Jmac24
Level 9
Message 1 of 4

Question about certificate generation and DXL


Generated a new server certificate in ePO 5.10. Everything looks normal, we're already at 91% saturation for the new cert after a few hours.

What I'm concerned with is in the Product: Data Exchange Layer in Certificate Manager I am getting this:

Product: Data Exchange Layer

Key size : 2048
Hash Algorithm : SHA256WITHRSA
Expiration : Mar 16, 2049 8:15:05 AM EDT
Description : Data exchange layer certificates are used for secure communication between brokers and clients.
Status : 0% of your brokers are incompatible.
2% of your clients use certificates derived from this root certificate. Click here to see remaining 98%.
0% of your clients are incompatible.

I am wondering if this is something I need to be concerned about, or any special steps need to be followed with DXL or the agents before finalizing. We have approximately 85% of our endpoints on MA v5.6.0.702. The other 15% on previous versions.

1 Solution

Accepted Solutions
McAfee Employee cdinet
McAfee Employee
Message 2 of 4

Re: Question about certificate generation and DXL


I asked one of our dxl experts about this and this is what he responded:

The DXL Clients need to be at version 3.1 or later to support SHA2 migration

When the SHA2 cert is generated, the client receives a policy with a 'regenVersion' setting. The DXL client will then issue a DXL_CERTSIGN_V3_request to ePO over a randomized interval (2-24hrs) in order to get a new SHA256 certificate.

When the managed client processes the regenVersion policy setting, it persists it in the dxl_property.config file as the "DxlRegenVersionPolicy" setting. During an agent-to-server communication interval, the Agent will collect and report both the "Certificate Authority Version" and the "Certificate Regeneration Version" to ePO. This information is displayed in the Products Tab in the System Tree details page in ePO and is used to display the Status information in the "Certificate Manager" page.

Because the process requires both a policy update, along with the 2-24 hour randomization interval and an ASCI cycle, it may take some more time for the report to show progress.

For now, please send a wake up call with the options "Retrieve all properties even if they haven't changed since the last time they were collected" and "Force complete policy and task update" to one of the systems that has not yet reported an updated DXL client cert, and check to see if the status changes.

If the certificates do not begin updating, please plan to collect a MER from a problematic system and contact support to open an SR.

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
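As an added illustration (not McAfee's code and not from this thread), a small script that models the three things the reply describes: the DXL client 3.1 version gate, the randomized 2-24h request window, and the ASCI reporting lag. It flags endpoints that are genuinely overdue rather than merely still waiting; the endpoint records, field names and expected regen version are constructed assumptions.

```python
# Added example (not McAfee/ePO code): models the SHA-256 DXL cert rollout
# described above to spot endpoints that are overdue for a new client cert.
# Field names and sample endpoints are constructed for illustration.
from dataclasses import dataclass

MIN_DXL_CLIENT = (3, 1)       # thread: DXL client must be 3.1 or later to migrate
MAX_REGEN_WINDOW_HOURS = 24   # upper bound of the randomized 2-24h request interval

@dataclass
class Endpoint:
    name: str
    dxl_client_version: str        # e.g. "5.0.1"
    reported_regen_version: int    # "Certificate Regeneration Version" from last ASCI
    hours_since_policy_push: float # hours since the regenVersion policy was assigned
    asci_interval_hours: float     # this endpoint's agent-to-server interval

def parse_version(text: str) -> tuple:
    # "5.0.1" -> (5, 0, 1) so versions compare numerically, not as strings
    return tuple(int(part) for part in text.split("."))

def classify(ep: Endpoint, expected_regen_version: int) -> str:
    if parse_version(ep.dxl_client_version) < MIN_DXL_CLIENT:
        return "incompatible"   # cannot perform the SHA2 migration at all
    if ep.reported_regen_version >= expected_regen_version:
        return "migrated"       # agent already reported the new regen version
    # Before declaring a problem, allow the full randomized window plus one ASCI
    # cycle, since the new value only reaches ePO at the next property report.
    if ep.hours_since_policy_push <= MAX_REGEN_WINDOW_HOURS + ep.asci_interval_hours:
        return "pending"
    return "stale"              # overdue: candidate for the forced wake-up call

def summarize(endpoints, expected_regen_version: int):
    """Return (counts by state, percent migrated, names of stale endpoints)."""
    counts = {"migrated": 0, "pending": 0, "stale": 0, "incompatible": 0}
    stale = []
    for ep in endpoints:
        state = classify(ep, expected_regen_version)
        counts[state] += 1
        if state == "stale":
            stale.append(ep.name)
    pct = round(100 * counts["migrated"] / len(endpoints)) if endpoints else 0
    return counts, pct, stale

SAMPLE = [  # constructed inventory; expected regen version after the new cert is 2
    Endpoint("host-a", "5.0.1", 2, 30.0, 1.0),  # reported version 2: migrated
    Endpoint("host-b", "5.0.1", 1, 6.0, 1.0),   # still inside the 2-24h window
    Endpoint("host-c", "5.0.1", 1, 40.0, 1.0),  # past window + ASCI cycle: stale
    Endpoint("host-d", "2.0.0", 1, 40.0, 1.0),  # DXL client below 3.1
]
```

Running `summarize(SAMPLE, 2)` yields 25% migrated with host-c as the only overdue system, the one you would target with the forced wake-up call from the reply.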

3 Replies
Jmac24
Level 9
Message 3 of 4

Re: Question about certificate generation and DXL


Thank you. This is looking good now. I checked it this morning and it jumped to 91% for DXL.

McAfee Employee cdinet
McAfee Employee
Message 4 of 4

Re: Question about certificate generation and DXL


Good deal!

Was my reply helpful?
If this information was helpful in any way or answered your question, will you please select Accept as Solution in my reply and together we can help other members?
