Expired client cert, besclient.exe -update-certificate not working

straffin 2023-09-22 18:13:11 UTC #1

We’ve got a computer that has an expired certificate and the besclient.exe -update-certificate command isn’t working. Are the results of that command logged anywhere? Or is there a “verbose” mode?

(The local IT has already uninstalled and re-installed the Agent, so there will be no troubleshooting this one.)

MatthiasW 2023-09-22 19:09:02 UTC #2

Indeed we have similar issue one a very Limited number of clients. We are still in analyse with Support.

MatthiasW 2023-09-25 08:32:24 UTC #3

We have now followed the procedure https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Console/Re-registeringRevokedClient.html#Re-registeringRevokedClient.
One issue with this procedure is that the client gets a new id which is a fact I do not really like.

To have a more verbose information I assume setting client debug logging could be helpful.

JasonWalker 2023-09-25 12:33:47 UTC #4

Interested in how this is happening.

Were the clients disconnected/offline for a long period and did not renew their certs?
Were they deleted from the console and/or audit trail cleaner run?
Were their certificates revoked from the console?

straffin 2023-09-25 14:15:11 UTC #5

Most likely the first one… offline for a long time (or, at least, during the certificate update window). We took no console actions against the device.

aginestr 2023-09-25 14:18:20 UTC #6

Hello @straffin, was the computer with the expired certificate connected to an Authenticating Relay? If so, the procedure to follow to update the certificate is documented at the following link: https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/c_client_certificate.html#c_client_certificate__section_mzf_2x2_vtb. If you followed the documented procedure and it didn’t work, then this would need to be further investigated by HCL Support, so next time I would suggest to open a support case. In general, useful debug info for that kind of issue can also be obtained on Relay side by enabling related verbose logging before running the command.

aginestr 2023-09-25 14:21:36 UTC #7

Hello @MatthiasW, for computers with revoked certificates the fact that they get a new ID is expected, while this is not expected when updating an expired certificate.