
Migration from SHA-1 to SHA-2 certificates is required after upgrading to ePolicy Orchestrator 5.9
Technical Articles ID:   KB87017
Last Modified:  6/11/2019


Environment

McAfee ePolicy Orchestrator (ePO) 5.x

Problem

Browsers flag the ePO console HTTPS connection as not secure, even though the correct certificate is imported into the user certificate store.

Problem

A vulnerability scan flags ePO as using SHA-1, which is considered a weak hashing algorithm.

Cause

The SHA-1 algorithm has reached End of Life (EOL).

Many organizations are deprecating TLS/SSL certificates signed by the SHA-1 algorithm. Browsers such as Google Chrome and Microsoft Internet Explorer are dropping support for certificates using SHA-1 at various dates.

To learn more about SHA-1 support in some browsers, see:

Solution

CAUTION: Read all these instructions carefully before proceeding with the steps. Failure to wait for sufficient agent saturation in step 5 can result in large numbers of agents failing to communicate until the agent is reinstalled. This solution can only be performed on an ePO 5.9 server because Certificate Manager is a new feature introduced in ePO 5.9.

WARNING: If you are using ePO 5.9.1, the Agent Handler Certificate is not automatically regenerated after completing step 8. See KB90182 for more information, including remediation instructions.

To remediate vulnerabilities in your ePO environment, migrate your existing SHA-1 certificates to certificates that use the more secure SHA-2 algorithm. A fresh installation of ePO 5.9 installs the latest hash algorithm certificates.

If you upgrade ePO from an older version, migrate the SHA-1 certificates to SHA-2 certificates using the following steps:
  1. Log on to ePO console as an Administrator.
     
  2. Click Menu, Configuration, Certificate Manager.

    NOTE: The Certificate Manager page provides information about the installed Root Certificate, Agent Handler certificates, server certificates, and other certificates derived from the ePO root Certificate Authority (CA).
     
  3. Click Regenerate Certificate.
     
  4. Click OK to confirm the certificate generation.

    The ePO root CA, and other certificates derived from the root CA, are regenerated and stored in a temporary location on the server. The length of time required to generate the new certificates varies depending on the number of Agent Handlers and Extensions that derive certificates from the ePO root CA.
     
  5. When certificate regeneration completes, wait for sufficient saturation of the new certificates BEFORE you continue.

    As agents check in on their normal agent-to-server communication interval, they are handed a new certificate that uses SHA-2.

    NOTE: You can view the certificate distribution percentage in the Product: Agent Handler section of Certificate Manager to see how many agents have received the newly generated certificates and how many are pending. The distribution percentage is calculated from agent-server communication after the certificates are regenerated, so unmanaged or inactive clients affect the percentage.
     
    IMPORTANT: Ensure that the distribution percentage reaches as close to 100% as is possible, before you continue. Otherwise, the pending systems will not receive the newly generated certificates and will be unable to communicate with the ePO server after the certificates are activated. You can stay in this state for as long as is needed to achieve sufficient saturation.

    After clicking Activate Certificates, agents using the old certificates must be reinstalled to restore agent-to-server communication.
  6. Once you are satisfied with the saturation of the SHA-2 certificates in your environment, click Activate Certificates to carry out all future operations using the new certificates.

    A backup of the original certificate is created.
     
  7. Click OK on the warning if you agree to reinstall the agent on any remaining agents that have not yet communicated and received the new certificate.
     
  8. Perform the following steps when the certificate activation is complete:
    1. Stop the Agent Handler services (including the Remote Agent Handler services).
    2. Restart the ePO services.
    3. Start the Agent Handler services.
       
  9. Monitor your environment and ensure that your agents are communicating successfully before finishing the migration.

    IMPORTANT: If you are using ePO 5.9.1 and your agents do not communicate, follow the instructions in KB90182.

    You can cancel the migration at this point to roll back the certificate and restore agent-to-server communication, but this is not possible after you complete the next step.
     
  10. Click Finish Migration to complete the certificate migration.

    The certificate backup taken during activation is deleted.

    IMPORTANT: If you are using a Threat Intelligence Exchange (TIE) server, you must go through the migration steps in KB88491 after completing this step.

If you encounter any issues during the migration process, click Cancel Migration to revert to the previous certificates. If you cancel the migration, you must stop the Agent Handler services, restart the ePO services, and start the Agent Handler services again.

You can start the certificate migration again after resolving the issues.

Workaround

You can replace the server certificate used by ePO at the console logon screen with one signed by an internal CA or a public CA (such as GoDaddy or Verisign) to avoid this issue on any version of ePO 5.x. This process only replaces the console certificate, which is associated with port 8443 (by default), and used at the console logon page. It does not change the certificate used for agent-to-server communication, which is associated with port 443 (by default).
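Because the console listener (8443) and the agent-to-server listener (443) carry different certificates, each should be checked separately. The following Python is an added example, not McAfee code: it fetches the certificate a host presents on a port and reads the signature algorithm OID directly out of the DER, so no third-party library is required, and it looks only at the served leaf certificate's outer signature. The fake_cert helper builds a constructed, certificate-shaped blob so the parser can be exercised offline.

```python
import ssl

SIG_ALGS = {  # dotted OID -> (name, uses SHA-1)
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

def _tlv(data, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid_to_dotted(raw):
    """Decode OBJECT IDENTIFIER content bytes (base-128 arcs) to dotted form."""
    parts, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(value))
            value = 0
    return ".".join(parts)

def signature_algorithm(der):
    """Return (oid, name, is_sha1) for the outer signatureAlgorithm of a DER cert."""
    _, start, _ = _tlv(der, 0)                    # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(der, start)              #   tbsCertificate (skipped whole)
    _, alg_start, _ = _tlv(der, tbs_end)          #   signatureAlgorithm SEQUENCE {
    _, oid_start, oid_end = _tlv(der, alg_start)  #     algorithm OBJECT IDENTIFIER
    oid = _oid_to_dotted(der[oid_start:oid_end])
    return (oid,) + SIG_ALGS.get(oid, (oid, False))  # unknown OID: report it, not weak

def check_server(host, port):
    """Fetch the certificate host:port presents (no chain validation) and classify it."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(ssl.PEM_cert_to_DER_cert(pem))

def _der(tag, body):  # DER TLV encoder, long length form when body >= 128 bytes
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(sig_oid_der):  # constructed, certificate-shaped DER; not a real signed cert
    tbs = _der(0x30, b"\x00" * 200)              # oversized so long-form lengths are exercised
    alg = _der(0x30, sig_oid_der + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))  # dummy BIT STRING signature
```

Run check_server(host, 8443) and check_server(host, 443) against your ePO server; a True third element means that listener still presents a SHA-1-signed certificate, and after the console-only workaround you should expect 443 to still report SHA-1 until the Certificate Manager migration is done.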

See KB72477 for instructions on generating a new console certificate using OpenSSL, or see the "SSL Certificates" section of the ePO 5.3 Product Guide (PD25504).
