clm users certificates expiration

Unai Castro

Guest
Hello,

What happens when the CLM users' (clmagent, clmkragent and clmenrollagent) certificates expire? Can CLM renew these users' certificates, or do I need to request renewal for these users?

Regards,

--

Unai Castro

MCP Windows 2003, XP, Exchange 2003

 
Brian Komar (MVP)

Guest
There are two different ways used:

1) Verify that the clm.config.exe.config file references the correct CSP used for the agent certificates (you may change it if using an HSM to protect the keys). Then run the configuration wizard again. This does involve retyping all agent passwords, but will issue new certificates for the three agent accounts. The wizard will update the web.config file. You will have to verify that the correct KRA certificate is available at all enterprise CAs in the environment (and may have to delete the expired/expiring certificate).

2) Log in as each clmAgent and renew the certificate manually. Once renewed, you must update the web.config file with the new thumbprint of the new certificates. Only the clmenrollagent and clmagent accounts have references in the web.config file. The key is to search for the words "hash" and "hashes". In the case of "hash", replace the current value with the new thumbprint (removing the spaces). In the case of "hashes", add the new thumbprint (removing the spaces), separated by commas (may be semi-colons; check the comments above the line).

HTH,

Brian
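The manual route in option 2 of the reply above (replace the single "hash" value, append to the "hashes" list, spaces removed), sketched in PowerShell as an added example that is not part of the original posts or of CLM itself. The web.config key names and all thumbprints are constructed placeholders, and the comma delimiter is an assumption to check against the comments in the real file.

```powershell
# Added example. Key names and thumbprints are constructed placeholders,
# not CLM's real setting names; adjust the delimiter to what your file uses.
$old = '11' * 20                      # constructed 40-hex-digit SHA-1 thumbprint
$new = ('22 ' * 20).Trim()            # as copied from the certificate dialog, with spaces
$sample = @"
<configuration>
  <appSettings>
    <add key="Example.Agent.Certificate.Hash" value="$old" />
    <add key="Example.Agent.ValidCertificates.Hashes" value="$old" />
    <add key="Example.Other.Certificate.Hash" value="$('33' * 20)" />
  </appSettings>
</configuration>
"@

function ConvertTo-CleanThumbprint([string]$Raw) {
    # Strip spaces and anything else that is not a hex digit (the dialog can
    # also copy an invisible leading character), then insist on 40 digits.
    $t = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($t.Length -ne 40) { throw "Expected 40 hex digits, got $($t.Length)" }
    $t
}

function Update-AgentThumbprint {
    param([xml]$Config, [string]$OldThumbprint, [string]$NewThumbprint, [string]$Delimiter = ',')
    $oldT = ConvertTo-CleanThumbprint $OldThumbprint
    $newT = ConvertTo-CleanThumbprint $NewThumbprint
    foreach ($node in $Config.SelectNodes('//appSettings/add')) {
        $key   = $node.GetAttribute('key')
        $value = $node.GetAttribute('value')
        if ($key -match 'Hashes$') {
            # "hashes": keep the existing entries and append the new thumbprint
            $list = @($value.Split($Delimiter) | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if (($list -contains $oldT) -and ($list -notcontains $newT)) {
                $node.SetAttribute('value', (($list + $newT) -join $Delimiter))
            }
        } elseif (($key -match 'Hash$') -and ($value -eq $oldT)) {
            # "hash": replace the single value, only where it names the old certificate
            $node.SetAttribute('value', $newT)
        }
    }
}

# Run against the constructed sample; the unrelated third entry must stay untouched.
$cfg = [xml]$sample
Update-AgentThumbprint -Config $cfg -OldThumbprint $old -NewThumbprint $new
$cfg.configuration.appSettings.add | Format-Table key, value -AutoSize
```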

 
Paul Adare

Guest
On Sun, 30 Mar 2008 02:39:00 -0700, Unai Castro wrote:

> What happens when the CLM users' (clmagent, clmkragent and clmenrollagent) certificates expire? Can CLM renew these users' certificates, or do I need to request renewal for these users?

CLM actually doesn't manage these certificates. If you think about it, it can't, since the certificates are issued before your CLM deployment is functioning. You need to manually renew these certificates outside of CLM and then update web.config with the new thumbprints for the clmAgent and clmEnrollAgent certificates.

--

Paul Adare

MVP - Virtual Machines

http://www.identit.ca

A list is only as strong as its weakest link. -- Don Knuth

 
Unai Castro

Guest
Thank you Paul. I thought that the CLM server requested certificate renewal as it does when it's configured for the first time.

--

Unai Castro

MCP Windows 2003, XP, Exchange 2003

 
Paul Adare

Guest
On Sun, 30 Mar 2008 11:20:01 -0700, Unai Castro wrote:

> Thank you Paul. I thought that the CLM server requested certificate renewal as it does when it's configured for the first time.

It will if you rerun the Configuration Wizard.

--

Paul Adare

MVP - Virtual Machines

http://www.identit.ca

Hackers have kernel knowledge.

 
Unai Castro

Guest
Thank you Brian. I tested the two ways and both work.

--

Unai Castro

MCP Windows 2003, XP, Exchange 2003