The Update Schedule chosen will determine the Certificate Delay Swap.
  • Replacing the Communication Certificate could cause temporary Console performance issues under certain circumstances.



If using a Self-signed Certificate:

  1. Log in to the App Control Console > gear icon > System Configuration.
  2. From System Configuration tab: navigate to: Security > Current Server Certificate > Edit.
  3. Make any necessary updates (such as previous server name, "Valid For" period, etc)
  4. Click Generate.


If using a certificate issued by a Certificate Authority (CA):

  1. Obtain the new, unexpired CA issued certificate for the Server.
  2. Log in to the App Control Console and navigate to: Settings > System Configuration > Security.
  3. In the section: Import Server Certificate From PKCS12 File > click Browse...
  4. Locate the certificate file and specify the Password.
    • If on Server 8.10.2+ specify the relevant Certificate Update Schedule
  5. Click Import.


After Updating Agent Server Certificate:

  1. The previous Communication Certificate will be displayed in the Current Server Certificate Details for the duration specified in the Update Schedule.
  2. If using an alternate RDL verify the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
  3. It is likely that the certificate bound to Port 443 in IIS is also expired and will need to be updated at this time as well.

Additional Information

  • The same certificate used for Agent/Server Communications can be used in IIS.
  • A PFX or PKCS#12 Certificate File is required when uploading, as the App Control Server will require all elements of the Chain of Trust for the Certificate.
  • There is no option to generate a Certificate Signing Request (CSR) within the Console. Work with the relevant Certificate Authority to obtain a CSR, if required.
  • The new Agent Communication Certificate will automatically be added to the Trusted Certificates List, with the Trust status as Yes.
  • In order to remove Trust for the current Agent Communication Certificate, it must first be replaced.
  • Newly generated certificates can be found in the Local Certificate Manager of the application server.
  • If the clock is off on the App Control server when regenerated a GetSslError[32] error may be seen and the clock may need to be fixed and cert regenerated