Version
7.2.1
Issue
Windows XPe agents no longer connect to the server after upgrading the server to 7.2.1.
Symptoms
Connection tests to server pass.
Trace.bt9 shows the following error:
Server Communication: WaitForResponse End: m_bIsSleeping[0] IsSleeping[0] GetHttpStatus[0] GetWinHttpError[2] GetSslError[-2147483648] DataAvailable[0]
Server Communication: WaitForResponse: WAIT_OBJECT_DATA_AVAILABLE_EVENT
Server Communication: WinHTTP communication error: 12175
WinHTTP error 12175 is ERROR_WINHTTP_SECURE_FAILURE: the TLS handshake failed because the client could not validate the server certificate, even though plain connectivity to the server is fine.
Cause
The 7.2.1 server certificate is signed with SHA-256, and Windows XPe cannot validate SHA-256 signatures, so the agent rejects the certificate and the TLS handshake fails. XPe does accept SHA-1 signed certificates, but SHA-1 is deprecated for certificate signatures, so the workaround below is a compatibility measure for legacy XPe endpoints rather than a hardening step: replace the SHA-1 certificate with a SHA-256 one once those endpoints are retired.
Solution
A new server certificate signed with SHA-1 must be created manually and imported into the server. To do this, perform the following:
1) Obtain a copy of the Microsoft Windows SDK that matches the Windows version of the Bit9 Server.
2) Install only the .NET Development Tools component.
3) Copy "makecert.exe" and "pvk2pfx.exe" from C:\Program Files (x86)\Windows Kits\*\bin\x64 (where * is the Windows Kits version folder installed by the SDK) into a new folder.
4) Create a self-signed certificate:
a. makecert -n "CN=<Bit9 Server FQDN>,E=<Admin Email Address>,OU=<Org Dept>,O=<Company Name>,L=<City>,S=<State>,C=<CountryCode>" -pe -a sha1 -cy authority -r -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sv B9srv-new.pvk -sr LocalMachine -ss Root B9srv-new.cer
(-a sha1 selects the SHA-1 signature, -r makes the certificate self-signed, -eku 1.3.6.1.5.5.7.3.1 adds the Server Authentication usage, -pe marks the private key exportable so it can be bundled in step 5, and -sr LocalMachine -ss Root also places the certificate in the local machine's Trusted Root store.) The CN must be the server FQDN that the agents use to reach the server.
b. You will be prompted for passwords to protect the private key and the certificate; use the same password for each.
5) Convert it to PKCS#12 format (.PFX):
pvk2pfx.exe -pvk B9srv-new.pvk -spc B9srv-new.cer -pfx B9srv-new.pfx -po <password>
Note: -po sets the password on the new .PFX file; use the same password as in step 4. pvk2pfx prompts for the .pvk password unless it is supplied with -pi.
6) Install the certificate into the Bit9 server via the console (Administration -> System Configuration -> Security -> Import Server Certificate from PKCS12 file), then select the newly created .PFX file.
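The script below is an added example, not part of the original article or of the Bit9 product: it runs steps 4 and 5 unattended and then checks the resulting .PFX before step 6, because the workaround only helps XPe if the certificate really is SHA-1 signed, carries the server FQDN as CN, has the Server Authentication EKU and includes the private key. It assumes makecert.exe and pvk2pfx.exe were copied to the folder in $ToolDir in step 3, that it runs from an elevated PowerShell prompt on the Bit9 server, and that the FQDN, e-mail, subject fields and password are placeholders to be replaced.

```powershell
# Added example (not from the original KB article): steps 4 and 5 above plus a
# pre-import check of the .PFX. All values below are placeholders; adjust them.
$ServerFqdn = 'bit9srv.example.com'          # must be the name the agents connect to
$AdminEmail = 'admin@example.com'
$ToolDir    = 'C:\Tools\certtools'           # folder created in step 3
$Password   = 'ChangeMe-use-a-real-one'      # one password for .pvk and .pfx (step 4b)

$pvk = Join-Path $ToolDir 'B9srv-new.pvk'
$cer = Join-Path $ToolDir 'B9srv-new.cer'
$pfx = Join-Path $ToolDir 'B9srv-new.pfx'
$subject = "CN=$ServerFqdn,E=$AdminEmail,OU=IT,O=Example Corp,L=Springfield,S=MA,C=US"

# Step 4: self-signed, SHA-1 signed, Server Authentication EKU, exportable key.
# makecert still opens its password dialogs for the new .pvk; enter $Password there.
& (Join-Path $ToolDir 'makecert.exe') -n $subject -pe -a sha1 -cy authority -r -sky exchange `
    -eku 1.3.6.1.5.5.7.3.1 -sv $pvk -sr LocalMachine -ss Root $cer
if ($LASTEXITCODE -ne 0) { throw "makecert failed (exit code $LASTEXITCODE)" }

# Step 5: bundle key and certificate into PKCS#12. -pi is the .pvk password, -po the .pfx password.
& (Join-Path $ToolDir 'pvk2pfx.exe') -pvk $pvk -spc $cer -pfx $pfx -pi $Password -po $Password -f
if ($LASTEXITCODE -ne 0) { throw "pvk2pfx failed (exit code $LASTEXITCODE)" }

# Pre-import check. Returns a list of problems; an empty list means the .PFX is ready for step 6.
function Test-B9ServerCert {
    param([string]$PfxPath, [string]$PfxPassword, [string]$Fqdn)
    $securePw = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $securePw, $flags
    $problems = @()

    # The whole point of the workaround: XPe needs a SHA-1 signature.
    if ($cert.SignatureAlgorithm.FriendlyName -ne 'sha1RSA') {
        $problems += "signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), expected sha1RSA"
    }
    # Agents validate the server name against the subject CN.
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Fqdn) {
        $problems += "subject CN is '$cn', expected '$Fqdn'"
    }
    # 2.5.29.37 is the Extended Key Usage extension; 1.3.6.1.5.5.7.3.1 is serverAuth.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    if (-not $hasServerAuth) {
        $problems += 'Server Authentication EKU (1.3.6.1.5.5.7.3.1) is missing'
    }
    # Without the private key the server cannot terminate TLS with this certificate.
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key in the .PFX (check -pe on makecert and the -pvk path on pvk2pfx)'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "certificate expires on $($cert.NotAfter)"
    }
    return ,$problems
}

$issues = Test-B9ServerCert -PfxPath $pfx -PfxPassword $Password -Fqdn $ServerFqdn
if ($issues.Count -gt 0) {
    $issues | ForEach-Object { Write-Error $_ }
    throw "Do not import $pfx until the problems above are fixed."
}
Write-Host "$pfx is SHA-1 signed for $ServerFqdn; import it via Administration -> System Configuration -> Security."
```

Test-B9ServerCert can also be run on its own against a .PFX produced by hand with the commands in steps 4 and 5; an empty result means the file is ready for the console import in step 6. Because -sr LocalMachine -ss Root places the new certificate in the server's own Trusted Root store, remove it from there once the SHA-1 workaround is retired.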