4.2 Replacing an Internal Server Certificate with a New Internal Server Certificate

If the internal server certificate of your Windows or Linux Primary Server has expired or if the server certificate key pair has been compromised, you can choose to replace the certificate with a new internal server certificate.

  1. Before replacing an internal server certificate with a new internal server certificate, take a reliable backup of the following on all Primary Servers in the Management Zone:

  2. Enforce the new certificates on the zone by running the following command on the Primary Server with CA role:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.


    • If only the Server Certificate is expired, then select option 1 for reminting just the server certificate.

    • If both the Server Certificate and Certificate Authority are expired, then select option 2 for reminting both Certificate Authority and Primary Server certificates.

  3. Restart all the ZENworks services on all the Primary Servers in the zone by running the following command at the console prompt of each Primary Server in the zone:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  4. Ensure that DNS is properly configured for the Primary Servers, so that server host names get resolved. For DNS resolution requirements, see DNS Resolution in the ZENworks 11 SP3 System Requirements.

    Run the following commands in the same sequence:

    novell-zenworks-configure -Z -c MergeTruststore

    novell-zenworks-configure -c EnableJMX

    novell-zenworks-configure -c ZenProbe

  5. Refresh all the devices, including the Primary Servers, in the zone.

    If only one Primary Server certificate was changed, the CA certificate was not changed, and there is more than one Primary Server in the zone, refreshing the Server, Satellites, and managed devices allows the agent to trust the new server certificate. Devices also refresh automatically on the next scheduled refresh.

    If the CA certificate was changed, or if there is only one Primary Server in the zone, then the Primary Servers, Satellites, and managed devices need to run zac retr to reestablish the trust.

    If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:

    zac retr -u zone_administrator_username -p zone_administrator_password

  6. Configure the Authentication Satellites with the new certificates by entering the following command at the Satellite's prompt:

    On Windows: zac authentication server reconfigure (asr) -t all

    On Linux: zac remint-satellite-cert (rsc)

  7. Re-create all the default and custom deployment packages for all the Primary Servers:

    • Default Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks-configure -c CreateExtractorPacks -Z command.

    • Custom Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks-configure -c RebuildCustomPacks -Z command.

  8. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks 11 SP3 Out-of-Band Management Reference.

  9. (Conditional) If multizone is configured with the server whose certificate has been replaced as the Publisher, then update the new certificate of this server for all its Subscribers. Perform the following to update the new certificate:

    1. Log in to ZENworks Control Center (ZCC) of subscribers.

    2. Navigate to Subscribe And Share > Subscriptions > <subscription_name> > Remote Server > Update Certificate.

    3. Update the certificate.

NOTE: Because ZENworks and ZENworks Reporting do not use the same certificate, ZENworks Reporting does not require any configuration changes if the ZENworks certificate is changed. However, if you want to replace the certificate of ZENworks Reporting with the new certificate, you must run the ZENworks Reporting Configuration Tool.

For more information, see ZENworks Reporting Configuration Tool in the ZENworks Reporting 5 System Reference.
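
A post-replacement check for the procedure above, added here as an example (it is not part of the ZENworks documentation or tooling): for each Primary Server it confirms that the host name resolves (step 4), that the served certificate validates against the zone CA only, and how many days remain before it expires. It assumes the Primary Servers serve HTTPS on port 443 and that the zone CA certificate has been exported to a PEM file; the host names and the `zone-ca.pem` path are hypothetical.

```python
import socket
import ssl
import time

def days_left(peercert, now=None):
    """Days until notAfter of a dict returned by SSLSocket.getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(peercert["notAfter"]) - now) // 86400)

def issuer_cn(peercert):
    """commonName of the issuer, to confirm which CA signed the certificate."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def check_server(host, ca_pem, port=443, warn_days=30, timeout=5):
    """Return (status, detail) for one Primary Server after the remint."""
    try:
        socket.getaddrinfo(host, port)               # step 4: name must resolve
    except socket.gaierror as exc:
        return "DNS_FAIL", str(exc)
    ctx = ssl.create_default_context(cafile=ca_pem)  # trust only the zone CA
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # The handshake checks chain, validity dates and host name match.
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "UNTRUSTED", exc.verify_message       # old CA, expired, wrong name
    except OSError as exc:
        return "CONNECT_FAIL", str(exc)
    remaining = days_left(cert)
    status = "OK" if remaining > warn_days else "EXPIRING"
    return status, f"issuer={issuer_cn(cert)} days_left={remaining}"

if __name__ == "__main__":
    # Hypothetical host names and CA path; replace with your zone's values.
    for server in ("zen-primary1.example.com", "zen-primary2.example.com"):
        print(server, *check_server(server, "zone-ca.pem"))
```

An UNTRUSTED result after the CA was reminted usually means the PEM file still holds the old CA certificate, or the server has not yet been restarted with the new certificate.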