if I understand correctly so long as the ePO server can still be contacted the agent would request a key exchange without having to reinstall.
This assumes the ePO server has the right key information available to respond.
If the ePO server does not recognise the agent key presented then you'd be left with an agent reinstall which would include a new key from the ePO server that it knows about,
or you would need to find and add the correct agent keys to the ePO server keystore.
Depending on your infrastructure just pushing out a new agent is probably your easiest option.
If you want to do it manaully then the information in this KB entry explains rackroyds re-install with new server key suggestion.
http://kc.mcafee.com/corporate/index?page=content&id=KB53808 It's a bit old (agent 4.0) but it should still apply to 4.6/4.8. There probably is a newer version somewhere but i had the link in my favourites.
Basically you want the bit on keys.
Installing the agent with user-selected site information and user-selected keys
Use this command to install the agent and specify a site list file and security keys (srpubkey.bin and reqseckey.bin) other than the defaults. This command is useful when upgrading an agent using framepkg_upd.exe. It specifies the server with which the agent communicates, irrespective of the site information embedded in the original installation package.
The security keys must be located in the same folder as the site list. Use ePolicy Orchestrator to export the files:
- Export the siteinfo file:
- Select Software | Master Repository.
- Click Export Sitelist.
Save the file to a new location.
- Export the security keys:
- Select Configuration | Server Settings | Security Keys, and click Edit.
- Select Master Agent-server secure communication key, and click Export.
Save the files to the same location as the siteinfo file.
and this bit
Use this task to change the server with which a client communicates.
The security keys must be located in the same folder as the site list.
frminst.exe /siteinfo=<full path of target servers sitelist.xml file>
- Export the siteinfo file:
"you would need to find and add the correct agent keys to the ePO server keystore"
A) Does adding the agent keys to the ePO keystore need to be done through the API?
B) Is there documentation about any process to inject 3rd party created keys or archived keys back into an Agent installation?
That could take care of my Agent key update....
Not through the API, and no you can't inject 3rd-party keys.
You can however reinstall archived agent keys to the ePO server through the ePO console.
In ePO 4.6 it's under:
Menu - Configuration - Server Settings - Security Keys.
Choose Edit, then Import.
"Agent-Server Secure Communication Keys" are the other part of the secure keypair that will be requested by the agent.