
Enterprise console4.5/client9.5 - all PCs greyed out and won't report back, Help please!!

I had to reinstall the console and it assigned itself a new certificate which was different to all the certificates on the existing clients (I was unable to back up). When I reprotected the clients from the new console it did not automatically dish out a new certificate.

How do I distribute the new certificate?

Note: We have far too many computers to reinstall Sophos on. Plus many remote users :(

Cheers



  • No problem, please let me know if it works out as I'm sure it could be useful for a few customers with a certification mismatch.

    I thought about adding an additional variable so it only ran on machines that had a mismatch, i.e. have a variable at the top called, for example, strCorrectRouterIdentityKey:

    strCorrectRouterIdentityKey = "qRS2iIVb8f5Ql3Y1SwJgOpB5vU0="

    The user would add their value as taken from the server key:

    HKLM\Sophos\Certification Manager\CertAuthStore\RouterKey

    That way when it is run on a client it would check the value the client had against that; if it was different it would carry on and do a re-init, so it would only run on clients with essentially a mismatched identity key.  It's not the end of the world if it does run on a working client, it just means they will request 2 new certificates, and it shouldn't do this more than once as it sets a flag to say it completed OK and prevents subsequent runs (unless the -force switch is passed).

    TBH the script is at the limit of the size of a message I can post, so close is it that I had to remove some of the comments so a new function would push it over the edge.

    It would be advisable to try it on a couple of clients first to ensure it works, especially if you decide to add your cac.pem and mrinit.conf into the script as variables, as that's where it's most likely to go wrong.

    Thanks,

    Jak

    Update:
    The script below has the new variable:

    strRouterCertIdentityKey 

    If set, the script will exit if the client already has the same value, to prevent the script running on machines which should be OK.  Either they were already OK or have already been fixed.  It just saves clients which should be OK requesting 2 new certificates.  Again, running the script with -force will skip this check and re-init the machine regardless.

    It should be set to contain the same string as found on the Sophos Management server in the following key:

    HKLM\Software\[WOW6432NODE]\Sophos\Certification Manager\CertAuthStore\RouterKey

    I've left my value in the script to show what it should look like, again this will need to be updated, my string will not work for you :)

    This script now has quite a few configuration options, it almost needs a HTA/Script to Auto Configure the script per install!

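The gating logic Jak describes (compare the client's RouterKey with the server's, skip clients that already match or were already fixed, honour -force), written out as a PowerShell example. This is an added example, not Jak's VBScript and not Sophos code; the flag key under HKLM:\SOFTWARE\ReinitExample is hypothetical, the script assumes it runs elevated (it writes to HKLM), and the re-init itself is passed in as a scriptblock because the post does not reproduce those steps.

```powershell
<#
  Added example (not the script from the post). Reads the client's RouterKey from
  the Sophos CertAuthStore key (native and WOW6432Node paths), compares it with
  the value copied from the management server and only runs the supplied
  re-init action when they differ. A completion flag prevents repeat runs
  unless -Force is given.
#>
[CmdletBinding()]
param(
    # Paste the server's RouterKey here; leave empty to disable the match check
    [string]$ExpectedRouterKey = '',
    # Operator-supplied re-init steps (e.g. dropping cac.pem / mrinit.conf in place)
    [scriptblock]$ReinitAction = { Write-Warning 'No -ReinitAction supplied; nothing changed.' },
    # Skip the flag and match checks and re-init regardless
    [switch]$Force
)

# 32-bit Sophos components on 64-bit Windows store their keys under WOW6432Node
$storePaths = @(
    'HKLM:\SOFTWARE\Sophos\Certification Manager\CertAuthStore',
    'HKLM:\SOFTWARE\WOW6432Node\Sophos\Certification Manager\CertAuthStore'
)
# Hypothetical location for the "completed OK" flag (not a Sophos key)
$flagPath = 'HKLM:\SOFTWARE\ReinitExample'
$flagName = 'RouterKeyReinitDone'

function Get-ClientRouterKey {
    foreach ($path in $storePaths) {
        $item = Get-ItemProperty -Path $path -Name RouterKey -ErrorAction SilentlyContinue
        if ($item -and $item.RouterKey) { return [string]$item.RouterKey }
    }
    return $null
}

function Test-ReinitDone {
    $item = Get-ItemProperty -Path $flagPath -Name $flagName -ErrorAction SilentlyContinue
    return [bool]($item -and $item.$flagName -eq 1)
}

function Set-ReinitDone {
    New-Item -Path $flagPath -Force | Out-Null
    Set-ItemProperty -Path $flagPath -Name $flagName -Value 1 -Type DWord
}

if (-not $Force) {
    if (Test-ReinitDone) {
        Write-Host 'Re-init already completed on this client; use -Force to repeat.'
        exit 0
    }
    $clientKey = Get-ClientRouterKey
    if (-not $clientKey) {
        Write-Host 'No RouterKey found under either CertAuthStore path; is the client installed?'
        exit 1
    }
    # RouterKey is base64, so compare case-sensitively (-eq would ignore case)
    if ($ExpectedRouterKey -and ($clientKey -ceq $ExpectedRouterKey)) {
        Write-Host "RouterKey already matches the server value; nothing to do."
        exit 0
    }
    Write-Host "RouterKey mismatch (client: $clientKey); running re-init."
}

& $ReinitAction
Set-ReinitDone
```

Run it with -ExpectedRouterKey set to the string taken from the server's RouterKey value and a -ReinitAction that performs your actual fix; try it on a couple of clients first, as the post advises, and use -Force only when you want a client re-initialised even though its key already matches or the flag is set.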