We are still testing the migration from SHA-1 to SHA-2 using the Certificate Manager. I have noticed a problem if we were to utilize the "Cancel Migration" option after you activate the newly generated certificate. Basically, the ePO Apache service will not start. In the Windows logs it will state the following error:
The Apache service named reported the following error: >>> SSLCertificateKeyFile: file 'C:/Program Files (x86)/McAfee/ePolicy Orchestrator/Apache2/conf/ssl.crt/ahpriv.key' does not exist or is empty .
If I go to that folder, I notice that it didn't restore the ahpriv.key, which is missing. It also didn't restore the other files under ssl.crt with the backed-up copies, as it shows the newer timestamps on these files.
If I restore all the files that used to be in the ssl.crt folder from a backup, then I can get Apache to start. Why isn't the "Cancel Migration" option restoring these files from a backup? Also, this isn't documented in the KB87017 file.
Do you recommend that we manually back up these files just in case we need to revert the certificate migration? Also, are there any other folders that we need to back up?