Update/change client certificates after migration


puff

I recently migrated Remote Administrator to a virtual appliance and during the migration I changed the server certificate to match the old server's certificate (following this guide). Now I would like to update all of my agents to use the new client certificate that was created during the virtual appliance install. I know I can change the agent's certificate by applying a new policy. My question is: do I update all the agents' certificates first and then change the server certificate, or the other way around? I don't want to break the communication between my agents and the server by changing the certificates in the wrong order.

Thanks!


ESET Staff

In this case of migration, you have to ensure two things:

  1. SERVER must be able to verify new AGENT certificates. This requires SERVER to have access to the CA certificate that was used to sign the new AGENT certificates. In case the certificates were generated during installation of ERA, the CA certificate should be automatically available, and thus nothing has to be done for this part. I guess you currently have both the old and the new CA certificates in ERA, and that is why SERVER can verify (trusts) both old and new AGENT certificates.
  2. AGENT must be able to verify the new SERVER certificate. For this, AGENT needs access to the new CA certificate used to sign the new SERVER certificate. In case this CA certificate is present in ERA, a connecting AGENT will automatically receive it. The problem is with AGENTs that have not connected since you created or imported the CA certificate.

Before you change the SERVER certificate, you have to be sure that all AGENTs have access to the new CA certificate mentioned in [2]. That is why I would recommend starting with changing the AGENT certificate first, and on a limited number of clients, ideally ones that are accessible in case manual repair of the AGENT installation is required. Once this works, distribute the new AGENT certificate to all clients. In case AGENT has already applied the new certificate (and reported it to ERA), AGENT will also have access to the new CA certificate. What you have to be aware of is that AGENTs that have not successfully connected since you created the new CA certificate won't be able to connect to ERA anymore, and either changing the SERVER certificate back to the old one or repairing the AGENT installation will be required (or possibly also importing the new CA certificate into the AGENT system certificate store in case AD is used).

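The ordering rule in the reply above comes down to one dependency: each side only accepts a certificate whose issuing CA is already in its own trust store, and an agent learns new CAs only by completing a successful check-in. The following is an added example, not code from the thread or from ESET, that models that dependency so the "which agents would be cut off if I switched the server certificate now" question can be answered before the change is made. All names (`CACert`, `Peer`, `agents_cut_off_by`, the `pc-1`/`laptop-3` fleet) are constructed for illustration; the fingerprint is a stand-in for a real certificate fingerprint.

```python
"""Model of the mutual trust dependency during an ERA certificate migration.

Each side of the agent<->server connection verifies the peer's certificate
against the CA certificates it trusts. Changing a certificate is therefore
only safe if every peer already trusts the CA that signed the new one.
(Added illustration; simplified model, not ERA's actual implementation.)
"""
from dataclasses import dataclass, field
import hashlib


@dataclass(frozen=True)
class CACert:
    name: str

    @property
    def fingerprint(self) -> str:
        # Stand-in for a real fingerprint (SHA-256 over the DER encoding).
        return hashlib.sha256(self.name.encode()).hexdigest()[:16]


@dataclass(frozen=True)
class PeerCert:
    subject: str
    issuer: CACert  # CA that signed this certificate


@dataclass
class Peer:
    name: str
    cert: PeerCert
    trust_store: set = field(default_factory=set)  # fingerprints of trusted CAs

    def trusts(self, cert: PeerCert) -> bool:
        return cert.issuer.fingerprint in self.trust_store


def can_connect(agent: Peer, server: Peer) -> bool:
    """Mutual verification: server trusts the agent's CA and agent trusts the server's CA."""
    return server.trusts(agent.cert) and agent.trusts(server.cert)


def agent_checkin(agent: Peer, server: Peer) -> bool:
    """A successful check-in pushes every CA the server knows down to the agent,
    which is how an AGENT obtains the new CA certificate described in the reply."""
    if not can_connect(agent, server):
        return False
    agent.trust_store |= server.trust_store
    return True


def agents_cut_off_by(new_server_cert: PeerCert, agents, server: Peer) -> list:
    """Names of agents that would lose connectivity if the server switched
    to new_server_cert right now (the pre-change check the reply recommends)."""
    candidate = Peer(server.name, new_server_cert, set(server.trust_store))
    return sorted(a.name for a in agents if not can_connect(a, candidate))


def demo():
    """Constructed fleet: two agents checked in after the new CA appeared, one stayed offline."""
    old_ca, new_ca = CACert("old-ERA-CA"), CACert("new-ERA-CA")
    # Server still uses the old certificate but already trusts both CAs (point [1]).
    server = Peer("era-server", PeerCert("server", old_ca),
                  {old_ca.fingerprint, new_ca.fingerprint})
    online = [Peer(f"pc-{i}", PeerCert(f"pc-{i}", old_ca), {old_ca.fingerprint}) for i in (1, 2)]
    offline = Peer("laptop-3", PeerCert("laptop-3", old_ca), {old_ca.fingerprint})
    for agent in online:
        agent_checkin(agent, server)        # these agents now hold the new CA
    agents = online + [offline]

    # Who breaks if the SERVER certificate is switched to the new CA today?
    cut_off = agents_cut_off_by(PeerCert("server", new_ca), agents, server)

    # Recommended first step instead: new AGENT certificate on a pilot client.
    online[0].cert = PeerCert("pc-1", new_ca)
    pilot_ok = can_connect(online[0], server)
    return cut_off, pilot_ok


if __name__ == "__main__":
    cut, ok = demo()
    print("would be cut off by a server cert change now:", cut)
    print("pilot agent with new cert still connects:", ok)
```

The check shows the asymmetry the reply relies on: swapping agent certificates first is harmless because the server already trusts both CAs, whereas swapping the server certificate cuts off every agent that has not checked in since the new CA was created (here the offline `laptop-3`), which is exactly the case that ends in a rollback or a manual agent repair.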

Got it. The new agent certificate, new server certificate, and new CA were all created during installation of the virtual appliance. That was a couple of months ago so I'd imagine all agents should have the required CA, but I'll start with a small group to test it and roll it out in sections until all the agents are updated, then change the server certificate last.

Thanks for your help!
