Step 3: Commit the New Sub-Authority Certificate
Automatic commit process
If you have agents and everything has gone according to plan, after 30 days all of your agents should have checked in, received the new certificate and the system will have automatically committed to the new sub-authority certificate. See the section below titled What happens after the commit is issued? for more information.
Manual commit process
You may choose to manually issue the commit command for the following reasons:
•If you do not have agents, you can manually force the commit without waiting for 30 days.
•If there are agents and the system has not automatically committed to the new certificate after 30 days (or as defined by Security Controls internal optimization from the maintenance task), evaluate why the commit has not occurred.
Stmgmt.exe -commit_authority will tell you which machine names it expects to fail when you perform the commit.
There are a number of outstanding issues, errors or warnings that may have occurred that are preventing the commit from happening automatically. The most likely reason is an agent-related problem, such as one or more orphaned agents that have not checked in (and never will). Your options are to (1) figure out a way to get those agents to check in, (2) delete the machines from Machine View, (3) flag the machines to uninstall their agents (even if a machine never checks in to receive the uninstall command, the fact that Security Controls has indicated that the agent should be uninstalled is enough to get past the error/issue with that machine), or (4) you can manually issue the commit and permanently orphan those agent machines.
You can use the test mode in the commit_authority command to tell you about potential problems with performing the commit. The command is: stmgmt.exe -commit_authority -test
By analyzing this information you can make an educated decision on whether to perform the commit. In some circumstances you may choose to force the commit and purposely orphan certain problem machines.
To force the commit
Use the following command: stmgmt.exe -commit_authority -force
If you force the commit and you do have agents that haven't checked in that you want to keep, you will need to reinstall the agent on those machines (the agent will be unable to use the configuration information created by the console and will most likely fail to check in).
What happens after the commit is issued?
When the commit command is issued, the system will stop using the original self-signed certificate and will begin using the new sub-authority certificate. In particular, the following actions will occur:
•A new console certificate will be automatically issued from the sub-authority certificate and saved to the computer account's Personal store on the console machine.
•A new agent certificate will be automatically issued whenever a new agent is installed or when an existing agent's certificate needs to be reissued. The process should have very little affect on your network performance.