Replacing Ssl Certificates In An Existing Environment; Installing Full Disk Encryption Certificates - Check Point HARMONY R81 Administration Manual

Replacing SSL Certificates in an Existing Environment

We recommend that you implement the new SSL certificates gradually. After an SSL
certificate is replaced on a server, clients who do not have the related CA certificate will not be
able to send SSL messages (for example, Full Disk Encryption blade payloads and Audit logs)
to that server.
To replace SSL Certificates in an existing environment:
1. Import a new CA certificate.
2. Import a new SSL certificate for each server.
3. Use Push Operations to push the new CA certificate to a small OU or group of devices.
A device will report the push operation at 20% with this message: CA certificate
received by Endpoint. This occurs when it has downloaded new CA certificate and is
trying to find a server with an SSL certificate signed by same CA.
4. Install the new SSL certificate on one of the servers accepting clients.
5. Wait for all of the clients' Push Operation status to be completed.
6. Repeat step 2 to gradually migrate more servers to new SSL certificates.
Repeat steps 3-5 to migrate more clients.
Do the procedures on the primary and secondary servers last.

Installing Full Disk Encryption Certificates

To install a Remote Help or an Unlock on LAN certificate:
1. Open SmartEndpoint.
2. In the Users and Computers tab, select the Entire Organization folder, and click
Manage Certificates.
3. Click the Manage button next to Remote Help Certificate or Unlock on LAN Certificate.
4. Select the Remote Help or Unlock on LAN certificate and click Assign.
5. A message shows, asking if you would like to install the policy now. Click Yes or No.
6. If you clicked Yes to install the policy, a message shows that all changed data must be
saved. Click Yes to save changes and continue.
7. Click Install.
External PKI Certificates for Client-Server Communication
R81 Harmony Endpoint Server Administration Guide | 33