Shavlik Protect Console Certificates

Version 13

    Purpose

     

    This article is intended to provide basic information about Shavlik Protect console certificate and the first steps to troubleshoot issues thanks to the tool STMgmt.exe

     

    Symptoms

     

    Certificates information

     

    When a Protect Console is installed for the first time, the installation process generates a public/private key pair and associates the public key with new a certificate named “ST Root Authority”. This certificate is added to the operating system as a Trusted Root Certification Authority for the Computer Account. The operating system stores the private key associated with this certificate in an encrypted state.

     

    A “Console Certificate” is also created by generating another public/private key pair and associating the public key with a new certificate. In addition to the public key, the Console Certificate also contains details unique to the console (e.g. computer name/DNS name, etc). The Console Certificate is digitally signed by the “ST Root Authority” certification authority. The name of the Console Certificate is the Protect Console’s “ConsoleId” – a Globally Unique Identifier (GUID) having the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where x represents a hexadecimal digit (0-9a-f). The operating system stores the private key associated with the Console Certificate in an encrypted state.

     

    Resolution

     

    Troubleshoot Console certificates issues

     

    Protect ships with a tool called “STMgmt.exe”. This tool is useful for diagnosing and correcting various certificate issues that might arise when changes to the Protect Console’s environment occur.

     

    This tool is located in the installation path of the product program files and by default resides in C:\Program Files\LANDESK\Shavlik Protect.

     

    Command: STMgmt.exe -test_console

     

    STMgmt.exe supports a command known as “-test_console”. This command will inspect the current console configuration (relating to certificates) and provide feedback indicating which tests passed or failed. If a user executes the command “STMgmt.exe -test_console” after Protect has been installed, a successful installation will indicate that all tests have passed.

     

    Command: STMgmt.exe -renew_console

     

    Changing the console’s computer name or domain membership after Protect has been installed introduces a discrepancy between the computer’s new name/DNS name and the Console Certificate that was issued prior to the change. STMgmt.exe supports a command known as “-renew_console”. This command will replace the existing Console Certificate with a new certificate that contains the correct, updated information.

    After executing the “-renew_console” command, run the “-test_console” command to confirm that all the tests passed.

     

    If “-reissue_console” fails with Keyset does not exist

     

    If the Protect Console has been installed as part of a disk image that is used for deployment, often part of the deployment process involves generating a new unique Windows Security Identifier (SID) for each system that is cloned from the disk image. The value of the SID is factored into the operating system’s algorithm for decrypting the private keys of certificates it secures. After the SID has been changed, the operating system can no longer access the private keys for certificates and will produce the Keyset does not exist error when attempting to use the “-reissue_console” command.

    To resolve this situation, a new public/private key pair must be generated for both a new “ST Root Authority” and a new “Console Certificate”

     

    Command: STMgmt.exe -root

     

    ST.ServiceHost log shows SSL/TLS errors :

     

    Could not establish trust relationship for the SSL/TLS secure channel with authority

     

    This indicates the remote certificate is invalid according to the validation procedure.

     

         1. Open a command prompt and run the following commands:

    • stmgmt.exe -root
    • stmgmt.exe -console_installation -id"consoleID"
      • For example: stmgmt.exe -console_installation -id"3abcd297-b2f4-4eb8-9c57-19c9d09650b8"
      • The consoleID is locate in the C:\Program Files\LANDesk\Shavlik Protect\STEnvironment.config (search for 'consoleID')

         2. Restart the Protect services and verify the issue has been corrected.

     

    Additional Information

     

    How to update Root Certificate information: Correcting Issues Caused by out of Date Root Certificates

    Managing certificates (exporting, importing, copying): Managing Certificates : Exporting, Importing & Copying