4.2 Replacing an Internal Server Certificate with a New Internal Server Certificate

If the internal server certificate of your Windows or Linux Primary Server has expired or if the server certificate key pair has been compromised, you can choose to replace the certificate with a new internal server certificate.

  1. Before replacing an internal server certificate with a new internal server certificate, take a reliable backup of the following on all Primary Servers in the Management Zone:

  2. Enforce the new certificates on the zone by running the following command on any Primary Server whose DNS name is changed:

    novell-zenworks-configure -c SSL -Z

    Browse icon

    Follow the prompts. Do not remint the Certificate authority, just the server certificate.

    NOTE:If both the Server Certificate and Certificate Authority are expired, then select option 2 for reminting both Certificate Authority and Primary Server certificates.

  3. Restart all the ZENworks services on all the Primary Servers in the zone by running the following command at the console prompt of each Primary Server in the zone:

    novell-zenworks-configure -c Start

    By default, all the services are selected. You must select Restart as the Action.

  4. Refresh all the devices, including the Primary Servers, in the zone.

    If only one Primary Server certificate was changed, and if the CA certificate was not changed, and there is more than one Primary Server in the zone, refreshing the Server, Satellites, and managed devices will allow the agent to trust the new server certificate. Refreshes automatically on the next scheduled refresh.

    If the CA certificate was changed or if there is only one Primary Server in the zone then the Primary Servers, Satellites, and managed devices need to run zac retr to reestablish the trust.

    If any device is not reachable during the refresh, you must first establish a connection with the device, then run the following command at the console prompt of each device to reestablish the trust between the device and the zone:

    zac retr -u zone_administrator_username -p zone_administrator_password

  5. Configure the Authentication Satellites with the new certificates by entering the following command at the Satellite's prompt:

    On Windows: zac authentication server reconfigure (asr) -t all

    On Linux: zac remint-satellite-cert (rsc)

  6. Re-create all the default and custom deployment packages for all the Primary Servers:

    • Default Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks-configure -c CreateExtractorPacks -Z command:

      Custom Deployment Packages: At the console prompt of each Primary Server in the zone, enter the novell-zenworks-configure -c RebuildCustomPacks -Z command

  7. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks 11 Out-of-Band Management Reference.

NOTE:Because ZENworks and ZENworks Reporting Server use the same certificate, the ZENworks Reporting Server Tomcat server must be configured when the ZENworks certificate is changed. For information on how to configure the ZENworks Reporting Server, see Section 4.5, Configuring the ZENworks Reporting Server Tomcat Server When the ZENworks Certificate Changes.