logo

Knowledge Base

Access official resources from Carbon Black experts

Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

App Control: How to Replace Server Certificate in Version 8.x and Higher

App Control: How to Replace Server Certificate in Version 8.x and Higher

Environment

  • App Control Console: All Supported Versions

Objective

To replace the App Control Server certificate used for Agent communication.

Resolution

If using a Self-signed Certificate:
  1. Login to the App Control Console > gear icon > System Configuration.
  2. From System Configuration tab: navigate to: Security > Current Server Certificate > Edit.
  3. Make any necessary updates (such as previous server name, "Valid For" period, etc)
  4. Click Generate.

If using a certificate issued by a Certificate Authority (CA):
  1. Obtain the new, unexpired CA issued certificate for the App Control Server.
  2. Login to the App Control Console > gear icon > System Configuration.
  3. From System Configuration tab: navigate to: Security > Import Server Certificate From PKCS12 File > Browse...
  4. Locate the certificate file, specify the Password and click Import.

After Updating Agent Server Certificate:
  1. The previous Communication Certificate will be displayed in the Current Server Certificate Details for 60 minutes.
  2. If using an alternate RDL verify the updated TrustedCertList.pem file is copied from \Parity Server\hostpkg\ accordingly.
  3. It is likely that the certificate bound to Port 443 in IIS is also expired and will need to be updated at this time.

Additional Notes

  • The same certificate used for Agent/Server Communications can be used in IIS.
  • The new Agent Communication Certificate will automatically be added to the Trusted Certificates List, with the Trust status as Yes. 
  • In order to remove Trust for the current Agent Communication Certificate, it must first be replaced.
  • There is no option to generate a Certificate Signing Request (CSR) within the Console. Work with the relevant Certificate Authority to obtain a CSR, if required.
  • Newly generated certificates can be found in the local certificate manager of the application server.
  • The Edit button will be missing if Certificate Verification is enabled. Refer to Related Content if it needs to be disabled
  • If the clock is off on the App Control server when regenerated a GetSslError[32] error may be seen and the clock may need to be fixed and cert regenerated

Related Content


Labels (1)
Labels:
Tags (2)
Was this article helpful? Yes No
100% helpful (2/2)
Article Information
Author:
CB_Support
Creation Date:
‎09-21-2018
Views:
11767
Contributors
logo