clm users certificates expiration


Unai Castro

Hello,

What happens when the CLM users' (clmagent, clmkragent and clmenrollagent)
certificates expire? Can CLM renew these users' certificates, or do I need to
request renewal for these users?

Regards,
--
Unai Castro
MCP Windows 2003, XP, Exchange 2003
 
There are two different ways used:
1) Verify that the clm.config.exe.config file references the correct CSP
used for the agent certificates (You may change it if using an HSM to
protect the keys). Then run the configuration wizard again. This does
involve retyping all agent passwords, but will issue new certificates for
the three agent accounts. The wizard will update the web.config file. You
will have to verify that the correct KRA certificate is available at all
enterprise CAs in the environment (and may have to delete the
expired/expiring certificate).

2) Log in as each clmAgent and renew the certificate manually. Once renewed,
you must update the web.config file with the new thumbprint of the new
certificates. Only the clmenrollagent and clmagent accounts have references
in the web.config file. The key is to search for the words "hash" and
"hashes". In the case of "hash", replace the current value with the new
thumbprint (removing the spaces). In the case of "hashes", add the new
thumbprint (removing the spaces), separated by commas (may be semi-colons,
check the comments above the line).

HTH,
Brian

"Unai Castro" <UnaiCastro@discussions.microsoft.com> wrote in message
news:BD16F15E-2D0E-4719-96B1-441F5723552B@microsoft.com...
> Hello,
>
> What happens when the CLM users' (clmagent, clmkragent and clmenrollagent)
> certificates expire? Can CLM renew these users' certificates, or do I need to
> request renewal for these users?
>
> Regards,
> --
> Unai Castro
> MCP Windows 2003, XP, Exchange 2003
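
The manual web.config update from option 2 above, sketched in PowerShell as an added example (not code from this thread or from CLM). The key names and thumbprints are constructed placeholders, and it assumes the entries are `<add key="..." value="..."/>` elements under `appSettings`; check the comments in your own web.config for the separator.

```powershell
# Added example: key names and thumbprints are constructed placeholders, not real CLM values.
function ConvertTo-CleanThumbprint([string]$Raw) {
    # Keep hex digits only: drops spaces and the invisible U+200E mark that can
    # come along when a thumbprint is copied from the certificate dialog.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Not a 40-hex-digit SHA-1 thumbprint: '$Raw'" }
    return $clean
}

function Update-ThumbprintSetting([xml]$Config, [string]$OldThumbprint, [string]$NewThumbprint) {
    $oldTp = ConvertTo-CleanThumbprint $OldThumbprint
    $newTp = ConvertTo-CleanThumbprint $NewThumbprint
    $changed = @()
    foreach ($node in $Config.SelectNodes('//appSettings/add')) {
        $key   = $node.GetAttribute('key')
        $value = $node.GetAttribute('value')
        if ($key -match 'hashes$') {
            # List entry: keep whichever separator the file already uses, append once.
            $sep   = if ($value.Contains(';')) { ';' } else { ',' }
            $items = @($value.Split($sep) | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            if (($items -contains $oldTp) -and ($items -notcontains $newTp)) {
                $node.SetAttribute('value', (($items + $newTp) -join $sep))
                $changed += $key
            }
        } elseif (($key -match 'hash$') -and ($value.Trim() -eq $oldTp)) {
            # Single entry: replace only where it still names the certificate being
            # retired, so the other agent's entry is left alone.
            $node.SetAttribute('value', $newTp)
            $changed += $key
        }
    }
    return $changed
}

# Constructed sample input (hypothetical key names).
$oldTp  = 'A1' * 20
$other  = 'C3' * 20
$copied = "$([char]0x200E)" + ((@('b2') * 20) -join ' ')   # as pasted, with spaces
$sample = [xml]@"
<configuration><appSettings>
  <add key="Example.Agent.Certificate.Hash" value="$oldTp" />
  <add key="Example.EnrollAgent.Certificate.Hash" value="$other" />
  <add key="Example.Valid.Certificates.Hashes" value="$oldTp,$other" />
</appSettings></configuration>
"@
Update-ThumbprintSetting $sample $oldTp $copied    # lists the keys that were changed
$sample.SelectNodes('//appSettings/add') |
    ForEach-Object { '{0} = {1}' -f $_.GetAttribute('key'), $_.GetAttribute('value') }
```

Against a real file, load it with `[xml](Get-Content <path>)`, keep a backup copy, and write the result back with `$xml.Save(<path>)`.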
 
On Sun, 30 Mar 2008 02:39:00 -0700, Unai Castro wrote:

> What happens when the CLM users' (clmagent, clmkragent and clmenrollagent)
> certificates expire? Can CLM renew these users' certificates, or do I need to
> request renewal for these users?


CLM actually doesn't manage these certificates. If you think about it, it
can't, since the certificates are issued before your CLM deployment is
functioning. You need to manually renew these certificates outside of CLM
and then update web.config with the new thumbprints for the clmAgent and
clmEnrollAgent certificates.


--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
A list is only as strong as its weakest link. -- Don Knuth
 
Thank you Paul. I thought that the CLM server requests certificate renewal like
when it's configured the first time.
--
Unai Castro
MCP Windows 2003, XP, Exchange 2003


"Paul Adare" wrote:

> On Sun, 30 Mar 2008 02:39:00 -0700, Unai Castro wrote:
>
> > What happens when the CLM users' (clmagent, clmkragent and clmenrollagent)
> > certificates expire? Can CLM renew these users' certificates, or do I need to
> > request renewal for these users?
>
> CLM actually doesn't manage these certificates. If you think about it, it
> can't, since the certificates are issued before your CLM deployment is
> functioning. You need to manually renew these certificates outside of CLM
> and then update web.config with the new thumbprints for the clmAgent and
> clmEnrollAgent certificates.
>
>
> --
> Paul Adare
> MVP - Virtual Machines
> http://www.identit.ca
> A list is only as strong as its weakest link. -- Don Knuth
>
 
On Sun, 30 Mar 2008 11:20:01 -0700, Unai Castro wrote:

> Thank you Paul. I thought that the CLM server requests certificate renewal like
> when it's configured the first time.


It will if you rerun the Configuration Wizard.

--
Paul Adare
MVP - Virtual Machines
http://www.identit.ca
Hackers have kernel knowledge.
 
Thank you Brian. I tested the two ways and both work.

--
Unai Castro
MCP Windows 2003, XP, Exchange 2003


"Brian Komar (MVP)" wrote:

> There are two different ways used:
> 1) Verify that the clm.config.exe.config file references the correct CSP
> used for the agent certificates (You may change it if using an HSM to
> protect the keys). Then run the configuration wizard again. This does
> involve retyping all agent passwords, but will issue new certificates for
> the three agent accounts. The wizard will update the web.config file. You
> will have to verify that the correct KRA certificate is available at all
> enterprise CAs in the environment (and may have to delete the
> expired/expiring certificate).
>
> 2) Log in as each clmAgent and renew the certificate manually. Once renewed,
> you must update the web.config file with the new thumbprint of the new
> certificates. Only the clmenrollagent and clmagent accounts have references
> in the web.config file. The key is to search for the words "hash" and
> "hashes". In the case of "hash", replace the current value with the new
> thumbprint (removing the spaces). In the case of "hashes", add the new
> thumbprint (removing the spaces), separated by commas (may be semi-colons,
> check the comments above the line).
>
> HTH,
> Brian
>
> "Unai Castro" <UnaiCastro@discussions.microsoft.com> wrote in message
> news:BD16F15E-2D0E-4719-96B1-441F5723552B@microsoft.com...
> > Hello,
> >
> > What happens when the CLM users' (clmagent, clmkragent and clmenrollagent)
> > certificates expire? Can CLM renew these users' certificates, or do I need to
> > request renewal for these users?
> >
> > Regards,
> > --
> > Unai Castro
> > MCP Windows 2003, XP, Exchange 2003

>
>
 