How to replace the certificate used by ESM

How to replace the certificate used by ESM

10184
Created On 03/04/19 09:21 AM - Last Modified 02/19/20 16:32 PM


Objective


This article is to show you how to replace the certificate bound with ESM services for both ESM console and cores without reinstallation.

Environment


This article applies to when you would like to replace the current using certificate of ESM Console and Core, like certificate renewal, URL change.

Procedure


Please make sure you have following ready:

  1. The new certificate with its private key bundle.
  2. Administrator privilege access to all ESM servers.
  3. The new certificate should be signed by a CA that is trusted by all client agent machines.(Otherwise, you may lose agents' connections after replacing)



Import the new certificate&key bundle to the system's computer account certificate store. Do it on all ESM servers.


1. Launch MMC (mmc.exe).
2. Choose File -> Add/Remove Snap-ins.
3. Choose Certificates, then choose Add.
4. Choose Computer account, Click on Next.
5. Select Local computer, Click on Finish, OK.
6. Expand Certificates->Personal->Certificates. You will see several existing certificate including currently using one.
User-added image

7. Right-click on Certificate, select All Tasks, click on import.
User-added image

8. Follow the Import Wizard to import the new certificate&key bundle.
9. You may want to specify the Friendly Name filed of the imported certificate by right click on the newly imported certificate and click on properties. (So that you can easily find it in IIS management tool later)
User-added image

10. Take a note on the Thumbprint of the new certificate by double click opening it.
User-added image


Change the certificate binding for the ESM console server.


11. Launch IIS Manager, expand to Default Web Site.
User-added image

12. Click on Bindings... From Actions box on the right.
13. Edit the https bindings. Change the SSL certificate to the new one.(you can see the friendly name you set in step 9). Click on OK, close.
User-added image

14. Now you can visit your ESM console to check if the certificate is changed.
User-added image


Change the binding for ESM Core server, service port 2125.


15. Run cmd.exe as administrator. Checking the current certificate binding with the command below. Note that the Certificate Hash indicates the Thumbprint of the certificate. You may notice the one for port 443 has changed since we have changed binding from IIS.
>netsh http show sslcert
User-added image

16. Use the command below to delete the current certificate binding for port 2125.
>netsh http delete sslcert ipport=0.0.0.0:2125
User-added image

17. Use command below to add new binding with new certificate. ReplaceĀ CERTIFICATE_HASH_HEREĀ with actual new certificate hash.(you can either copy hash for port 443 or the note you made in step 10. No space in the string)
> netsh http add sslcert ipport=0.0.0.0:2125 certhash=CERTIFICATE_HASH_HERE appid={935e55e3-8b9d-4b95-954c-423626f887f9} clientcertnegotiation=enable
User-added image

18. Now you can go to an agent to perform a check in to verify if the connection is fine.


Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boG9CAI&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail