joerockt Absent Member.

Expired SSL Cert

So we noticed the other day that remote control stopped working for all systems. Browsing through threads, I found that the issue may be a result of an expired SSL certificate. So I checked the certs on our W2K3 server and sure enough, the zcmSignedSSL.cer had expired on March 4th. Then it all came back, March 4th was the day I did the install. I followed this doc to create the certs:

Cool Solutions: AppNote: Installing ZENworks 10 Configuration Management using External Certificates

So now the question is, how do I renew this cert? And is there a way to renew for more than a year?
Anonymous_User Absent Member.

Re: Expired SSL Cert

joerockt,

>So now the question is, how do I renew this cert? And is there a way
>to renew for more than a year?

Normally I don't worry about "renews"; instead I just follow the same
process and gen a new certificate. The workstations should trust the new
cert and pick-up as before as long as the issuer (certificate chain) and
subject of the server certificate remains the same.

What Thirdparty Issuer are you using?

Or maybe you are talking about how to get the certificate into the system
once you have a signed certificate?

--
Jared Jennings
Senior Systems Engineer, Computer Integrated Services (CIS)
http://www.ciscony.com

My Blog and Wiki with Tips, Tricks, and Tutorials
http://jaredjennings.org
Twitter: @jaredljennings
joerockt Absent Member.

Re: Expired SSL Cert

I'm using OpenSSL. So do I need to revoke the license that's currently expired and generate a new one? How do I add the new cert into the system?
joerockt Absent Member.

Re: Expired SSL Cert

Really could use an answer here. Dead in the water with Remote Management. And now my policies are not updating for some reason as well. I tried using the password method of remote control, but nothing is applying to workstations (Yes, I did increment the version).

Anytime I refresh the agent I get this:

[Settings Module] [] [Settings could not be refreshed on the device. Service Manager returned null on a call to enumerate services.] [] []
joerockt Absent Member.

Re: Expired SSL Cert

Jared, in your doc above, you mentioned that once the files are created, the install will ask for these files:


The final three files are:

1. c:\SSL\zcmPrivate_key.der
2. c:\SSL\zcmSignedSSL.cer
3. c:\SSL\CA.cer

During the ZCM install, after selecting "External CA" Specify the Signed SSL Certificate and the Private Certificate.


On the following page of the install, specify the CA certificate "c:\ssl\CA.cer", which, remember, is also the ROOT certificate.



So how do I update these files now that I've generated a new cert?
joerockt Absent Member.

Re: Expired SSL Cert

So I found this thread that gives a command line option to update the cert:

How to change the DNS server name of your Primary ZCM server

Specifically: novell-zenworks-configure -c SSL -Z

Unfortunately, 2 issues:

The new cert doesn't match the old one, so on my test workstation, I had to do the following (also contained in the link above):

# Run the following command to force the device to be unregistered locally:
zac unr -f
You will be asked for a username and password - this is either the Administrator created by default or Administrator equivalent. Alternatively you can provide one in the command:
zac unr -f -u administrator -p password
(Useful for login scripts, batch files, etc)

# Clear the cache.
On Windows: Run the following command:
del "c:\program files\novell\zenworks\cache\zmd" /s
On Linux: Run the following command:
rm -rf /var/opt/novell/zenworks/zmd/cache

# Run the following command to register the device in the Management Zone:
zac reg https://ZENworks_Server_DNS_name
Again you will need to provide the password. You will also need to specify the port if you are not using 443.
zac reg https://ZENworks_Server_DNS_name:444 -u Administrator -p password
(Useful for login scripts, batch files, etc)

This replaces the server certificate in the local cache.


The second issue is that the cert is still only valid for 1 year. Does anyone know how to extend this?
joerockt Absent Member.

Re: Expired SSL Cert

So unless someone has an answer here, ZCM is completely worthless to me. It's bad enough I have to re-register workstations, but to do it once a year is insane.
Micro Focus Expert

Re: Expired SSL Cert

Best to ask in the OpenSSL Forum about making certs longer than a
year using OpenSSL.

ZCM's Certificate server are 10 years.

I don't think you really want to be using external certs w/o a really
good reason.

On 3/29/2011 5:06 PM, joerockt wrote:
>
> So unless someone has an answer here, ZCM is completely worthless to me.
> It's bad enough I have to re-register workstations, but to do it once a
> year is insane.
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!
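
Added example, not part of the original thread or of any poster's procedure: with OpenSSL the certificate lifetime is set by the CA at signing time with -days, and re-signing the same request keeps the subject and issuer identical, which is the condition Jared describes above. The CA, subject, serial numbers and file names below are constructed stand-ins for the thread's CA.cer and zcmSignedSSL.cer.

```shell
#!/bin/sh
# Added example. The CA, subject and file names are constructed stand-ins.
WORK=$(mktemp -d)
SUBJ="/O=Example Zone/CN=zcm.example.test"   # constructed server subject

# Throwaway root CA playing the role of CA.cer.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=Example Zone/CN=Example Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/CA.cer" 2>/dev/null
}

# Server key and signing request; the request fixes the subject.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/zcm.key" -out "$WORK/zcm.csr" 2>/dev/null
}

# sign_csr OUTFILE DAYS SERIAL: the CA chooses the lifetime with -days.
sign_csr() {
  openssl x509 -req -in "$WORK/zcm.csr" -CA "$WORK/CA.cer" \
    -CAkey "$WORK/ca.key" -set_serial "$3" -days "$2" -out "$1" 2>/dev/null
}

# identity FILE: print the subject and issuer lines of a certificate.
identity() { openssl x509 -in "$1" -noout -subject -issuer; }

# same_identity A B: succeed when subject and issuer are identical.
same_identity() { [ "$(identity "$1")" = "$(identity "$2")" ]; }

# valid_for FILE SECONDS: succeed if FILE is still valid SECONDS from now.
valid_for() { openssl x509 -in "$1" -noout -checkend "$2" >/dev/null; }

make_ca && make_csr
sign_csr "$WORK/old.cer" 365 1     # one-year certificate, as in the thread
sign_csr "$WORK/new.cer" 3650 2    # replacement signed for ten years
openssl verify -CAfile "$WORK/CA.cer" "$WORK/new.cer"
identity "$WORK/new.cer"
openssl x509 -in "$WORK/new.cer" -noout -enddate
```

Running valid_for with 2592000 (30 days) against a deployed certificate from a scheduled job flags an upcoming expiry before services that depend on it stop working.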
joerockt Absent Member.

Re: Expired SSL Cert

Ok, then maybe I've misunderstood something here. Are you saying that I should have installed with internal certificates? If so, how can I reverse this without having to reinstall ZCM?


craig_wilson;2090924 wrote:
Best to ask in the OpenSSL Forum about making certs longer than a
year using OpenSSL.

ZCM's Certificate server are 10 years.

I don't think you really want to be using external certs w/o a really
good reason.

On 3/29/2011 5:06 PM, joerockt wrote:
>
> So unless someone has an answer here, ZCM is completely worthless to me.
> It's bad enough I have to re-register workstations, but to do it once a
> year is insane.
>
>



--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
Micro Focus Expert

Re: Expired SSL Cert

Running "novell-zenworks-configure -c SSL -Z" and simply hitting "enter"
when it asks for a cert should build a new cert and make that server the CA.

I've used this process when customers have lost their CA w/o a backup.

There is nothing "wrong" with an External CA, but there generally needs
to be a reason to do so w/o adding much value. I'm not saying there is
never value, but the vast majority of installs use the internal CA with ZCM.



On 3/30/2011 1:06 PM, joerockt wrote:
>
> Ok, then maybe I've misunderstood something here. Are you saying that I
> should have installed with internal certificates? If so, how can I
> reverse this without having to reinstall ZCM?
>
>
> craig_wilson;2090924 Wrote:
>> Best to ask in the OpenSSL Forum about making certs longer than a
>> year using OpenSSL.
>>
>> ZCM's Certificate server are 10 years.
>>
>> I don't think you really want to be using external certs w/o a really
>> good reason.
>>
>> On 3/29/2011 5:06 PM, joerockt wrote:
>>>
>>> So unless someone has an answer here, ZCM is completely worthless to me.
>>> It's bad enough I have to re-register workstations, but to do it once a
>>> year is insane.
>>>
>>
>> --
>> Craig Wilson - MCNE, MCSE, CCNA
>> Novell Knowledge Partner
>>
>> Novell does not officially monitor these forums.
>>
>> Suggestions/Opinions/Statements made by me are solely my own.
>> These thoughts may not be shared by either Novell or any rational
>> human.
>


--
Craig Wilson - MCNE, MCSE, CCNA
Novell Knowledge Partner

Novell does not officially monitor these forums.

Suggestions/Opinions/Statements made by me are solely my own.
These thoughts may not be shared by either Novell or any rational human.
--
Please give a hearty thumbs up to any post you find helpful!
To find articles by Craig Wilson simply follow the link: Craig Wilson's Tips!