36.0 Reconfiguring a Zone Certificate After It Expires

ZENworks prompts you to change your ZENworks zone certificate 90 days before the expiration of the certificate. The following warning message is displayed for each administrator once every 24 hours when the administrator logs in to ZENworks Control Center:

The certificate on hostname_of_the_device will expire in number_of_days days.

The message is displayed for every server and zone whose certificate is about to expire.
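To track the same 90-day window without depending on an administrator logging in to ZENworks Control Center, the following script classifies a certificate with openssl. It is an added example, not part of the ZENworks documentation or tooling. It assumes the server certificate has been exported to a PEM file; the function names, WARN_DAYS and the sample certificate are constructed for this example.

```shell
#!/bin/sh
# Added example: classify a PEM certificate against the 90-day warning window.
# Assumption: the Primary Server certificate has been exported to a PEM file.
# cert_status, make_sample_cert and WARN_DAYS are names made up for this example.

WARN_DAYS=90

# Prints "expired", "expiring" (inside the warning window) or "ok".
# Prints "unreadable" and returns 2 if the file is not a parsable certificate.
cert_status() {
    pem=$1
    days=${2:-$WARN_DAYS}
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "unreadable"
        return 2
    fi
    # -checkend N exits 0 when the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
    elif ! openssl x509 -in "$pem" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "expiring"
    else
        echo "ok"
    fi
}

# Constructed sample input: a throwaway self-signed certificate valid for $1 days,
# written to $2 (private key to $2.key). Not a ZENworks certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=primary.example.test" \
        -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Usage: sh check_cert.sh /path/to/exported_cert.pem [warning_days]
if [ $# -gt 0 ]; then
    cert_status "$1" "${2:-$WARN_DAYS}"
fi
```

Run from a scheduler, an "expiring" result leaves time to replace the certificate before the communication between Primary Servers and managed devices breaks down.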

If you do not change your zone certificate before it expires, the communication between Primary Servers and managed devices breaks down, and the managed devices fail to receive new assignments and policies. To reestablish the communication, you have to re-create the certificate. ZENworks allows you to re-create the certificates in the following scenarios:

  • Changing the zone certificate from internal to external

  • Replacing an internal server certificate with a new internal server certificate

  • Replacing an external server certificate with a new external server certificate issued by the same certificate authority

  • Replacing an external server certificate with a new external server certificate issued by a different certificate authority

You use the same procedure to re-create the certificates in all the scenarios.

The information provided in this section is applicable for Windows and Linux platforms.

IMPORTANT: ZENworks 11 currently does not support changing the external certificate to an internal certificate on Primary Servers.

To replace a zone certificate after it expires:

  1. Before replacing an internal server certificate with a new internal server certificate, take a reliable backup of the following on all the Primary Servers in the Management Zone:

    • Content-Repo Directory: The content-repo directory is located by default in the ZENworks_installation_directory\work directory on Windows and in the /var/opt/novell/zenworks/ directory on Linux.

      Ensure that the images directory located within the content-repo directory has been successfully backed up.

    • Certificate Authority: For detailed information on how to back up the certificate authority, see Section 32.3, Backing Up the Certificate Authority.

    • Embedded Database: For detailed information on how to back up the embedded database, see Section 29.3, Backing Up the Embedded Sybase SQL Anywhere Database.

  2. Reconfigure the certificate on the Primary Server whose certificate has expired by entering the following command at the server’s command prompt:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.

  3. Restart all the ZENworks services by running the following command:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  4. Reestablish the certificate trust on all the devices registered to the Primary Server whose certificate has expired by running the following command on all such devices, including the Primary Server:

    zac retr -u zone_administrator_username -p zone_administrator_password

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 11 Command Line Utilities Reference.

  5. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks 11 Out-of-Band Management Reference.