How to troubleshoot a missing or deleted core certificate

Version 7

    Verified Product Versions

    LANDESK Management Suite 9.5LANDESK Management Suite 9.6LANDESK Management Suite 2016.x

    Issue

     

    How to troubleshoot a missing or deleted core certificate.

     

    If the certificate that is being used by the core server is deleted or overwritten, the following error may appear.

     

    Attempting to activate core and got error message "Unable to build the core server activation file."

     

    A number of other problems may occur such as web console and 32bit console not working or even loading.

     

    This can also cause the "Unable to validate the current user with the database" error in the web console.

     

    You can have an issue with remote control if SsSL is not working because the client cannot open;

     

    https://{Core_Server_Name}/LANDesk/ManagementSuite/Core/SSL/remotecontrol/RemoteControlService.asmx

     

    Message when attempting to remote control:

     

    Unable to find the remote control web service on [CORENAME].

     

    Troubleshooting

     

    In some cases deleting the certificate has resulted in a necessary core rebuild. Before falling back to that check to see if an old certificate exists or if there is a backup certificate. If so then follow the steps below.

     

     

    Registry

    The name of the cert created on install is referenced in the following registry key.

    HKLM|Software|LANDesk|ManagementSuite|Setup|CertName This file needs to exist in the \Program Files\LANDesk\Shared Files\Keys.

    - For the activation process to work properly the original .crt and .key file have to be present in the \Program Files\LANDesk\Shared Files\Keys folder. If it does not but a backup key exists here, modify the registry key to point to the other key.

    - The <hash>.0 public key is also in the C:\Program Files\LANDesk\ManagementSuite\ldlogon folder and needs to be there by default.


    IIS

    If there is an existing certificate but it is not correct then do the following:

     

    1. Open up IIS manager
    2. View the default website properties
    3. Click directory security

     

    If the view certificate box is gray then the cert is not installed. Follow below.

     

    Install the certificate by doing the following:

     

    1. Click server certificate
    2. Next
    3. Assign existing / next (remove existing if the current one is bad)
    4. Click on the appropriate cert / next
    5. ssl port set to 443 / next next / finish.

     

    If the certificate does not show up under existing certificates do the following

     

    1. Click Start / Run, type mmc, then press enter.
    2. Click File / Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Finish, close the add-in window, then click OK.
    3. Open the protect.ini file on the core (LANDesk\Shared Files\keys) and note the hash.
    4. Find the .0 file in the same folder that matches the hash from the protect.ini.  Open the .0 file and note the name of the key.
    5. Back in the mmc window, drill down into Trusted Root Certificates/Certificates and find the name of the key from the previous step.  Right click on it and drag it to the Personal\Certificates\ folder and click on copy.
    6. Run the following command from a commands prompt in the ManagementSuite folder.
      • securewebsiteinstall.exe "cert name" landesk/managementsuite/core/ssl
      • securewebsiteinstall.exe "cert name" landesk/managementsuite/core/ssl/remotecontrol
      • securewebsiteinstall.exe "cert name" landesk/managementsuite/core/ssl/information

     

    If the wrong cert is installed or it is pointing to a cert that does not exist.

     

    1. Click server certificate
    2. Next
    3. Remove existing cert
    4. Click ok

     

    Install the backup certificate by doing the following:

     

    1. Click server certificate
    2. Next
    3. Assign existing / next (remove existing if the current one is bad)
    4. Click on the appropriate cert / next
    5. ssl port set to 443 / next
    6. next / finish.

     

     

    Check to see if the certificate has a private key associated with it.

     

    1. In IIS right click on Default Website and click Properties
    2. Click on the Directory Secutiry tab
    3. Click View Certificate
    4. At the bottom of the general tab it should say
    5. You have a private key that corresponds to this certificate."

     

    If you do not have a private key associated then do the following:

     

    On the Core server:

     

    1. Click Start, click Run, type mmc,and then click OK.
    2. On the File menu, click Add/Remove Snap-in.
    3. In the Add/Remove Snap-in dialog box, click Add.
    4. Click Certificates, and then click Add
    5. In the Certificates snap-in dialog box, click Computer account, and then click Next.
    6. In the Select Computer dialog box, click Local computer: (the computer this console is running on), and then click Finish.
    7. Click Close, and then click OK.

      (if the certificate exists in "Console Root | Certificates | Personal | Certificates" then skip to step 14)

    8. In the Certificates snap-in, expand Certificates, right-click the Personal folder, point to All Tasks, and then click Import.
    9. On the Welcome to the Certificate Import Wizard page, click Next.
    10. On the File to Import page, click Browse.
    11. In the Open dialog box, click the new certificate, click Open, and then click Next.
    12. On the Certificate Store page, click Place all certificates in the following store, and then click Browse.
    13. In the Select Certificate Store dialog box, click Personal, click OK, click Next, and then click Finish.
    14. In the Certificates snap-in, double-click the imported certificate that is in the Personal folder.
    15. In the Certificate dialog box, click the Details tab.
    16. Click Serial Number in the Field column of the Details tab, highlight the serial number, and then write down the serial number.
    17. Click Start, click Run, type cmd, and then click OK.
    18. At the command prompt, type the following:
    19. certutil -repairstore my "SerialNumber"

     

    Note: SerialNumber is the serial number that you wrote down in step 16.