DCE certificate

Seems we have found out the issue and it is related to DCE certificate pinning…

In ControlSuite 1.0 the Equitrac services stored their certificates in the user's certificate store (the store of the account the services ran as) and created them if they did not exist. In ControlSuite 1.1 the certificates are created by the Configuration Assistant (CA) and are stored in the local machine certificate store. The certificate is not migrated automatically because the Configuration Assistant can run as a different user than the Equitrac services, and that user would not have access to the services' user certificate store to migrate the certificate.

Some embedded clients that communicate with DCE (for example Ricoh Unified Client 1.1 / PCC 5.1) use certificate pinning. As a result, when a new Equitrac certificate is generated from within the Configuration Assistant as part of an upgrade, such clients will no longer be able to communicate with DCE until they are reinstalled, because the certificate they have pinned no longer matches the one DCE presents.

To allow DCE clients that use certificate pinning to continue to work with DCE after upgrading, without reinstalling the client, take the following steps during the upgrade:

  • Export the original DCE certificate together with its private key
    • Log on as the user that the Equitrac services were configured to run as prior to the upgrade
    • Run Microsoft Management Console (mmc) and add the Certificates snap-in configured for "My user account"
    • Browse to the Equitrac-Shared/Certificates folder
    • Right-click the self-signed certificate found there and choose "All Tasks -> Export"
    • Export the certificate together with its private key to a password-protected .pfx file
  • In Configuration Assistant, instead of generating a new Equitrac certificate, import the certificate from the .pfx file created above

Ideally, the above steps should be performed during an upgrade so that DCE continues using the same certificate as before the upgrade. If these steps are performed later, to change the Equitrac certificate back to the original, then the Equitrac services will need to be unenrolled, re-enrolled and then restarted after updating the certificate. (These steps can also be performed using Configuration Assistant.)
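The export step above, scripted as an added example (this is not code from the original post or from the ControlSuite product), with a verification step at the end that checks whether the certificate now in the local machine store has the same thumbprint as the exported one. A matching thumbprint is what pinning clients care about, so this is the check to run after importing the .pfx through Configuration Assistant. Assumptions: the "Equitrac-Shared/Certificates" folder shown in MMC corresponds to the PowerShell store path `Cert:\CurrentUser\Equitrac-Shared` (and `Cert:\LocalMachine\Equitrac-Shared` after the upgrade), the certificate is self-signed (Subject equals Issuer), and its private key was created as exportable. Run it as the account the Equitrac services ran as before the upgrade.

```powershell
# Added example, not part of the original post or product.
# Exports the pre-upgrade DCE certificate with its private key to a
# password-protected PFX and later verifies the machine store holds the same
# certificate, so pinned embedded clients are unaffected.

# ASSUMPTION: store names match the folder names shown in the MMC snap-in.
$UserStorePath    = 'Cert:\CurrentUser\Equitrac-Shared'
$MachineStorePath = 'Cert:\LocalMachine\Equitrac-Shared'
$PfxPath          = Join-Path $env:USERPROFILE 'dce-original.pfx'

function Get-OriginalDceCertificate {
    param([string]$StorePath)
    # Pick the self-signed certificate that has a private key; if several
    # exist, prefer the one with the latest expiry.
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey -and $_.Subject -eq $_.Issuer } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Export-OriginalDceCertificate {
    param([string]$StorePath, [string]$OutFile)
    $cert = Get-OriginalDceCertificate -StorePath $StorePath
    if (-not $cert) {
        throw "No self-signed certificate with a private key found in $StorePath"
    }
    # Prompt for the PFX password rather than hard-coding it in the script.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    # Fails if the private key was not created as exportable; MMC export
    # would fail in the same way, so that is a prerequisite, not a bug here.
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $pfxPassword | Out-Null
    Write-Output "Exported $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $OutFile"
    Write-Output "The file contains the private key; restrict access to it and delete it after import."
    return $cert.Thumbprint
}

function Test-DceCertificateMigrated {
    param([string]$ExpectedThumbprint, [string]$StorePath)
    # After importing the PFX via Configuration Assistant, the machine store
    # must contain the same thumbprint; otherwise pinning clients will break.
    $found = Get-ChildItem -Path $StorePath |
        Where-Object { $_.Thumbprint -eq $ExpectedThumbprint }
    if ($found) {
        Write-Output "OK: $StorePath holds thumbprint $ExpectedThumbprint; pinned clients keep working."
        return $true
    }
    Write-Output "WARNING: thumbprint $ExpectedThumbprint not in $StorePath; DCE is presenting a different certificate."
    return $false
}

# Step 1 (before the upgrade, as the old service account): export.
$originalThumbprint = Export-OriginalDceCertificate -StorePath $UserStorePath -OutFile $PfxPath

# Step 2 (after importing the PFX in Configuration Assistant): verify.
# Test-DceCertificateMigrated -ExpectedThumbprint $originalThumbprint -StorePath $MachineStorePath
```

The verification call is left commented out because it only makes sense after the Configuration Assistant import has been done; rerun it with the thumbprint printed during the export. If it reports a mismatch, the Equitrac services are using a freshly generated certificate and the pinned clients will fail to connect until the original is imported and the services are unenrolled, re-enrolled and restarted as described above.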

This workaround was listed in the CS 1.1 Fix Pack 2 readme file. I am exploring if this can be inserted into the CS 1.1 Release Notes. In addition we are discussing how and when this can be resolved in a future release of ControlSuite, but it is too late to include in Fix Pack 5.

Joakim Johansson

Posted