4.2 Reconfiguring the Certificate Authority before and after it Expires

ZENworks prompts you to change your ZENworks Certificate Authority (CA) 90 days before the expiration of the certificate. The following warning message is displayed for each administrator once every 24 hours after the administrator logs in to ZENworks Control Center:

The Zone CA will expire in number_of_days days.

The above warning message is displayed for each administrator for every login when the expiry is below five days.

To re-create the zone certificate before it expires, review the following scenarios:

IMPORTANT:If you do not change your zone certificate before it expires, the communication between Primary Servers and managed devices breaks down, and the managed devices fail to receive new assignments and policies. To reestablish the communication, you must re-create the certificate.

4.2.1 Changing the CA to Internal

If you want to replace the internal or external server certificate of your Linux Primary Server, then you can choose to replace the certificate with a new internal server certificate.

  1. If the current CA is internal, see “Reminting the Certificate Authority” or Changing the CA to Internal in the ZENworks SSL Management Reference.

    If the current CA is external, see Changing the CA to Internal in the ZENworks SSL Management Reference.

  2. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks Out-of-Band Management Reference.

  3. (Conditional) If multizone is configured, and the Publisher’s certificate is changed, then update the new certificate of this server for all its Subscribers. Perform the following to update the new certificate:

    1. Log in to ZENworks Control Center (ZCC) of subscribers.

    2. Navigate to Subscribe And Share > Subscriptions > <subscription_name> > Remote Server > Update Certificate.

    3. Update the certificate.

4.2.2 Changing the CA to External

If you want to replace the internal or external server certificate of your Linux Primary Server, then you can choose to replace the certificate with a new external server certificate.

  1. To change the CA to external, see in Changing the CA to External in the ZENworks SSL Management Reference.

  2. (Conditional) If your zone includes Intel AMT devices, unprovision and provision the devices.

    For more information about unprovisioning and provisioning Intel AMT devices, see Configuring Intel AMT Devices in Enterprise Mode in the ZENworks Out-of-Band Management Reference.

  3. (Conditional) If multizone is configured, and the Publisher’s certificate is changed, then update the new certificate of this server for all its Subscribers. Perform the following to update the new certificate:

    1. Log in to ZENworks Control Center (ZCC) of subscribers.

    2. Navigate to Subscribe And Share > Subscriptions > <subscription_name> > Remote Server > Update Certificate.

    3. Update the certificate.

4.2.3 Additional Information

If the mobile devices in your zone are connected to the network during the system update process (as a part of the Remint CA or Change CA operation), then the new MDM server certificate is issued to these devices. The devices will communicate with the Primary Server using this new certificate.

However, if certain mobile devices are offline during the system update process, then based on the stage at which these devices were offline, you need to perform the relevant action:

  • If the devices are offline at the Update Assigned stage and the CA activation date has passed: The devices have to be re-enrolled so that they can continue to communicate with the Primary Server using the new certificate.

  • If the devices are offline at the Pending Certificate Activation stage and the CA activation date has passed: No action needs to be performed. As soon as the devices are connected to the network, the new MDM server certificate is issued to the devices. The devices will communicate with the Primary Server using this new certificate.