
ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

Hi,

If I activate the SHA-2 certificate (click on the activate button in the ePO cert manager), is there still some way to go back to the old SHA-1 still being recognized by the ePO?

I think about a scenario where some systems are forgotten during migration, so still use old cert and urgently need to connect to the ePO.


-----
IF YOU AIN'T FIRST, YOU ARE LAST

12 Replies
tao
Reliable Contributor
Message 2 of 13

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

Migration from SHA-1 to SHA-2 certificates is required after upgrading to ePolicy Orchestrator 5.9

If you encounter any issues during the migration process, click Cancel Migration to revert to the previous certificates. If you cancel the migration, you must stop the Agent Handler services, restart the ePO services, and start the Agent Handler services again.

What if I already completed my SHA-2 migration and discover clients that are still using SHA-1 certificates?
You must reinstall the Agent on any clients that still use a SHA-1 certificate after you have finished the migration to SHA-2 to restore agent-to-server communication.

https://kc.mcafee.com/corporate/index?page=content&id=KB87017


Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

Dear @HugsNotDrugs 

You must reinstall the Agent on any clients that still use a SHA-1 certificate once you have finished the migration to SHA-2 to restore agent-to-server communication. 

Cheers!!!!

Venu

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

So no other way on the ePO end? No reactivation of the old SHA-1 cert?

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

@HugsNotDrugs 

I think if you regenerate the certificate a new certificate will be generated and the new certificates will not be active until activated. 

Venu

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

Right, there is no doubt here. When regenerated both certs work, while the new is being distributed. My question is, if there is a way to go back to this form of work once the cert has been activated.

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

@HugsNotDrugs 

It is not possible to revert to the earlier certificate once you started using the new one 🙂

Cheers!!!!!!

Venu
Majidkhan
Level 8
Message 8 of 13

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

Hi All,

We have upgraded recently to ePO 5.9.1. In Certificate Manager I notice the Root Certificate Hash Algorithm: SHA1withRSA, where it should be SHA256withRSA.

Root Certificate
Key size : 2048
Hash Algorithm : SHA1withRSA.

I see the same thing populates fine with ePO 5.10. As per KB90182, I think if we apply ePO 5.9.1 Hotfix 1226775 that should give us the right Hash Algorithm (SHA256withRSA). But we also have 1000, 4.8 clients in the environment (Windows XP, Windows 2003 & 2003 R2). If we apply Hotfix 1226775 it can cause policy enforcement issues for 4.8 clients.

We have planned to upgrade McAfee Agent from 5.0.5 to 5.5.1. We thought that we would activate the certificate and then provide the 5.5.1 agent software from ePO to the SCCM team to deploy it across our estate.

Not sure how to proceed from here. Any suggestions?

 

Regards,

Majid

cdinet
McAfee Employee
Message 9 of 13

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

Per the KB, see below. That hotfix has already been reposted. You will see the file name with r at the end to indicate repost. Use the reposted hotfix.

.... McAfee will repost ePO 5.9.1 Hotfix 1226775 with a fix for the McAfee Agent 4.8 policy enforcement issue soon


Majidkhan
Level 8
Message 10 of 13

Re: ePO 5.9 upgrade - Migrate SHA-1 certificates to SHA-2

Hi Team,

Thanks for your quick response.

I think KB90182 is updated; we have ePO version 5.9.1.

1. Once we install the hotfix we should see the Hash Algorithm as SHA256withRSA. Is that right?

Current :

Root Certificate
Key size : 2048
Hash Algorithm : SHA1withRSA

2. Once we see this change, we can activate the certificate, right? Then there should not be any issue with agent 4.8 policy enforcement. Is that right?

3. We are planning to upgrade the Agent version from 5.0.5 to 5.5.1. We have already checked in the 5.5.1 package in ePO. Can we download the 5.5.1 agent installation package from ePO and distribute it to the SCCM team to push the package for the entire estate rollout before activating the certificate, or does the agent have to be downloaded from ePO and distributed to the SCCM team only after activating the certificate?

Please advise.

Regards,

Majid
