
Deprecating SHA1 Certificates in System Center Operations Manager for UNIX/Linux Monitoring



Communication between the System Center Operations Manager Management Server and the UNIX/Linux agents is secured with TLS/SSL. UNIX and Linux agents use Server Authentication certificates (“agent certificates”) for the TLS/SSL channel, and these certificates are signed by an Operations Manager Management Server “signing certificate.” As of System Center 2016 RTM, both agent certificates and signing certificates are generated with the sha1WithRSAEncryption signature algorithm. With System Center 2012 R2 Operations Manager UR12 and System Center 2016 Operations Manager UR2, use of SHA1 certificates is deprecated, and SHA 256 certificates are preferred by default. Customers can update and re-sign the certificates on currently deployed agents by following the procedure below.

1. Install SCOM 2012 R2 UR12 – https://support.microsoft.com/en-us/help/3209587/system-center-2012-r2-om-ur12 (or) SCOM 2016 UR2 – https://support.microsoft.com/en-us/help/3209591/update-rollup-2-for-system-center-2016-operations-manager

2. Import the UNIX/Linux Management Packs for SCOM 2012 R2 / SCOM 2016 UR2 – https://www.microsoft.com/en-in/download/details.aspx?id=29696

3. The certificate can be updated from SHA1 to SHA 256 in one of the following ways:

Option 1:

Use the PowerShell script UpdateXplatCertificates.ps1. When run without any parameters, it updates the certificate for all agents.

.\UpdateXplatCertificates.ps1

This script can be downloaded from here.

Option 2:

To update the certificate for specific agents only, pass their display names:

.\UpdateXplatCertificates.ps1 -AgentsDisplayName "<Agent1>","<Agent2>"

Option 3:

The certificate can also be updated through the SCOM Console:

Console –> Monitoring –> UNIX/Linux Computers –> select the server.


On the right task pane under UNIX/Linux Computer Tasks there are two tasks that could be performed.


1. Verify Certificate Signature – This task verifies the signature algorithm of the agent’s signed certificate and is helpful for identifying SHA1 certificates that require an update. On clicking Verify Certificate Signature, the task runs and reports the result.


2. UNIX/Linux Update Certificate Task – This task updates the certificate from SHA1 to SHA 256. Select the server whose certificate you wish to update and click UNIX/Linux Update Certificate Task in the task pane.

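As an added example (not part of this KB article or of the UpdateXplatCertificates.ps1 script), the following PowerShell check reports the signature algorithm of agent certificate files so that SHA1-signed ones can be listed before running the update; it assumes the agent certificates have been exported to a local folder, and the folder path and file pattern are assumptions.

```powershell
# Added example: inventory exported agent certificates and flag SHA1 signatures.
# Assumption: the certificate files (PEM or DER, *.pem / *.cer) were copied to $CertFolder.
param(
    [string]$CertFolder = "C:\temp\xplat-certs"   # assumed location, adjust as needed
)

# OID for sha1WithRSAEncryption; comparing the OID is more robust than the friendly name.
$Sha1RsaOid = '1.2.840.113549.1.1.5'

$results = foreach ($file in Get-ChildItem -Path $CertFolder -Include *.pem, *.cer -Recurse) {
    try {
        # X509Certificate2 loads both PEM (base64) and DER encoded certificate files.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
        [pscustomobject]@{
            File               = $file.Name
            Subject            = $cert.Subject
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
            NotAfter           = $cert.NotAfter
            NeedsUpdate        = ($cert.SignatureAlgorithm.Value -eq $Sha1RsaOid)
        }
    }
    catch {
        Write-Warning "Could not read $($file.FullName): $($_.Exception.Message)"
    }
}

# SHA1-signed certificates are listed first.
$results | Sort-Object NeedsUpdate -Descending | Format-Table -AutoSize
```

Agents whose certificate shows NeedsUpdate = True are candidates for the UpdateXplatCertificates.ps1 -AgentsDisplayName run described in Option 2.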

Please note:

The existing certificate will not be invalidated or deleted. Once the certificate has been updated for all monitored servers, the old certificates should be deleted manually.

Once SCOM 2012 R2 UR12 or SCOM 2016 UR2 is installed, SHA 256 certificates are used by default for newly discovered servers.

The certificate must be updated the same way in a high availability configuration too.


Article Info
Article ID : 4464237
Revision : 2
Created on : 9/14/2018
Published on : 9/14/2018