If I activate the SHA-2 certificate (click on the Activate button in the ePO cert manager), is there still some way to go back to the old SHA-1 still being recognized by the ePO?
I think about a scenario where some systems are forgotten during migration, so still use old cert and urgently need to connect to the ePO.
Migration from SHA-1 to SHA-2 certificates is required after upgrading to ePolicy Orchestrator 5.9
If you encounter any issues during the migration process, click Cancel Migration to revert to the previous certificates. If you cancel the migration, you must stop the Agent Handler services, restart the ePO services, and start the Agent Handler services again.
What if I already completed my SHA-2 migration and discover clients that are still using SHA-1 certificates?
You must reinstall the Agent on any clients that still use a SHA-1 certificate after you have finished the migration to SHA-2 to restore agent-to-server communication.
I think if you regenerate the certificate a new certificate will be generated and the new certificates will not be active until activated.
Right, there is no doubt here. When regenerated, both certs work while the new one is being distributed. My question is whether there is a way to go back to this form of work once the cert has been activated.
We have upgraded recently to ePO 5.9.1. In the certificate manager I notice the Root Certificate Hash Algorithm is SHA1withRSA, where it should be SHA256withRSA:
Key size : 2048
Hash Algorithm : SHA1withRSA.
I see the same thing populates fine with ePO 5.10. As per KB90182, I think if we apply ePO 5.9.1 Hotfix 1226775 that should give us the right Hash Algorithm (SHA256withRSA). But we also have 1000 4.8 clients in the environment (Windows XP, Windows 2003 & 2003 R2). If we apply Hotfix 1226775 it can cause policy enforcement issues for 4.8 clients.
We have planned to upgrade McAfee Agent from 5.0.5 to 5.5.1; we thought that we would activate the certificate and then provide the 5.5.1 agent software from ePO to the SCCM team to deploy it across our estate.
Not sure how to proceed from here. Any suggestions?
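The check the poster is doing by eye in the certificate manager (is the root certificate still SHA1withRSA, or already SHA256withRSA?) can also be done against an exported DER certificate. The following is an added example, not code from the thread or from McAfee: a dependency-free walk over the outer `signatureAlgorithm` field of a DER certificate that maps the OID to the display names used in the certificate manager. The two sample certificates are constructed skeletons produced by `encode_skeleton_cert()` (a dummy `tbsCertificate` and `signatureValue` around a real signature-algorithm OID); they are not real ePO certificates, and the function names are this example's own.

```python
"""Report the signature hash algorithm of a DER-encoded X.509 certificate.

Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
Only the outer signatureAlgorithm (an AlgorithmIdentifier holding an OID)
is read, which is enough to tell a SHA-1 root from a SHA-2 one.
"""

# OID -> name as displayed by the ePO certificate manager
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "SHA1withRSA",
    "1.2.840.113549.1.1.11": "SHA256withRSA",
    "1.2.840.113549.1.1.12": "SHA384withRSA",
    "1.2.840.113549.1.1.13": "SHA512withRSA",
}


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OID content octets (base-128 arcs) into dotted-decimal form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear -> last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der: bytes) -> str:
    """Return the display name of the certificate's signature algorithm."""
    tag, cert_body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)         # skip tbsCertificate
    tag, alg_id, _ = _read_tlv(cert_body, pos)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("malformed AlgorithmIdentifier")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    dotted = _decode_oid(oid)
    return SIGNATURE_OIDS.get(dotted, f"unknown ({dotted})")


def needs_sha2_migration(der: bytes) -> bool:
    """True when the certificate is still SHA-1 signed."""
    return signature_algorithm(der) == "SHA1withRSA"


# --- constructed sample data (hypothetical, not real certificates) ---------

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV with a short or long definite length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(len_bytes)]) + len_bytes + value


def _encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID into DER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_skeleton_cert(sig_oid: str) -> bytes:
    """Constructed sample: Certificate SEQUENCE with placeholder tbsCertificate
    and signatureValue around the given signature OID. Not a usable cert."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))                     # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\x00" * 256)                   # placeholder BIT STRING
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        der = encode_skeleton_cert(oid)
        print(signature_algorithm(der), "- migration needed:", needs_sha2_migration(der))
```

For a certificate exported from the certificate manager, `signature_algorithm(open(path, "rb").read())` gives the same answer the UI shows; a result of SHA1withRSA after the hotfix is the case the poster wants to rule out before activating.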
Per the kb, see below. That hotfix has already been reposted. You will see the file name with r at the end to indicate repost. Use the reposted hotfix.
.... McAfee will repost ePO 5.9.1 Hotfix 1226775 with a fix for the McAfee Agent 4.8 policy enforcement issue soon
Thanks for your quick response.
I think KB90182 is updated; we have ePO version 5.9.1.
1. Once we install the hotfix we should see the Hash Algorithm as SHA256withRSA. Is that right?
Key size : 2048
Hash Algorithm : SHA1withRSA
2. Once we see this change we can activate the certificate, right? Then there should not be any agent 4.8 policy enforcement issue. Is that right?
3. We are planning to upgrade the Agent version from 5.0.5 to 5.5.1. We have already checked in the 5.5.1 package in ePO. Now, can we download the agent installation package 5.5.1 from ePO and distribute it to the SCCM team to push the package for the entire estate roll-out before activating the certificate, or does the agent have to be downloaded from ePO and distributed to the SCCM team only after activating the certificate?