SafeGuard user certificates are expiring

As the title says, our user certificates are coming up on expiration date soon. Mine personally has already expired (my MSO is another user). 

1) If we do not use file encryption, is there a consequence of certificates expiring?


2) I looked at auto-renewal of user certificates. The task (mentioned in the article below) that renews soon-to-expire certs fails. There is no log file to review. Please advise! https://support.sophos.com/support/s/article/KB-000034729?language=en_US

(I have already applied the msoledbsql MSI update and updated the script.)

Thank you



  • Hello! I run this script on my server and it works well. Have you changed the name of your DB instance so that it corresponds with your environment?

    There aren't any massive consequences of the certs expiring if you're disk encryption only (as am I) but 2 issues...

    1 - Users WILL see a cert warning when they log onto the machine like this...

    2 - Management console users WILL get locked out of the console if their cert expires

    So best to renew them. This is easy to do manually follow these steps

    • SSG Console 
    • Keys and Certs
    • Assigned Certs
    • Subject - enter username
    • Click Search
    • Select User Cert
    • Check Renew checkbox
    • Click Save

     

    Next time client/workstation syncs with SSG user cert will be renewed fully. You could also NOT select a user, click Search and this will display ALL certs. You can then order by renew and select "renew" checkbox for a bunch of users and click save.

    So - best to do this ASAP before users get the warning on their SSG workstations, or worse still you lock users out of the console. I would try again to get the script working - it does work and works well but you MUST edit the SQL instance so it can connect to your server. If you have SQL on another server/vm then you might need to add the username too.

    Also note - you may need to set this all up as MSO (if you still have a working MSO account?).

    Give me a shout if you get stuck - I've only just done this task a few months ago so quite fresh in my mind!

  • Thanks Michael,

    Good to know about the consequences. We are still functioning and my MSO is doing just fine.

    Our SafeGuard server runs its own SQL, and our AD sync scheduled jobs run fine. It's just the CertRenew script that fails. I've changed only the Server name and DB name values, and I've tried every combination of Server name I can think of (Server\Instance, Server.FQDN, Server). I'm thinking it might be easiest just to renew all manually.

    There are already some expired certs -- what is the process for that, delete the cert and have the system recreate it when the user authenticates?

  • In that case I would double check you've included the username and password to connect to the SQL server from the management console. Mine is configured this way too - it won't connect without it. If your security is hardened too you'd expect this.

    Dim strDBServerName : strDBServerName = "myserver.co.uk\SSGDBName01" 'Machine name of the SQL Server

    oConn.ConnectionString = "Provider=SQLOLEDB;Initial Catalog=" & strSGNDBName & ";Data Source=" & strDBServerName & ";User Id=username1;Password=Password2"

    These are my entries/mods to the VBS script that work. 

    You should see your path in the config selection that comes up when you launch the console

    You can also get your DB user and details from the Tools  -Options - Database tab. Note this DB tab is ONLY visible if you log in with an MSO account - most "normal" accounts won't see this tab.
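When the renewal script fails silently, the quickest way to tell a bad Data Source from a bad login is to test the connection string on its own. The script below is an added example, not Sophos' renewal script or any part of the KB article; it reuses the `strDBServerName` / `strSGNDBName` / `oConn.ConnectionString` pattern quoted in the reply above and prints the ADO error instead of swallowing it. The server name, database name and credentials are placeholders to be replaced with the values shown in Tools - Options - Database.

```vbscript
' Added example: stand-alone ADO connectivity check for the SafeGuard database.
' Not part of Sophos' CertRenew script. All server, database and login values
' below are placeholders; copy them from Tools - Options - Database in the console.
Option Explicit
On Error Resume Next

Dim strDBServerName : strDBServerName = "myserver\SSGINSTANCE"  ' placeholder: Server\Instance (or FQDN)
Dim strSGNDBName    : strSGNDBName    = "SafeGuard"             ' placeholder: database name
Dim strUser         : strUser         = "sgn_dbuser"            ' placeholder: SQL login the console uses
Dim strPassword     : strPassword     = "CHANGE_ME"             ' placeholder

' Same provider string as the reply above; if your updated script uses the
' Microsoft OLE DB Driver installed by the msoledbsql MSI, use Provider=MSOLEDBSQL here too.
Dim oConn : Set oConn = CreateObject("ADODB.Connection")
oConn.ConnectionTimeout = 15
oConn.ConnectionString = "Provider=SQLOLEDB;Initial Catalog=" & strSGNDBName & _
    ";Data Source=" & strDBServerName & ";User Id=" & strUser & ";Password=" & strPassword
oConn.Open

' Report the real error text rather than failing silently like a scheduled task does
If Err.Number <> 0 Then
    WScript.Echo "Connection FAILED: " & Err.Description & " (0x" & Hex(Err.Number) & ")"
    WScript.Quit 1
End If
WScript.Echo "Connected to " & strDBServerName & " / " & strSGNDBName

' Confirm which login, server and database were actually reached
Dim oRS : Set oRS = oConn.Execute( _
    "SELECT SUSER_SNAME() AS LoginName, @@SERVERNAME AS ServerName, DB_NAME() AS DbName")
If Err.Number <> 0 Then
    WScript.Echo "Query FAILED: " & Err.Description
    oConn.Close
    WScript.Quit 1
End If
WScript.Echo "Login=" & oRS("LoginName") & "  Server=" & oRS("ServerName") & "  Db=" & oRS("DbName")
oRS.Close
oConn.Close
WScript.Echo "OK"
```

Run it from an elevated prompt on the SafeGuard server with `cscript //nologo sgn_dbcheck.vbs` so the output lands in the console window. A "provider cannot be found" error points at the OLE DB driver install, "login failed for user" at the credentials, and a network/instance-not-found error at the Data Source value (Server\Instance versus FQDN). Because the file holds a SQL password in clear text, keep it in an administrator-only folder and delete it once the renewal task is working.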