How to replace the certificate used by ESM
10313
Created On 03/04/19 09:21 AM - Last Modified 02/19/20 16:32 PM
Objective
This article shows how to replace the certificate bound to the ESM services, for both the ESM console and the ESM cores, without reinstalling.
Environment
This article applies when you need to replace the certificate currently used by the ESM Console and Core, for example for a certificate renewal or a URL change.
Procedure
Please make sure you have the following ready:
- The new certificate with its private key bundle.
- Administrator privilege access to all ESM servers.
- The new certificate should be signed by a CA that is trusted by all client agent machines. (Otherwise you may lose the agents' connections after replacing it.)
Import the new certificate and key bundle into the system's computer account certificate store. Do this on all ESM servers.
1. Launch MMC (mmc.exe).
2. Choose File -> Add/Remove Snap-ins.
3. Choose Certificates, then choose Add.
4. Choose Computer account, click on Next.
5. Select Local computer, click on Finish, then OK.
6. Expand Certificates->Personal->Certificates. You will see several existing certificates, including the one currently in use.
7. Right-click on Certificates, select All Tasks, click on Import.
8. Follow the Import Wizard to import the new certificate and key bundle.
9. You may want to set the Friendly Name field of the imported certificate by right-clicking on the newly imported certificate and clicking on Properties. (So that you can easily find it in the IIS management tool later.)
10. Take note of the Thumbprint of the new certificate by double-clicking to open it.
Change the certificate binding for the ESM console server.
11. Launch IIS Manager, expand to Default Web Site.
12. Click on Bindings... in the Actions box on the right.
13. Edit the https binding. Change the SSL certificate to the new one (you can see the friendly name you set in step 9). Click on OK, then Close.
14. Now you can visit your ESM console to check that the certificate has changed.
Change the binding for ESM Core server, service port 2125.
15. Run cmd.exe as administrator. Check the current certificate binding with the command below. Note that the Certificate Hash is the Thumbprint of the certificate. You may notice the one for port 443 has already changed, since we changed that binding from IIS.
>netsh http show sslcert
16. Use the command below to delete the current certificate binding for port 2125.
>netsh http delete sslcert ipport=0.0.0.0:2125
17. Use the command below to add the new binding with the new certificate. Replace CERTIFICATE_HASH_HERE with the actual new certificate hash (you can either copy the hash for port 443 or use the note you made in step 10; no spaces in the string).
>netsh http add sslcert ipport=0.0.0.0:2125 certhash=CERTIFICATE_HASH_HERE appid={935e55e3-8b9d-4b95-954c-423626f887f9} clientcertnegotiation=enable
18. Now you can go to an agent and perform a check-in to verify that the connection is fine.
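The whole procedure above (steps 1 to 17, plus a local check of what each port now presents) can be scripted so that it is repeated identically on every ESM server. The following PowerShell is an added example and is not part of the original article or the ESM product; it assumes a PFX bundle path and a friendly name of your choosing, and takes the site name "Default Web Site", the core port 2125 and the appid GUID from the article. It must run in an elevated session on each ESM server.

```powershell
# Added example, not from the original article. Assumptions are marked below.
#Requires -RunAsAdministrator
Import-Module PKI
Import-Module WebAdministration

$PfxPath      = 'C:\certs\esm-new.pfx'                     # assumption: your new certificate + key bundle
$PfxPassword  = Read-Host -AsSecureString 'PFX password'
$FriendlyName = 'ESM renewed certificate'                  # assumption: any label you will recognise in IIS
$SiteName     = 'Default Web Site'                         # from the article (step 11)
$CoreIpPort   = '0.0.0.0:2125'                             # from the article (step 16)
$AppId        = '{935e55e3-8b9d-4b95-954c-423626f887f9}'   # from the article (step 17)

# Steps 1-10: import into the computer account's Personal store, label it, record the thumbprint.
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' -Password $PfxPassword
$cert.FriendlyName = $FriendlyName
$thumb = $cert.Thumbprint          # no spaces, exactly what netsh expects as certhash
Write-Host "Imported $($cert.Subject), thumbprint $thumb, valid until $($cert.NotAfter)"

# Checks before touching any binding: without a private key HTTP.sys cannot serve the
# certificate, and a chain this server does not trust is a hint that agents will not either.
if (-not $cert.HasPrivateKey) { throw 'The imported certificate has no private key; re-export the bundle with its key.' }
if (-not $cert.Verify())      { Write-Warning 'This server does not trust the new certificate chain; confirm the agents do before continuing.' }

# Steps 11-13: point every https binding of the console site at the new certificate.
$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if ($bindings.Count -eq 0) { throw "No https binding found on '$SiteName'." }
foreach ($b in $bindings) { $b.AddSslCertificate($thumb, 'my') }

# Steps 15-17: re-create the HTTP.sys binding for the core port.
function Get-HttpSysCertHash([string]$IpPort) {
    # Returns the 'Certificate Hash' netsh reports for one binding, or $null if none exists.
    $line = netsh http show sslcert ipport=$IpPort | Select-String 'Certificate Hash'
    if ($line) { return ($line.Line -split ':', 2)[1].Trim() }
    return $null
}
Write-Host "Core binding before: $(Get-HttpSysCertHash $CoreIpPort)"
netsh http delete sslcert ipport=$CoreIpPort | Out-Null
netsh http add sslcert ipport=$CoreIpPort certhash=$thumb appid=$AppId clientcertnegotiation=enable | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed; the core port currently has no binding.' }
Write-Host "Core binding after:  $(Get-HttpSysCertHash $CoreIpPort)"

# Local verification: open a TLS session to each port and compare the certificate the
# server actually presents with the thumbprint we just bound.
function Get-PresentedThumbprint([string]$TargetHost, [int]$Port) {
    # The callback accepts any certificate only so the handshake completes for inspection
    # (we connect to localhost, so the name will not match); the thumbprint comparison
    # done by the caller is the real check.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $client = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($TargetHost)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $remote.Thumbprint
    } finally {
        $client.Close()
    }
}
foreach ($port in 443, 2125) {
    $seen = Get-PresentedThumbprint 'localhost' $port
    if ($seen -eq $thumb) { Write-Host "Port $port presents the new certificate." }
    else { Write-Warning "Port $port still presents $seen; re-check that binding." }
}
```

The `clientcertnegotiation=enable` setting asks the client for a certificate but does not require one, so the inspection handshake from the script completes without an agent certificate; step 18, an actual agent check-in, is still the confirmation that matters. Comparing the presented thumbprint against `$thumb` rather than just checking that the port answers catches the common failure where the IIS binding was changed but the `netsh` binding for 2125 was left on the old certificate.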