Changing ATA Site SSL Cert

  • Question

  • I installed ATA with the self-signed certs as I was having trouble getting it to work.  Now that I have it working I want to put a real cert on the management site.  What is needed to complete this?

    Do I simply go to IIS and change the cert?

    Do I also need to change it in the configuration page where it references it by IP address?

    When I do that, do I need to redeploy / update the gateways?

    I am on 1.6 as of an hour ago.  Please reference the version number you are familiar with in your responses.  I would imagine that they are similar if not identical, but I want to be sure we are on the same page.

    Friday, May 6, 2016 2:36 AM

All replies

  • Can you see this KB: https://docs.microsoft.com/fr-fr/advanced-threat-analytics/deploy-use/modifying-ata-config-centercert

    Thanks

    Friday, May 6, 2016 8:56 AM
  • Can you see this KB: https://docs.microsoft.com/fr-fr/advanced-threat-analytics/deploy-use/modifying-ata-config-centercert

    Thanks

    I read this, but one of two things is true.  It is either not written very clearly or I am not smart enough to follow what it is trying to say, haha.

    First stage says to update the cert that it is trying to use.  Huh?  Then it says that the old cert is still in use but the gateways will sync their config and will have two potential certs that they can use for mutual auth.  I don't understand that at all.  Is it saying that the gateways will just auth to the service cert and not the one in IIS?  Are they talking about updating the cert in IIS?

    Friday, May 6, 2016 12:59 PM
  • Hello,

    There are two certificates in the ATA Center.

    The ATA Center certificate (for communication between ATA Gateways and ATA Center). 

    To change the ATA Center certificate, please follow the below link:

    https://docs.microsoft.com/advanced-threat-analytics/deploy-use/modifying-ata-config-centercert

    The other certificate is the ATA Console certificate (used by IIS for the ATA Management site).

    To change the ATA Console certificate, please follow this link:

    https://docs.microsoft.com/advanced-threat-analytics/deploy-use/modifying-ata-config-consoleip

    Hope this clarifies the issue.

    Microsoft ATA Team.

    Sunday, May 8, 2016 10:32 AM
  • Maybe it was a bug in 1.5, but since the 1.6 upgrade I was able to change the cert with no issues.  Thanks.
    Monday, May 9, 2016 1:08 PM
  • 2nd link is dead
    Tuesday, October 25, 2016 7:50 PM
  • ATA v1.7 uses only one certificate, as IIS is no longer used for the management console and the ATA Center service is used for both the console and communication with the ATA Gateways.
    Tuesday, October 25, 2016 7:57 PM
  • I'm having trouble issuing the correct kind of cert. I've issued a few and they all say "not compatible". Where can I find the specifications for the cert?
    Tuesday, October 25, 2016 8:42 PM
  • You can't use the auto-assigning domain cert in IIS to request a cert, if that is what you are doing.  You are likely picking or getting a 1024 bit cert and a 2056 is required.  That is what marks them as not compatible.

    Hope that helps


    NNatic

    Wednesday, October 26, 2016 12:58 AM
  • I checked and am issuing a cert with key length 2048 and intended purpose: Server Authentication. Still in gateway says "not supported", any idea why not?
    Wednesday, October 26, 2016 7:24 PM
  • Can someone share how they are making the cert?

    And does anybody know what the cert is used for...if it's not used for IIS?


    http://www.dreamension.net

    Thursday, October 27, 2016 5:35 AM
  • Certificate must have a private key
    Certificate must be CSP
    The certificate's public key length is 2048 bit

    In my cert template on my CA I had to enable the option for the private key to be exportable.


    I have it on good authority that if you type Google into Google you will bring down the internet...

    Tuesday, February 21, 2017 5:58 PM
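
The three requirements listed in the last reply can be checked against an issued certificate before selecting it in ATA. The following is an added example, not code from the thread or from Microsoft; the function name `Test-AtaCertCandidate`, the `LocalMachine\My` store location, and the provider-name heuristic are assumptions. It reads "must be CSP" as meaning a legacy CryptoAPI provider rather than a CNG key storage provider.

```powershell
# Added example (not from the thread): check certificates in a store against
# the three requirements listed above. Run in an elevated Windows session.
function Test-AtaCertCandidate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$StoreName = 'My'   # assumption: the cert is in LocalMachine\My
    )
    process {
        # Public key size; GetRSAPublicKey() returns $null for non-RSA keys.
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
        $bits = if ($rsa) { $rsa.KeySize } else { 0 }

        # certutil prints the private key's provider as "Provider = <name>".
        $provider = ''
        $line = certutil.exe -store $StoreName $Certificate.Thumbprint |
                Select-String -Pattern '^\s*Provider = (.+)$' |
                Select-Object -First 1
        if ($line) { $provider = $line.Matches[0].Groups[1].Value.Trim() }

        # Heuristic (assumption): CNG providers are named "... Key Storage Provider";
        # any other provider that certutil reports is treated as a legacy CSP.
        $isCsp = [bool]$provider -and ($provider -notmatch 'Key Storage Provider')

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            HasPrivateKey = $Certificate.HasPrivateKey
            KeyBits       = $bits
            Provider      = $provider
            IsCsp         = $isCsp
            MeetsAll      = $Certificate.HasPrivateKey -and $isCsp -and ($bits -eq 2048)
        }
    }
}

# List every certificate in the machine store with its result.
Get-ChildItem Cert:\LocalMachine\My | Test-AtaCertCandidate | Format-Table -AutoSize
```

A certificate with `HasPrivateKey` true and 2048 bits but a "Key Storage Provider" in the `Provider` column fails only the CSP check, which points at the provider setting of the CA template used to issue it.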