Migration from SHA-1 to SHA-2 certificates is required after upgrading to ePolicy Orchestrator 5.9
Technical Articles ID:   KB87017
Last Modified:  7/1/2019


McAfee ePolicy Orchestrator (ePO) 5.x


Browsers flag the ePO console as an insecure HTTPS site, even though the correct certificate is imported into the user certificate store.


A vulnerability scan flags ePO as using SHA-1, which is considered a weak hashing algorithm.


The SHA-1 algorithm has reached end of life (EOL).

Many organizations are deprecating TLS/SSL certificates signed by the SHA-1 algorithm. Browsers such as Google Chrome and Microsoft Internet Explorer are ending support for certificates using SHA-1.

To learn more about SHA-1 support in some browsers, see:


CAUTION: Read all these instructions carefully before you proceed with the steps. Failure to wait for sufficient agent saturation in step 5 can result in large numbers of agents failing to communicate until the agent is reinstalled. This solution can only be performed on an ePO 5.9 server because Certificate Manager is a new feature introduced in ePO 5.9.

WARNING: If you use ePO 5.9.1, the Agent Handler Certificate is not automatically regenerated after completing step 8. See KB90182 for more information, and remediation instructions.

To remediate vulnerabilities in your ePO environment, migrate your existing SHA-1 certificates to certificates that use the more secure SHA-2 algorithm. A fresh installation of ePO 5.9 installs the latest hash algorithm certificates.

If you upgrade ePO from an older version, migrate the SHA-1 certificates to SHA-2 certificates using the following steps:
  1. Log on to ePO console as an Administrator.
  2. Click Menu, Configuration, Certificate Manager.

    NOTE: The Certificate Manager page provides information about the installed Root Certificate, Agent Handler certificates, server certificates, and other certificates derived from the ePO root Certificate Authority (CA).
  3. Click Regenerate Certificate.
  4. To confirm the certificate generation, click OK.

    The ePO root CA, and other certificates derived from the root CA, are regenerated and stored in a temporary location on the server. The time needed to generate the new certificates varies depending on the number of Agent Handlers and Extensions that derive certificates from the ePO root CA.
  5. Wait for sufficient saturation of the new certificates after certificate regeneration completes, BEFORE you continue.

    As the agents check in on their normal agent-to-server communication interval, they are handed a new certificate that uses SHA-2.

    NOTE: You can view the certificate distribution percentage in the Product: Agent Handler section of the Certificate Manager to see how many agents have received the newly generated certificates and how many are pending. The distribution percentage is calculated from agent-server communication after the certificates are regenerated. This design means that unmanaged or inactive clients affect the percentage.
    IMPORTANT: Before you continue, make sure that the distribution percentage reaches as close to 100% as possible. Otherwise, the pending systems will not receive the newly generated certificates and will be unable to communicate with the ePO server after the certificates are activated. You can stay in this state for as long as is needed to achieve sufficient saturation.

    After you click Activate Certificates, the agents that use the old certificates must be reinstalled to restore agent-to-server communication.
  6. After you are satisfied with the saturation of the SHA-2 certificate in your environment, click Activate Certificates to carry out all future operations using the new certificates.

    A backup of the original certificate is created.
  7. Click OK on the warning if you agree to reinstall the agent on any remaining agents that have not yet communicated and received the new certificate.
  8. Perform the following steps after the certificate activation is complete:
    1. Stop the Agent Handler services (including the Remote Agent Handler services).
    2. Restart the ePO services.
    3. Start the Agent Handler services.
  9. Monitor your environment and make sure that your agents communicate successfully before you finish the migration.

    IMPORTANT: If you are using ePO 5.9.1 and your agents do not communicate, follow the instructions in KB90182.

    You can cancel the migration at this point to roll back the certificate and restore agent-to-server communication, but this action is not possible after you have completed the next step.
  10. Click Finish Migration to complete the certificate migration.

    The certificate backup created during activation is deleted.

    IMPORTANT: If you are using a Threat Intelligence Exchange (TIE) server, you must go through the migration steps in KB88491 after completing this step.

If you encounter any issues during the migration process, click Cancel Migration to revert to the previous certificates. If you cancel the migration, you must stop the Agent Handler services, restart the ePO services, and start the Agent Handler services again.

You can start the certificate migration again after you resolve the issues.


You can replace the server certificate used by ePO at the console logon screen with one signed by an internal CA or a public CA (such as GoDaddy or Verisign). This action avoids the issue on any version of ePO 5.x. This process only replaces the console certificate, which is associated with port 8443 (by default), and used at the console logon page. It does not change the certificate used for agent-to-server communication, which is associated with port 443 (by default).

See KB72477 for instructions on generating a new console certificate using OpenSSL.
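A check an administrator can run before and after the migration to confirm what the vulnerability scanner sees, added here and not part of the KB article: it fetches the certificate presented on the console port and on the agent-handler port and reads the signature-algorithm OID with only the Python standard library. The hostname epo.example.internal is a placeholder; the ports are the defaults the article names, and the two SAMPLE_* byte strings are constructed stand-ins used only to exercise the parser offline.

```python
import ssl

# Signature-algorithm OIDs that a vulnerability scanner flags as weak (SHA-1 based).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID contents to dotted notation, e.g. 1.2.840.113549.1.1.11."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded certificate."""
    _, cert, _ = _read_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)               # skip tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)         # AlgorithmIdentifier ::= SEQUENCE
    tag, oid_raw, _ = _read_tlv(sig_alg, 0)      # whose first element is the OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid_raw)

def has_weak_signature(der):
    return signature_oid(der) in WEAK_SIG_OIDS

def check_endpoint(host, port):
    """Fetch the live certificate (no chain validation, so a private ePO CA is fine)."""
    return has_weak_signature(ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port))))

# Constructed samples (not real certificates): empty tbsCertificate, AlgorithmIdentifier, empty BIT STRING.
SAMPLE_SHA1 = bytes.fromhex("30143000300d06092a864886f70d0101050500030100")
SAMPLE_SHA256 = bytes.fromhex("30143000300d06092a864886f70d01010b0500030100")

if __name__ == "__main__":
    for port, role in ((8443, "console"), (443, "agent handler")):   # KB default ports
        print(role, port, "WEAK" if check_endpoint("epo.example.internal", port) else "OK")
```

Running it against both ports shows the distinction the article makes: replacing the console certificate on 8443 does not change what the agents see on 443.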
