35.2 Replacing an Internal Server Certificate with a New Internal Server Certificate

If the internal server certificate of your Windows or Linux Primary Server has expired or if the server certificate key pair has been compromised, you can choose to replace the certificate with a new internal server certificate.

  1. Before replacing an internal server certificate with a new internal server certificate, take a reliable backup of the following on all Primary Servers in the Management Zone:

    • Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ directory on Linux.

      Ensure that the images directory located within the content-repo directory has been successfully backed up.

    • Certificate Authority: For detailed information on how to back up the certificate authority, see Section 32.3, Backing Up the Certificate Authority.

    • Embedded Database: For detailed information on how to back up the embedded database, see Section 29.3, Backing Up the Embedded Sybase SQL Anywhere Database.

  2. Reconfigure the certificate on the Primary Server whose certificate has expired by entering the following command at the server’s command prompt:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.

  3. Restart all the ZENworks services by running the following command:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  4. Reestablish the certificate trust on all the devices registered to the Primary Server whose certificate has expired by running the following command on all of the devices:

    zac retr -u zone_administrator_username -p zone_administrator_password

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 11 Command Line Utilities Reference.

  5. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks 11 Out-of-Band Management Reference.
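A check that can be run between steps 3 and 4, given here as an added example that is not part of the ZENworks documentation: it compares the certificate the Primary Server presented before step 2 with the one it presents after the restart, and confirms that the certificate and (for the compromised-key case) the key pair both changed. It assumes the openssl command-line tool is installed; the function names, file names, host name and port are hypothetical.

```shell
#!/bin/sh
# Added example, not ZENworks code. Capture the served certificate before
# step 2 and again after step 3, for example (host and port are placeholders):
#   openssl s_client -connect primary.example.com:443 </dev/null 2>/dev/null \
#     | openssl x509 -outform PEM > before.pem

# SHA-256 fingerprint of the certificate in PEM file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 digest of the PEM-encoded public key carried by the certificate in $1.
pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds if the certificate in $1 is still valid $2 seconds from now (default 0).
cert_unexpired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# check_replacement OLD.pem NEW.pem
# Returns 0 = new certificate on a new key pair, 1 = old certificate still
# served, 2 = new certificate reuses the old key pair, 3 = new one is expired.
check_replacement() {
    old=$1
    new=$2
    if [ "$(cert_fingerprint "$old")" = "$(cert_fingerprint "$new")" ]; then
        echo "UNCHANGED: server still presents the old certificate"
        return 1
    fi
    if [ "$(pubkey_digest "$old")" = "$(pubkey_digest "$new")" ]; then
        echo "SAME KEY: certificate was reissued over the old key pair"
        return 2
    fi
    if ! cert_unexpired "$new"; then
        echo "EXPIRED: the new certificate is not currently valid"
        return 3
    fi
    echo "OK: new key pair, valid until $(openssl x509 -in "$new" -noout -enddate | cut -d= -f2)"
}
```

A result of 1 means the services are still serving the old certificate, and a result of 2 matters when the old key pair was compromised, because devices that reestablish trust would then trust a certificate bound to the same key.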

NOTE: Because ZENworks and ZENworks Reporting Server use the same certificate, the ZENworks Reporting Server Tomcat server must be configured when the ZENworks certificate is changed. For information on how to configure the ZENworks Reporting Server, see Section 35.5, Configuring the ZENworks Reporting Server Tomcat Server When the ZENworks Certificate Changes.