4.4 Replacing an External Server Certificate with a New External Server Certificate Issued by a Different Certificate Authority

  1. If you want to change your zone certificate authority, take a reliable backup of the following on all Primary Servers in the Management Zone:

  2. Create a server certificate by using the new certificate authority for each Primary Server in the zone by providing the fully qualified DNS (FQDN) of the Primary Server as the subject.

    For more information on how to create a CSR, see Creating an External Certificate in the ZENworks 11 Server Installation Guide.

  3. At the console prompt of a Primary Server, run the following command:

    zman sacert Path_of_the_Primary_Server_in_ZENworks_Control_Center Path_of_Primary_Server_Certificate

    For more information about zman, view the zman man page (man zman) on the device or see zman(1) in the ZENworks 11 Command Line Utilities Reference.

    This adds the certificate of the Primary Server that you specified in the command to the ZENworks database and certificate store.

    NOTE:You must run the command for each Primary Server whose certificate you want to replace.

  4. Refresh all the devices, including the Primary Servers, in the zone.

    The Primary Server certificates that were imported in Step 3 are sent to the devices as configuration data.

  5. Import the root certificate of the new certificate authority into the trusted store on all the devices in the zone through the zac cert-info command. You can choose to execute the command in one of the following ways:

  6. Enforce the new certificates on the zone by running the following command on any Primary Server whose DNS name is changed:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.

  7. Restart all the ZENworks services on all the Primary Servers in the zone by running the following command at the console prompt of each Primary Server in the zone:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  8. Refresh all the devices, including the Primary Servers, in the zone.

    If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:

    zac retr -u zone_administrator_username -p zone_administrator_password

  9. Configure the Satellites with the new external certificates by entering the following command at the Satellite's prompt:

    zac iac -pk private-key.der -c signed-server_certificate.der -ca signing-authority-public-certificate.der -ks keystore.jks -ksp keystore-pass-phrase -a signed-cert-alias -ks signed-cert-passphrase -u username -p password -rc

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 11 Command Line Utilities Reference.

  10. Re-create all the default and custom deployment packages for all the Primary Servers:

    • Default Deployment Packages: At the console prompt of each Primary Server in the zone, enter the following command:

      novell-zenworks-configure -c CreateExtractorPacks -Z

    • Custom Deployment Packages: At the console prompt of each Primary Server in the zone, enter the following command:

      novell-zenworks- configure -c RebuildCustomPacks -Z

  11. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks 11 Out-of-Band Management Reference.

NOTE:Because ZENworks and ZENworks Reporting Server use the same certificate, the ZENworks Reporting Server Tomcat server must be configured when the ZENworks certificate is changed. For information on how to configure the ZENworks Reporting Server, see Section 4.5, Configuring the ZENworks Reporting Server Tomcat Server When the ZENworks Certificate Changes.