After upgrading to R14sp1, why are new agents not working on ENC?

Document ID : KB000012860
Last Modified Date : 14/02/2018
Introduction:

CA Client Automation uses ENC to allow machines that are outside of your network to contact the Domain Manager and Scalability Server without having to VPN into your network.

Question:

After upgrading to R14sp1, why are new agents not working on ENC?

Environment:
CA Client Automation - All Versions
Answer:

ENC uses certificates to authenticate between clients.

The encryption version of the certificates HAS to match for the clients to be able to talk to each other.

All versions before R14sp1 used SHA1 with a 1024-bit key as the default encryption for ENC certificates.

R14sp1 uses SHA2 with a 2048-bit key as the default encryption for ENC certificates.

R14sp1 can run without any problems using a SHA1 1024-bit encryption key, so I would leave it at that until R14sp2 comes out.

If you want R14sp1 ENC clients to be able to talk to previous-version ENC clients, you will need to create and import SHA1 1024-bit certs.

To figure out which kind of cert you are using, either double-click the cert.der file, or open MMC > Add/Remove Snap-In > Certificates > Computer Account > Personal > Certificates.

Go to the Details tab and look at the following lines:

Signature hash algorithm - this is the SHA version, for example: sha1

Public key - this is the bit strength, for example: RSA (1024 Bits)

[Screenshot: mmc.jpg - certificate Details tab in MMC]
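As an added example (not part of the KB article or a CA tool), the following PowerShell script reads the same two Details-tab fields, signature hash algorithm and RSA key size, from either a cert.der file or the computer's Personal store and flags any cert whose profile differs from the one you expect; the -DerFile, -ExpectedHash and -ExpectedBits parameters and the Get-EncCertProfile function are my own names.

```powershell
# Report the signature hash algorithm and RSA key size of ENC certificates and flag
# mismatches. Expected defaults are assumptions: SHA1/1024 keeps R14sp1 talking to
# pre-R14sp1 agents; pass -ExpectedHash SHA2 -ExpectedBits 2048 for the R14sp1 default.
param(
    [string]$DerFile = "",   # optional: path to a cert.der exported by cacertutil
    [ValidateSet('SHA1', 'SHA2')][string]$ExpectedHash = 'SHA1',
    [int]$ExpectedBits = 1024
)

function Get-EncCertProfile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # FriendlyName is e.g. 'sha1RSA' or 'sha256RSA'; map it to the KB's SHA1/SHA2 wording
    $sigName = $Cert.SignatureAlgorithm.FriendlyName
    $hashFamily = if ($sigName -match '^sha1') { 'SHA1' }
                  elseif ($sigName -match '^sha(256|384|512)') { 'SHA2' }
                  else { 'OTHER' }
    # GetRSAPublicKey returns $null for non-RSA keys; report 0 bits in that case
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $bits = if ($rsa) { $rsa.KeySize } else { 0 }
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        SigAlg     = $sigName
        HashFamily = $hashFamily
        KeyBits    = $bits
        Matches    = ($hashFamily -eq $ExpectedHash -and $bits -eq $ExpectedBits)
    }
}

$certs = @()
if ($DerFile) {
    # Same data you see when you double-click cert.der
    $certs += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $DerFile
} else {
    # Same store as MMC > Certificates > Computer Account > Personal > Certificates
    $certs += Get-ChildItem Cert:\LocalMachine\My
}

$report = $certs | ForEach-Object { Get-EncCertProfile -Cert $_ }
$report | Format-Table Subject, SigAlg, KeyBits, Matches -AutoSize

# Certs with Matches = False are the ones the certutil -delstore / cacertutil create steps apply to
$report | Where-Object { -not $_.Matches } | ForEach-Object {
    Write-Warning ("{0}: {1} / {2}-bit does not match expected {3} / {4}-bit" -f `
        $_.Subject, $_.SigAlg, $_.KeyBits, $ExpectedHash, $ExpectedBits)
}
```

Run it on the Domain Manager and on one client from each side of the upgrade; if the HashFamily or KeyBits columns differ between them, that is the mismatch that stops the agents from talking.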

If you have already created the certs, you will need to delete the certs with the WRONG configuration.

Either go into the Windows certstore or use the following command:

 certutil -delstore My <cert_name>

Then you will need to create and import the new certificate with the following command:

cacertutil create -o:"%cd%\%computername%.p12" -op:<password> -s:cn=%computername% -d:-1 -i:"%cd%\root.p12" -ip:<password> -od:"%cd%\%computername%.der" -k:1024 -xsan:%computername%.ca.com -ac -as -ae -dt:SHA1

The two additional parameters that need to be added are:

-dt:SHA1

-k:1024

The next release of CA Client Automation (R14sp2) is supposed to allow the ENC Gateway (MSR) server to support multiple certs, which will allow the customer to install SHA2 2048-bit certs and SHA1 1024-bit certs on the ENC Gateway Server (MSR), and then slowly move all the clients to the new certificate method.