4.3 Replacing an External Server Certificate with a New External Server Certificate Issued by the Same Certificate Authority

  1. Before replacing an external server certificate with a new external server certificate that is issued by the same certificate authority, take a reliable backup of the following on all Primary Servers in the Management Zone:

  2. Create a certificate signing request (CSR) by providing the hostname of the Primary Server as the subject.

    For more information on how to create a CSR, see Creating an External Certificate (Windows) or Creating an External Certificate (Linux).

  3. At the console prompt of a Primary Server, run the following command:

    zman sacert Path_of_the_Primary_Server_in_ZENworks_Control_Center Path_of_Primary_Server_Certificate

    For more information about zman, view the zman man page (man zman) on the device or see zman(1) in the ZENworks 11 SP3 Command Line Utilities Reference.

    This adds the certificate of the Primary Server that you specified in the command to the ZENworks database and certificate store.

    NOTE: You must run the command for each device whose certificate you want to replace.

  4. Refresh all the devices, including the Primary Servers, in the zone.

    The Primary Server certificates that were imported in Step 3 are sent to the devices as configuration data.

  5. Enforce the new certificates on the zone by running the following command on any Primary Server:

    novell-zenworks-configure -c SSL -Z

    Follow the prompts.

  6. Restart all the ZENworks services on all the Primary Servers in the zone by running the following command at the console prompt of each Primary Server in the zone:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  7. Ensure that DNS is properly configured for the Primary Servers, so that server host names get resolved. For DNS resolution requirements, see DNS Resolution in the ZENworks 11 SP3 System Requirements.

    Run the following commands in the same sequence:

    novell-zenworks-configure -Z -c MergeTruststore

    novell-zenworks-configure -c EnableJMX

    novell-zenworks-configure -c ZenProbe

  8. Refresh all the devices, including the Primary Servers, in the zone.

  9. (Conditional) If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:

    zac retr -u zone_administrator_username -p zone_administrator_password

  10. Configure the Satellites with the new external certificates by entering the following command at the Satellite's prompt:

    zac iac -pk private-key.der -c signed-server_certificate.der -ca signing-authority-public-certificate.der -ks keystore.jks -ksp keystore-pass-phrase -a signed-cert-alias -ks signed-cert-passphrase -u username -p password -rc

    For more information about zac, view the zac man page (man zac) on the device or see the ZENworks 11 SP3 Command Line Utilities Reference.

  11. Re-create all the default and custom deployment packages for all the Primary Servers:

    • Default Deployment Packages: At the console prompt of each Primary Server in the zone, enter the following command:

      novell-zenworks-configure -c CreateExtractorPacks -Z

    • Custom Deployment Packages: At the console prompt of each Primary Server in the zone, enter the following command:

      novell-zenworks-configure -c RebuildCustomPacks -Z

  12. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks 11 SP3 Out-of-Band Management Reference.

  13. (Conditional) If multizone is configured and the server whose certificate was replaced is the Publisher, update the new certificate of this server for all its Subscribers. To update the new certificate:

    1. Log in to ZENworks Control Center (ZCC) of subscribers.

    2. Navigate to Subscribe And Share > Subscriptions > <subscription_name> > Remote Server > Update Certificate.

    3. Update the certificate.

NOTE: Because ZENworks and ZENworks Reporting do not use the same certificate, ZENworks Reporting does not require any configuration changes if the ZENworks certificate is changed. However, if you want to replace the ZENworks Reporting certificate with the new certificate, you must run the ZENworks Reporting Configuration Tool.

For more information, see ZENworks Reporting Configuration Tool in the ZENworks Reporting 5 System Reference.
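
A pre-flight check that can be run on the signed certificate before it is imported in Step 3, given here as an added example that is not part of the ZENworks documentation or tooling. It confirms that the new certificate has the same issuer as the current one, chains to the CA certificate, and matches the Primary Server hostname used in the CSR. It assumes PEM-encoded files and the openssl command line; the function names, the CA name and the hostnames are constructed for the demonstration.

```shell
# Added example (not ZENworks code): pre-flight check for a replacement certificate.
# Assumes the openssl CLI and PEM files; every name and host below is constructed.

# check_replacement OLD NEW CA HOST: prints "ok" and returns 0 if NEW can replace OLD
check_replacement() {
  old=$1 new=$2 ca=$3 host=$4
  # Same issuer name as the certificate currently in use.
  [ "$(openssl x509 -in "$old" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$new" -noout -issuer_hash)" ] ||
    { echo "issuer differs from current certificate"; return 1; }
  # Signature chains to the CA certificate the zone already trusts.
  openssl verify -CAfile "$ca" "$new" >/dev/null 2>&1 ||
    { echo "not signed by the trusted CA"; return 2; }
  # Subject (or SAN) matches the Primary Server hostname used in the CSR.
  openssl x509 -in "$new" -noout -checkhost "$host" | grep -q 'does match' ||
    { echo "hostname mismatch"; return 3; }
  echo "ok"
}

# make_ca DIR NAME: constructed self-signed CA with subject CN=NAME
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# make_cert CADIR OUT HOST: CSR with HOST as subject, signed by the CA in CADIR
make_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

demo() {
  d=$(mktemp -d); mkdir "$d/a" "$d/b"
  make_ca "$d/a" "Constructed CA"; make_ca "$d/b" "Constructed CA"  # same name, different key
  make_cert "$d/a" "$d/old" zen1.example.test
  make_cert "$d/a" "$d/new" zen1.example.test     # same CA, same host
  make_cert "$d/b" "$d/forged" zen1.example.test  # look-alike issuer
  make_cert "$d/a" "$d/wrong" zen9.example.test   # wrong hostname
  for c in new forged wrong; do
    printf '%s: ' "$c"
    check_replacement "$d/old.pem" "$d/$c.pem" "$d/a/ca.pem" zen1.example.test || true
  done
  rm -rf "$d"
}
demo
```

The issuer-name comparison alone passes for a certificate signed by a different CA that carries the same subject name, which is why the signature check against the CA certificate follows it.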