logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How to Replace Server Certificate in Version 8.x and Higher

App Control: How to Replace Server Certificate in Version 8.x and Higher

Environment

  • App Control Console: All Supported Versions

Objective

To replace the App Control Server certificate used for Agent communication.

Resolution

If using a Self-signed Certificate:
  1. Login to the App Control Console > gear icon > System Configuration.
  2. From System Configuration tab: navigate to: Security > Current Server Certificate > Edit.
  3. Make any necessary updates (such as previous server name, "Valid For" period, etc)
  4. Click Generate.

If using a certificate issued by a Certificate Authority (CA):
  1. Obtain the new, unexpired CA issued certificate for the App Control Server.
  2. Login to the App Control Console > gear icon > System Configuration.
  3. From System Configuration tab: navigate to: Security > Import Server Certificate From PKCS12 File > Browse...
  4. Locate the certificate file, specify the Password and click Import.

After Updating Agent Server Certificate:
  1. If using an alternate RDL verify the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
  2. It is likely that the certificate bound to Port 443 in IIS is also expired and will need to be updated at this time.

Additional Notes

  • The same certificate used for Agent/Server Communications can be used in IIS.
  • Newly generated certificates can be found on the local certificate manager of the application server server.
  • Warning message seen in App Control Console: Server certificate has expired. Agents will not be able to connect to the server
  • App Control uses an SSL certificate to verify agent to server communication.   This certificate is set (by default) to expire after two years, and needs to be regenerated
  • The Edit button will be missing if Certificate Verification is enabled. Refer to Related Content if it needs to be disabled
  • Please confirm there are no spaces in the "Department" field of the self-signed certificate, otherwise the new certificate will not generate and an error regarding the parameters will occur The existing certificate will also be invalidated upon error
  • If the clock is off on the App Control server when regenerated a GetSslError[32] error may be seen and the clock may need to be fixed and cert regenerated

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
100% helpful (2/2)
Article Information
Author:
CB_Support
Creation Date:
‎09-21-2018
Views:
8823
Contributors
logo