Upgrading server security certificates without orphaning clients

Article:HOWTO55357  |  Created: 2011-06-29  |  Updated: 2011-12-16  |  Article URL http://www.symantec.com/docs/HOWTO55357
Article Type: How To



When clients use secure communication with the server, a digitally signed security certificate is exchanged between the clients and the server. This exchange establishes a trust relationship between the server and the clients. When the certificate changes on the server, the trust relationship is broken and the clients can no longer communicate with the server. This problem is called orphaning clients.

Note: Use this process to update either one management server or multiple management servers at the same time.

The table "Updating server-client certificates" lists the steps to upgrade the certificate without orphaning the clients that the server manages.

Table: Updating server-client certificates

| Step | Task | Description |
|------|------|-------------|
| 1 | Disable policy signature verification | Disable secure communications between the server and the clients. See "Configuring secure communications to prevent clients from being orphaned." |
| 2 | Wait for all clients to receive the updated policy | Depending on the number of managed clients connecting to the server, the process of deploying the updated policy may take a week or longer. Large installations may require several days to complete the process because the managed computers must be online to receive the new policy. Some users may be on vacation, with their computers offline. |
| 3 | Update the server certificate | See "Updating a server certificate." If you migrate or update the management server, perform the server migration. See "Migrating a management server." |
| 4 | Enable policy signature verification | Re-enable secure communications between the server and the clients by repeating step 1 and checking "Enable secure communications between the management server and clients by using digital certificates for authentication". |
| 5 | Wait for all clients to receive the updated policy | It may take a week or longer to update all clients. |
| 6 | Restore replication relationship (optional) | If the server you updated replicates with other management servers, restore the replication relationship. See "Turning on replication after migration or upgrade." |
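
One way to decide when the waits in steps 2 and 5 are over, shown as an added example that is not part of the original article or the product. It assumes a client inventory exported as CSV; the column names, policy identifiers, and sample rows are hypothetical and constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory. Column names and values are assumptions,
# not a documented export format of the management server.
SAMPLE_CSV = """client,last_checkin,policy_id
WS-001,2011-12-15T09:12:00,POLICY-0042
WS-002,2011-12-14T17:40:00,POLICY-0042
LT-017,2011-12-15T08:05:00,POLICY-0041
LT-044,2011-11-28T16:30:00,POLICY-0041
"""


def certificate_change_readiness(csv_text, required_policy, now, stale_after_days=7):
    """Group clients by whether they already hold the policy the next step depends on.

    ready   : client reports the required policy
    pending : old policy, but checked in recently, so it should update soon
    offline : old policy and no recent check-in (for example, a user on
              vacation); this client is orphaned if the certificate changes now
    """
    cutoff = now - timedelta(days=stale_after_days)
    groups = {"ready": [], "pending": [], "offline": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_seen = datetime.fromisoformat(row["last_checkin"])
        if row["policy_id"] == required_policy:
            groups["ready"].append(row["client"])
        elif last_seen >= cutoff:
            groups["pending"].append(row["client"])
        else:
            groups["offline"].append(row["client"])
    # Proceed only when at least one client was inventoried and none is behind.
    groups["safe_to_proceed"] = bool(groups["ready"]) and not (
        groups["pending"] or groups["offline"]
    )
    return groups


if __name__ == "__main__":
    report = certificate_change_readiness(
        SAMPLE_CSV, "POLICY-0042", now=datetime(2011, 12, 16)
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

The same check serves both waits: before step 3 the required policy is the one that disables signature verification, and after step 4 it is the one that re-enables it.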


Legacy ID: v57845489_v59371754

