SMC keeps using old ssl certificate

Hi Sophos,

Our old SSL certificate is only valid for one more day.

So we bought a SAN certificate with multiple domain names in it. Domain name is listed.

We logged in as superadministrator and uploaded the new certificate.
Also we removed the old certificate.
After that we restarted the server.
When we log on to the website then the old certificate is still in use.

Is there a way to upload our new certificate to the Sophos Mobile Control server?

  • Hi,

    Uploading the certificate at the "SSL" tab only updates the certificate hashes necessary for the client communication.

    To update the certificate the Sophos Mobile Control server is using, follow these steps:

    1. Connect to the operating system where Sophos Mobile Control is installed
    2. Run the "Configuration Wizard" of Sophos Mobile Control
    3. When asked, stop the Sophos Mobile Control Service
    4. In the Configuration Wizard, click "Next"
    5. Within the "Database Type Selection" keep the "Skip database configuration" and click "Next"
    6. Mark the checkbox next to "Configure server certificate" within the "Choose configuration steps" view and click "Next"
    7. Enable the radio button for "Import a certificate from a trusted issuer"
    8. Depending on the certificate format you have, select the option suitable for you from the dropdown box and click "Next"
    9. Select the necessary files and enter the corresponding password. Click "Next"
    10. If the password and certificate are correct the certificate will be imported. The "Server Information" page will be shown
    11. Complete the Configuration Wizard and restart the service when asked
    12. The new certificate will now be used for the Sophos Mobile Control web console and Self Service Portal

    Hope this helps.

    Best regards
    Stefan

  • Hi,

    We followed the description above and everything seemed to be fine. We installed a personal certificate created from our SAN certificate.

    But when we tried to login, we immediately noticed that the certificate was still expired on the website.

    When we logged into the admin console, we saw that the old certificate was still enabled.
    We removed the old certificate and then restarted the whole server.
    After a restart it still showed the old certificate. Then we went into the admin console, removed all certificates from the SSL tab and did an auto discovery.
    After that it showed us only the old certificate and not the new one.
    Then we started to dig a bit deeper.
    In the log file jboss\server\mdm\log\install_wizard.log we found these lines:

    ***install_wizard.log start****
    [2016-04-15 8:35:36] ImportPkcs12Cert
    [2016-04-15 8:35:36] CreateCert
    [2016-04-15 8:35:36] ChooseCert
    [2016-04-15 8:35:45] ChooseCertLeave
    [2016-04-15 8:35:45] CertificateType importpkcs12
    [2016-04-15 8:35:45] CreateCert
    [2016-04-15 8:35:45] ImportPkcs12Cert
    [2016-04-15 8:36:06] ImportPkcs12CertLeave
    [2016-04-15 8:36:06] Using D:\Sophos\Certificaten\2016\xxx.xxxxxx.xxpfx
    [2016-04-15 8:36:06] 'C:\Program Files\Java\jdk1.8.0_25\bin\keytool' -list -storetype PKCS12 -keystore 'D:\Sophos\Certificaten\2016\xxx.xxxxxx.pfx' -storepass '****'
    [2016-04-15 8:36:09] Keytool returns OK:
    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    le-8af99183-ba99-48f4-a0df-5fa3c5b0531f, 15-apr-2016, PrivateKeyEntry,
    Certificate fingerprint (SHA1): 28:5C:D4:04:5A:CE:A4:83:A3:48:0A:3A:3E:36:FB:2A:46:BE:8E:B1

    [2016-04-15 8:36:09] CopyFiles 'D:\Sophos\Certificaten\2016\xxx.xxxxxx.pfx' 'D:\Program Files (x86)\Sophos\Sophos Mobile Control\jboss\server\mdm\conf\xxx.xxxxxx.pfx'
    [2016-04-15 8:36:09] Copy file OK.
    [2016-04-15 8:36:09] Delete "D:\Program Files (x86)\Sophos\Sophos Mobile Control\jboss\server\mdm\conf\keystore.password"
    [2016-04-15 8:36:10] Keystore.password created successfully:
    [2016-04-15 8:36:10] Size of keystore.password: 28 (1 )
    [2016-04-15 8:36:10] Set Keystore in security-service.xml
    [2016-04-15 8:36:10] Size of security-service.xml: 675 (1 )
    [2016-04-15 8:36:10] Attributes of security-service.xml: ARCHIVE
    [2016-04-15 8:36:10] Last modification of security-service.xml: Date=2016-04-15 Time=7:52:51
    [2016-04-15 8:36:10] Size of security-service.xml: 675 (1 )
    [2016-04-15 8:36:10] Attributes of security-service.xml: ARCHIVE
    [2016-04-15 8:36:10] Last modification of security-service.xml: Date=2016-04-15 Time=8:36:10
    [2016-04-15 8:36:10] Done
    [2016-04-15 8:36:10] ImportCertFiles
    [2016-04-15 8:36:10] HTTP Proxy
    [2016-04-15 8:36:10] ShowServerDetails
    [2016-04-15 8:36:10] Starting progress
    [2016-04-15 8:36:10] java GetSystemTimeZone
    [2016-04-15 8:36:10] 0 Europe/Berlin
    [2016-04-15 8:36:10] NumberOfClients from file: /* 200 */

    ***install_wizard.log end****


    On a client we sent the log file, and the client is giving these errors:

    ****smc.log start*****
    Exception: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Wed Apr 13 09:11:30 CEST 2016 (compared to Fri Apr 15 08:41:28 CEST 2016)
    REST; 2016/04/15 08:41:28; E; Cloud sync failed. Cannot post sync package. HTTPStatus: 503
    CORE; 2016/04/15 08:41:28; I; rescheduling synchronization with delay of 1800 seconds for 'Fri Apr 15 09:11:28 CEST 2016'
    CORE; 2016/04/15 08:41:28; I; inserted command='Command [type='Synchronize', transitionId='-1', commandId='115', delay='1800', parameter=[]]' in queue.
    CORE; 2016/04/15 08:41:28; I; Command executed: SynchronizeRest id: 114 Result: -500
    CORE; 2016/04/15 08:41:28; I; inserted command='Command [type='SynchronizeRest', transitionId='-1', commandId='116', delay='86400', parameter=[]]' in queue.
    CORE; 2016/04/15 08:41:54; I; inserted command='Command [type='SynchronizeRest', transitionId='-1', commandId='117', delay='null', parameter=[]]' in queue.
    CORE; 2016/04/15 08:41:54; I; Excuting command SynchronizeRest
    REST; 2016/04/15 08:41:55; W; Https request failed
    Exception: javax.net.ssl.SSLHandshakeException: com.android.org.bouncycastle.jce.exception.ExtCertPathValidatorException: Could not validate certificate: Certificate expired at Wed Apr 13 09:11:30 CEST 2016 (compared to Fri Apr 15 08:41:55 CEST 2016)
    REST; 2016/04/15 08:41:55; E; Cloud sync failed. Cannot post sync package. HTTPStatus: 503
    CORE; 2016/04/15 08:41:55; I; rescheduling synchronization with delay of 1800 seconds for 'Fri Apr 15 09:11:55 CEST 2016'
    CORE; 2016/04/15 08:41:55; I; inserted command='Command [type='Synchronize', transitionId='-1', commandId='118', delay='1800', parameter=[]]' in queue.
    CORE; 2016/04/15 08:41:56; I; Command executed: SynchronizeRest id: 117 Result: -500
    CORE; 2016/04/15 08:41:56; I; inserted command='Command [type='SynchronizeRest', transitionId='-1', commandId='119', delay='86400', parameter=[]]' in queue.
    CORE; 2016/04/15 08:42:09; I; inserted command='Command [type='SynchronizeRest', transitionId='-1', commandId='120', delay='null', parameter=[]]' in queue.
    CORE; 2016/04/15 08:42:09; I; Excuting command SynchronizeRest
    REST; 2016/04/15 08:42:09; W; Https request failed
    ***smc.log end***

    We are still stuck at the same issue and our clients (mobile phones) cannot be used.
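
A check for the symptom reported in this thread, added here as an example and not part of any poster's message or of Sophos tooling: it compares the SHA-1 fingerprint that `keytool -list` printed for the imported PKCS12 file with the fingerprint of the certificate the HTTPS listener actually presents. The function names, the port default and the command-line host argument are assumptions of this example.

```python
import hashlib
import re
import socket
import ssl
import sys

# `keytool -list` output copied from the install_wizard.log excerpt in the post above.
KEYTOOL_LIST_OUTPUT = """\
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

le-8af99183-ba99-48f4-a0df-5fa3c5b0531f, 15-apr-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 28:5C:D4:04:5A:CE:A4:83:A3:48:0A:3A:3E:36:FB:2A:46:BE:8E:B1
"""

FP_RE = re.compile(
    r"Certificate fingerprint \(SHA-?1\):\s*((?:[0-9A-Fa-f]{2}:){19}[0-9A-Fa-f]{2})"
)

def keystore_fingerprints(keytool_output):
    """SHA-1 fingerprints listed by keytool, upper-cased."""
    return [fp.upper() for fp in FP_RE.findall(keytool_output)]

def sha1_fingerprint(der_bytes):
    """Format the SHA-1 of a DER certificate the way keytool prints it."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def served_certificate_der(host, port=443, timeout=10):
    """Fetch the leaf certificate the listener presents, as DER bytes."""
    ctx = ssl.create_default_context()
    # Validation is off only so an expired certificate can still be read
    # for comparison; never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def served_matches_keystore(der_bytes, keytool_output):
    """True if the served certificate is one of the keystore's entries."""
    return sha1_fingerprint(der_bytes) in keystore_fingerprints(keytool_output)

if __name__ == "__main__" and len(sys.argv) > 1:
    # Hostname is supplied by the operator (assumption: the server's own FQDN).
    der = served_certificate_der(sys.argv[1])
    print("served  :", sha1_fingerprint(der))
    print("keystore:", keystore_fingerprints(KEYTOOL_LIST_OUTPUT))
    print("match   :", served_matches_keystore(der, KEYTOOL_LIST_OUTPUT))
```

A mismatch after the wizard has finished and the service has restarted means the listener is not serving the certificate from the imported keystore.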
