Change Root Certificate of SOTI Mobicontrol On-Premise instance

Yannick Weijenberg
Centric Netherlands BV

Hi,

Our on-premise server is still running on a SHA1 root certificate. Since Android 10 and higher must use a SHA2 certificate, we have to generate a new certificate. 

I need information on what the best situation is to change the root certificate without causing problems with the existing devices that are already enrolled.

How would this work?

4 years ago
Android
ANSWERS
NK
4 years ago

Hi,
Here's some more information of that: https://discussions.soti.net/kb/android-10-sha-1-deprecation/

Professional Services is recommended.

RRMOD@SOTI
4 years ago

Hi Yannick,

Thanks for posting in SOTI Central.

If your environment consists of only Android devices, then you can follow the process below to enroll Android 10 devices or upgrade the existing Android devices.

  1. Upgrade your environment if needed (click here to check the requirements).
  2. Generate a MobiControl SHA-2 Root Certificate in the MobiControl Administration utility, Certificates tab.
  3. Keep the certificate there so that devices will learn about the new certificate.
  4. Make sure all the devices check in after generating the SHA-2 Root Certificate.
  5. Once all the devices check in, change the bindings: bind the SHA-2 root to the DS and DSE.

Note: If you have any Windows CE devices, you need to spin up a new Deployment Server, as Windows CE devices won't work with a SHA-2 2048 certificate.

It is strongly advised to create a support case (click here) and work with a SOTI engineer who can examine your environment according to the type of devices, as if the right process is not followed it could have adverse consequences.

Also, if this post has helped you, I would request you to mark the particular comment as "is solution", so others may benefit from this information.

YW

Hi,

I created a SHA256 certificate 1 year ago and just left it in the Administrator Tool. Is there any way to confirm on the devices that the 'new' certificate is known for the devices that already checked in?

RRMOD@SOTI
4 years ago (edited 4 years ago)

Hi Yannick,

If you have only Android devices on the web console, once they check in they automatically store the certificate on the device and learn the new certificate. Every Android device on your web console should have 2 certificates (SHA1 and SHA2), and you can confirm them via the thumbprint available.

You can search the web console for devices that have not checked in after the SHA2 certificate was generated, to identify the devices that have not learned the new certificate.
With Android devices, once they check in they automatically store the certificate in the MobiControl agent and learn the new certificate. With Apple devices you need to push the certificate to the devices in a profile.

Also, if this post has helped you, I would request you to mark the particular comment as "is solution", so others may benefit from this information.

MB

Hi Yannick,

One additional question.

Are you using devices that can only work with a SHA1 certificate?

Like Windows Mobile or CE scanners?