Test And Renew Patch For Windows Console Certificates

Version 15



    This article provides basic information about the Patch for Windows console certificates and the first steps for troubleshooting certificate issues with the STMgmt.exe tool.





    Certificates information


    When a Protect Console is installed for the first time, the installation process generates a public/private key pair and associates the public key with a new certificate named “ST Root Authority”. This certificate is added to the operating system as a Trusted Root Certification Authority for the Computer Account. The operating system stores the private key associated with this certificate in an encrypted state.


    A “Console Certificate” is also created by generating another public/private key pair and associating the public key with a new certificate. In addition to the public key, the Console Certificate also contains details unique to the console (e.g. computer name/DNS name, etc). The Console Certificate is digitally signed by the “ST Root Authority” certification authority. The name of the Console Certificate is the Protect Console’s “ConsoleId” – a Globally Unique Identifier (GUID) having the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where x represents a hexadecimal digit (0-9a-f). The operating system stores the private key associated with the Console Certificate in an encrypted state.





    Troubleshoot Console certificates issues


    Protect ships with a tool called “STMgmt.exe”. This tool is useful for diagnosing and correcting various certificate issues that might arise when changes to the Protect Console’s environment occur.


    This tool is located in the installation path of the product program files and by default resides in C:\Program Files\LANDESK\Shavlik Protect.


    Command: STMgmt.exe -test_console


    STMgmt.exe supports a command known as “-test_console”. This command inspects the current console configuration (as it relates to certificates) and reports which tests passed or failed. Running “STMgmt.exe -test_console” on a console that was installed successfully should report that all tests have passed.


    Command: STMgmt.exe -renew_console


    Changing the console’s computer name or domain membership after Protect has been installed introduces a discrepancy between the computer’s new name/DNS name and the Console Certificate that was issued prior to the change. STMgmt.exe supports a command known as “-renew_console”. This command will replace the existing Console Certificate with a new certificate that contains the correct, updated information.

    After executing the “-renew_console” command, run the “-test_console” command to confirm that all the tests passed.


    If “-reissue_console” fails with “Keyset does not exist”


    If the Protect Console has been installed as part of a disk image that is used for deployment, the deployment process often generates a new unique Windows Security Identifier (SID) for each system that is cloned from the disk image. The value of the SID is factored into the operating system’s algorithm for decrypting the private keys of the certificates it secures. After the SID has been changed, the operating system can no longer access the private keys for those certificates and will produce the “Keyset does not exist” error when the “-reissue_console” command attempts to use them.

    To resolve this situation, a new public/private key pair must be generated for both a new “ST Root Authority” and a new “Console Certificate”.
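    The following PowerShell script is an added diagnostic example; it is not part of this article and is not code from STMgmt.exe. It checks, from the certificate store, the state the article describes for a healthy console (root in the computer's Trusted Root store, a GUID-named Console Certificate issued by that root, a private key that can actually be used, and a DNS name that still matches this computer) and surfaces the two failure modes above: a renamed or re-domained computer (what “-renew_console” corrects) and a private key that fails with “Keyset does not exist” after a SID change. The store location LocalMachine\My for the Console Certificate, the exact subject string “CN=ST Root Authority”, and the DNS name being carried in the Subject Alternative Name extension are assumptions; run it from an elevated session so the LocalMachine private keys are accessible.

```powershell
# Added diagnostic example; not from the article and not the code of STMgmt.exe.
# Assumptions (not stated in the article): the Console Certificate is in the
# LocalMachine\My store, the root's subject is exactly "CN=ST Root Authority",
# and the console's DNS name is in the Subject Alternative Name extension.
# Run from an elevated PowerShell session.

$RootSubject = 'CN=ST Root Authority'
$GuidPattern = '^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$'

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Subject Alternative Name (OID 2.5.29.17), formatted as "DNS Name=host, DNS Name=host.domain"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-ProtectConsoleCertificates {
    $r = [ordered]@{}

    # 1. "ST Root Authority" is present as a Trusted Root CA for the computer account
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootSubject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $r.RootInTrustedRootStore = [bool]$root

    # 2. A Console Certificate: issued by ST Root Authority, subject CN is the ConsoleId GUID
    $console = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -eq $RootSubject -and
                       ($_.Subject -replace '^CN=', '') -match $GuidPattern } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    $r.ConsoleCertificateFound = [bool]$console
    if (-not $console) { return [pscustomobject]$r }
    $r.ConsoleId = $console.Subject -replace '^CN=', ''

    # 3. The signature really chains to the installed root, not merely a matching issuer name
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # private CA, no CRL is published
    $built = $chain.Build($console)
    $top = if ($chain.ChainElements.Count) { $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate }
    $r.ChainsToInstalledRoot = [bool]($built -and $root -and $top -and ($top.Thumbprint -eq $root.Thumbprint))

    # 4. The private key is not only flagged as present but can be used. On a cloned
    #    system whose SID changed, the key container can no longer be decrypted and
    #    the attempt fails with "Keyset does not exist".
    $r.HasPrivateKeyFlag = $console.HasPrivateKey
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($console)
        if (-not $rsa) { throw 'No RSA private key is associated with the certificate' }
        $null = $rsa.SignData([byte[]](1, 2, 3),
                              [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                              [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        $r.PrivateKeyUsable = $true
        $r.PrivateKeyError  = $null
    } catch {
        $r.PrivateKeyUsable = $false
        $r.PrivateKeyError  = $_.Exception.Message   # e.g. "Keyset does not exist"
    }

    # 5. The name inside the certificate still matches this computer; a computer rename
    #    or domain change after installation is the discrepancy "-renew_console" fixes.
    $ip = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $current = @($ip.HostName.ToLowerInvariant())
    if ($ip.DomainName) { $current += "$($ip.HostName).$($ip.DomainName)".ToLowerInvariant() }
    $inCert = @(Get-CertificateDnsNames -Cert $console)
    $r.CertificateDnsNames    = $inCert -join ', '
    $r.DnsNameMatchesComputer = [bool]($inCert | Where-Object { $current -contains $_ })

    [pscustomobject]$r
}

Test-ProtectConsoleCertificates | Format-List
```

    Read the result top to bottom: a false RootInTrustedRootStore or ConsoleCertificateFound points at a missing or re-keyed installation, PrivateKeyUsable = false with a “Keyset does not exist” message is the cloned-image case described above, and DnsNameMatchesComputer = false with everything else true is the rename case that “-renew_console” addresses. The script only reads the stores and performs one test signature; it changes nothing.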


    Command: STMgmt.exe -root


    ST.ServiceHost log shows SSL/TLS errors:


    Could not establish trust relationship for the SSL/TLS secure channel with authority


    This indicates the remote certificate is invalid according to the validation procedure.


         1. Open a command prompt and run the following commands:

    • stmgmt.exe -root
    • stmgmt.exe -console_installation -id"consoleID"
      • For example: stmgmt.exe -console_installation -id"3abcd297-b2f4-4eb8-9c57-19c9d09650b8"
      • The consoleID is located in C:\Program Files\LANDesk\Shavlik Protect\STEnvironment.config (search for 'consoleID')

         2. Restart the Protect services and verify the issue has been corrected.
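    The PowerShell function below is an added example that wraps the two-step procedure above; it is not part of this article and not code from Ivanti or Shavlik. It reads the consoleID out of STEnvironment.config (as step 1 says to), checks that it is a GUID, then runs “stmgmt.exe -root” and “stmgmt.exe -console_installation -id"consoleID"” with exactly the argument syntax shown, restarts the services you name, and finishes with “-test_console” to confirm the result. The install path default, the assumption that the GUID appears shortly after the word consoleID in the config file, and the service names (the article does not list them, so you pass your own) are assumptions. It supports -WhatIf, so the commands can be previewed without changing anything.

```powershell
# Added example; not from the article and not Ivanti/Shavlik code.
# Assumptions: default install path below; the GUID follows the word consoleID
# in STEnvironment.config; Protect service names are supplied by the caller.
# Run from an elevated prompt. Use -WhatIf first to preview.

function Get-ProtectConsoleId {
    param([string]$ConfigPath = 'C:\Program Files\LANDESK\Shavlik Protect\STEnvironment.config')
    $text = Get-Content -LiteralPath $ConfigPath -Raw
    # Non-greedy skip over the attribute and quote characters between the key and its GUID value
    $m = [regex]::Match($text, '(?is)consoleID.{0,60}?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})')
    if (-not $m.Success) { throw "No consoleID GUID found in $ConfigPath" }
    $m.Groups[1].Value.ToLowerInvariant()
}

function Invoke-StMgmt {
    # The argument string is passed through unchanged, so -id"..." reaches the tool as written
    param([string]$Arguments, [string]$InstallDir)
    $p = Start-Process -FilePath (Join-Path $InstallDir 'STMgmt.exe') -ArgumentList $Arguments `
                       -WorkingDirectory $InstallDir -Wait -NoNewWindow -PassThru
    Write-Host "STMgmt.exe $Arguments exited with code $($p.ExitCode)"
    $p.ExitCode
}

function Repair-ProtectConsoleCertificates {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [string]$InstallDir = 'C:\Program Files\LANDESK\Shavlik Protect',
        [string[]]$ServiceName = @()    # Protect services to restart afterwards (caller supplies them)
    )
    $consoleId = Get-ProtectConsoleId -ConfigPath (Join-Path $InstallDir 'STEnvironment.config')
    Write-Host "Console ID from STEnvironment.config: $consoleId"

    if ($PSCmdlet.ShouldProcess("console $consoleId",
            'Generate a new ST Root Authority and reissue the Console Certificate')) {
        # Step 1: new root key pair and certificate, then reissue the console certificate
        Invoke-StMgmt -Arguments '-root' -InstallDir $InstallDir | Out-Null
        Invoke-StMgmt -Arguments ('-console_installation -id"{0}"' -f $consoleId) -InstallDir $InstallDir | Out-Null

        # Step 2: restart the Protect services, then verify
        foreach ($svc in $ServiceName) { Restart-Service -Name $svc -Force }
        if (-not $ServiceName) { Write-Warning 'Restart the Protect services before re-testing.' }
        Invoke-StMgmt -Arguments '-test_console' -InstallDir $InstallDir | Out-Null
    }
}

# Preview what would run:
Repair-ProtectConsoleCertificates -WhatIf
# Real run, naming the Protect services on this console (placeholder name shown):
# Repair-ProtectConsoleCertificates -ServiceName 'PROTECT_SERVICE_NAME_PLACEHOLDER'
```

    Because the consoleID is taken from the config file and validated against the GUID format before anything is executed, a typo in the ID cannot reach the tool; the -WhatIf run shows the console ID that would be used without generating any new keys.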



    Additional Information

    How to update Root Certificate information: Correcting Issues Caused by out of Date Root Certificates

    Managing certificates (exporting, importing, copying): Managing Certificates : Exporting, Importing & Copying



    Affected Products

    Ivanti Patch for Windows 9.x

    Shavlik Protect 9.2