Depending on the version of Enterprise Console originally installed, the certificate authority algorithm will be MD5, SHA1 or SHA256.
As detailed in the article "Sophos Enterprise Console: Use of SHA-2 certificates and TLS1.2 protocol", the Sophos Message Router, Sophos Management Service and Sophos Certification Manager will all upgrade and use SHA256, but the root certificate in the system (cac.pem), provided by the Certificate Authority (CA), will not be renewed or upgraded.
This does not affect functionality or performance; however, you may have a requirement to upgrade the root certificate to the SHA256 algorithm.
This article provides information on how to upgrade the certificate authority installed with Enterprise Console.
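To confirm which of the three algorithms a given cac.pem uses, before and after the procedure, the signature algorithm can be read straight from the file. The following is an added example, not Sophos tooling; the function name Get-CacSignatureAlgorithm is hypothetical, and it assumes cac.pem is a PEM-encoded X.509 certificate located in the Enterprise Console directory named in this article.

```powershell
# Added example (not part of the original article or of Sophos tooling).
# Assumptions: cac.pem is a PEM-encoded X.509 certificate, and the paths
# passed in are where your installation keeps its copies.
function Get-CacSignatureAlgorithm {
    param(
        [Parameter(Mandatory)]
        [string[]]$Path
    )

    # RSA signature algorithm OIDs for the three cases the article names.
    $known = @{
        '1.2.840.113549.1.1.4'  = 'MD5'
        '1.2.840.113549.1.1.5'  = 'SHA1'
        '1.2.840.113549.1.1.11' = 'SHA256'
    }

    foreach ($p in $Path) {
        $row = [ordered]@{ Path = $p; Algorithm = $null; IsSha256 = $false; NotAfter = $null }

        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            $row.Algorithm = 'file not found'
        }
        else {
            try {
                $file = (Resolve-Path -LiteralPath $p).ProviderPath
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
                $oid  = $cert.SignatureAlgorithm.Value

                # Fall back to the Windows friendly name for any other algorithm.
                if ($known.ContainsKey($oid)) { $row.Algorithm = $known[$oid] }
                else { $row.Algorithm = $cert.SignatureAlgorithm.FriendlyName }

                $row.IsSha256 = ($oid -eq '1.2.840.113549.1.1.11')
                $row.NotAfter = $cert.NotAfter
            }
            catch {
                $row.Algorithm = "unreadable: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

# Usage with the two Enterprise Console directories from this article
# (the cac.pem location inside them is an assumption).
Get-CacSignatureAlgorithm -Path @(
    'C:\Program Files\Sophos\Enterprise Console\cac.pem',
    'C:\Program Files (x86)\Sophos\Enterprise Console\cac.pem'
) | Format-Table -AutoSize
```

Any row where IsSha256 is False after the procedure points to a copy of the old root certificate that is still in place.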
Important: Once the original root certificate has been removed and a new SHA256 certificate has been put in its place, communication between managed endpoints and the Management Server is not possible until the endpoints have been either re-protected or re-initialized with the new certificate. It is therefore recommended to prepare for the update process and have ample time available to update all endpoints.
C:\Program Files\Sophos\Enterprise Console\
C:\Program Files (x86)\Sophos\Enterprise Console\
.\ServerInit -logpath "$env:temp" -installpath "C:\Program Files\Sophos\Enterprise Console\"
.\ServerInit -logpath "$env:temp" -installpath "C:\Program Files (x86)\Sophos\Enterprise Console\"
.\CreateInitFile -filepath "C:\Program Files\Sophos\Enterprise Console" -srcfile "C:\Program Files\Sophos\Enterprise Console\srcinit.conf" -logpath "$env:temp" -installpath "C:\Program Files\Sophos\Enterprise Console"
.\CreateInitFile -filepath "C:\Program Files (x86)\Sophos\Enterprise Console" -srcfile "C:\Program Files (x86)\Sophos\Enterprise Console\srcinit.conf" -logpath "$env:temp" -installpath "C:\Program Files (x86)\Sophos\Enterprise Console"
Note: If the system configuration includes message relays, please refer to knowledge base article 14635 for the additional steps regarding cac.pem and mrinit.conf in such a setup.
C:\ProgramData\Sophos\Update Manager\Update Manager\CIDs\Sxxx\SAVSCFXP\
C:\Program Files\Sophos\Update Manager\
C:\Program Files (x86)\Sophos\Update Manager\
C:\Program Files\Sophos\Enterprise Console\SUMInstaller.
C:\Program Files (x86)\Sophos\Enterprise Console\SUMInstaller.
\Remote Management System\CertificationIdentityKeys\
\Remote Management System\\ManagementAgent\Private\
Method 1 – Re-protect the managed computers
Method 2 – Use the Endpoint Migration Utility