Regenerate the certificates used by the ePO server service

Before you proceed reading this article about how to regenerate the certificate used by the ePO server service?  We should know little about McAfee Certificate Error. 

McAfee Certificate Error is an ePO-based error that is regarded as the most advanced and leading security management software. The following unexpected McAfee Certificate Error appears at the top of the browser when you open the ePO console remotely. When you right-click on the error and choose View Certificate, you'll see a wrong certificate. This error occurs when an old certificate is no longer a user, the Server Certificate is updated, and the certificate is used for ePO browser authentication.

What is ePO?

The ePO server certificates are created during the installation of ePO or another Agent Handler. The certificates are issued by self-signed certificates owned by the ePO Application Server service. During the ePO installation also self-signed certificates are created.

This article describes the certificates used by the ePO server service, as well as how to re-generate them if necessary.

Certificates are used by the ePO server service to secure communications for the following:

     Client computer communications with McAfee Agent

     Communication with the ePO Application Server service on an internal level.

Note: These certificates cannot be replaced with certificates issued by another certificate authority.

The certificates are kept in a folder called ssl.crt. The following are the default locations:

Component

Path

ePO Server

C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt

Agent Handler

64-bit operating system

C:\Program Files (x86)\McAfee\Agent Handler\Apache2\conf\ssl.crt

Agent Handler

32-bit operating system

C:\Program Files\McAfee\Agent Handler\Apache2\conf\ssl.crt

Note: If you chose a non-default path during installation, the paths are different.

List of files that folder contains

 

      ahCert.crt

      ahpriv.key

      mfscabundle.cer

      pkcs12store.pfx

      pkcs12store.properties

 

You might need the path to re-create or regenerate these certificates in some circumstances. If ePO is being restored as part of the manual disaster recovery process described in KB66616, for example.

How to Generate the Certificate?

 1.   Stop the ePO Server service first.

a.   Hold and press down the Windows key + R key at the same time.

b.   Type services.msc into the field provided and press Enter.

c.   Stop the following ePO service by right-clicking it and selecting Stop

d.   McAfee ePolicy Orchestrator #.#.#  Server

e.   Now closed the service window.

2.  Ascertain that the McAfee ePolicy Orchestrator Application Server service is up and running.

3.  Check that you can access the ePolicy Orchestrator console using the following credentials:

a.     In the URL, the NetBIOS name of the McAfee ePO server An account that is an ePO administrator and uses ePO authentication (not Windows authentication) 

This account will be used to regenerate the certificates later.


 

Note: The certificate regeneration process fails if the administrator user name or password contains certain characters. Despite the fact that they are valid when accessing the ePO console. McAfee recommends changing the password to a simple alphanumeric password for the time being. Alternatively, create a new temporary administrator user with a simple password to use while the certificate is being renewed. 

After that, you can either change the password or remove the temporary administrator user.

4.  The ssl.crt folder must exist and be empty for the regeneration process to work. In the ePO or Agent Handler instal folder, look for the Apache2conf folder.

5.  Rename any existing ssl.crt folders to ssl.crt.old.

6.  Make a folder called ssl.crt and rename it.

7.  Start by typing cmd into the search box, then right-clicking and selecting Run as administrator.

8.  To get to your ePO installation folder, change directories. The default paths are listed in the section above titled "Introduction."

9.  Now Run the following command: 

Rundll32.exe ahsetup.dll RunDllGenCerts <ePO_server_name> <console_HTTPS_port> <admin_username> <password> <"installdir\Apache2\conf\ssl.crt">

Where:

      <ePO_server_name> - The ePO server NetBIOS name

      <console_HTTPS_port> - The ePO console port (default is 8443)

      <admin_username> - The ePO administrator account (see step 3)

      <password> - The password for the ePO administrator account (see step 3)

      <installdir\Apache2\conf\ssl.crt> - The full path to the empty ssl.crt folder (see step 4). Make sure that you enclose this path in double quotes.

Example:

Rundll32.exe ahsetup.dll RunDllGenCerts epo_server_name 8443 administrator password "C:\Program Files (x86)\McAfee\ePolicy Orchestrator\Apache2\conf\ssl.crt"

Important:

      If User Account Control (UAC) is enabled on this server, the command will fail. Disable this feature if the server is running Windows Server 2008 or later.

      The case of the RunDllGenCerts parameter is important.

Note:

In normal use, the command does not produce messages when it runs. After a few seconds, the ssl.crt folder is populated with the following certificate files:

      ahCert.crt

      ahpriv.key

      mfscabundle.cer

      pkcs12store.pfx

      pkcs12store.properties

A log file is created ahsetup_<ePO_server_name>.log.

10. In a text editor, open this log file. The log will end with the following lines if the   regeneration was successful:

AHSETUP The Agent Handler successfully connected to the ePO server.

AHSETUP Successfully created the Agent Handler certs.

AHSETUP Successfully created the Agent Handler CA Certificate.

AHSETUP Successfully imported the PKCS12 Certificates. 

11. Now Start ePO server service.

Conclusion

Hope this blog will help you to understand to regenerate the certificates used by the ePO server service and the concept of McAfee Certificate Error. If you still have any doubt or queries then please feel free to contact McAfee Customer Support Number. 

Comments

Popular posts from this blog

The Role of McAfee Antivirus In 2021

What to Do When McAfee Scanning Is Not Working

How To Solve McAfee Certificate Error | mcafeepro.com