Recertify SMC servers

You must renew SMC server certificates when the certificates are about to expire or have expired.

The following situations require you to renew SMC server certificates:

  • A message indicates that the certificate of a Management Server, Log Server, or Web Portal Server is about to expire or has expired.
  • A message indicates that the certificate authority that signed the certificate of a Management Server, Log Server, or Web Portal Server is about to expire. A new certificate authority has been created, and the server requires a new certificate.
  • The SMC components refuse communication attempts with each other.

If the Management Server certificate expires, it is not possible to log on using the Management Client. Log Server certificate expiration or loss prevents log browsing, reporting, and status monitoring from working correctly, and forces the engines to spool logs locally.

You can renew the certificates of any of the SMC servers without affecting the other components.

When administrators log on to the Management Client or to the Web Portal for the first time after the server’s certificate is changed, they receive a notification of the certificate fingerprint change on the Management Server or Web Portal Server. If you want to check the certificate fingerprint before accepting it, run the sgShowFingerprint command on the server.
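The fingerprint prompt above is only useful if an administrator can compare it with the value reported by sgShowFingerprint on the server. The following Python script is an added example (not Forcepoint code and not part of this page's procedure): it computes a certificate fingerprint from a PEM or DER file, or from the certificate a TLS endpoint presents, and compares it with an expected value regardless of whether that value uses colons, spaces or lower case. It assumes sgShowFingerprint prints a hex digest of the DER encoding (the SHA-1 and SHA-256 variants are both computed so either can be compared), and the embedded sample is constructed stand-in data, not a real certificate.

```python
import base64
import hashlib
import re
import ssl

# Constructed stand-in: the base64 body decodes to the bytes b"abc", not to a real
# certificate. The functions below only hash the decoded DER bytes, so a real PEM
# certificate exported from an SMC server is handled exactly the same way.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "YWJj\n"
    "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def to_der(cert):
    """Return the DER bytes of a certificate given as PEM text, PEM bytes or raw DER."""
    if isinstance(cert, bytes):
        if cert.startswith(b"-----BEGIN"):
            cert = cert.decode("ascii")
        else:
            return cert  # already DER encoded
    m = _PEM_RE.search(cert)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def fingerprint(der, algorithm="sha256"):
    """Hex fingerprint of the DER encoding, colon separated, e.g. 'AB:CD:...'."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp):
    """Drop separators and case so fingerprints in different layouts compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprint_matches(cert, expected, algorithm="sha256"):
    """True if the certificate's fingerprint equals the expected value in any layout."""
    return normalize(fingerprint(to_der(cert), algorithm)) == normalize(expected)


def live_server_fingerprint(host, port, algorithm="sha256"):
    """Fetch the certificate a TLS endpoint presents and return its fingerprint.

    Assumption: host and port are the address the Management Client connects to;
    this helper needs network access and is not used by the offline sample run.
    """
    pem = ssl.get_server_certificate((host, port))
    return fingerprint(to_der(pem), algorithm)


if __name__ == "__main__":
    der = to_der(SAMPLE_PEM)
    for algo in ("sha1", "sha256"):
        print(algo, fingerprint(der, algo))
```

Run it with the certificate exported from the recertified server (or point live_server_fingerprint at the server's connection address) and pass the value printed by sgShowFingerprint as the expected fingerprint; a mismatch means the client is being shown a certificate that the server's own tooling did not report.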

Steps

  1. Stop the SMC server you want to recertify.
    Note: To certify a Log Server or a Web Portal Server, the Management Server must be running and accessible through the network.
  2. On the command line of the server that you want to certify, go to the <installation directory>/bin folder.
    Note: If you installed the SMC in the C:\Program Files\Forcepoint\SMC directory in Windows, command-line scripts can be found in the C:\Program Files\Forcepoint\SDWAN Manager\bin directory.
  3. To recertify a Management Server, run the following script:
    sgCertifyMgtSrv.[bat|sh]
  4. To certify an additional Management Server, follow these steps.
    1. Verify that the active Management Server is running and that the additional Management Server has a connection to the active Management Server.
    2. Stop the additional Management Server.
    3. Run the following script on the additional Management Server:
      sgCertifyMgtSrv.[bat|sh] -standby
    The management database is replicated to the additional Management Server during the certification.
  5. To recertify a Log Server, run the following script:
    sgCertifyLogSrv.[bat|sh]
  6. To recertify a Web Portal Server, run the following script:
    sgCertifyWebPortalSrv.[bat|sh]
  7. If prompted in the recertification dialog box, authenticate using an SMC administrator account with unrestricted (superuser) permissions.
    Note: Do not enter the credentials for the root account for command line access.
    If there are multiple administrative Domains, you can also specify the Domain the Log Server or the Web Portal Server belongs to. If you do not specify the Domain, the Shared Domain is used.
  8. Make sure that the Recertify an Existing Server option is selected, and that the correct server is selected in the list.
  9. Click OK, then wait for confirmation that the server certificate has been renewed.
  10. Start the SMC server that you recertified.
    When you restart the server, all other components accept the new certificate because it is issued by a certificate authority that they trust. SMC components only trust the internal certificate authority that issued their own certificate.