This article provides basic information about the Shavlik Protect console certificates and the first steps for troubleshooting certificate issues with the STMgmt.exe tool that ships with Protect.
Certificate information
When a Protect Console is installed for the first time, the installation process generates a public/private key pair and associates the public key with a new certificate named “ST Root Authority”. This certificate is added to the operating system as a Trusted Root Certification Authority for the Computer Account. The operating system stores the private key associated with this certificate in an encrypted state.
A “Console Certificate” is also created by generating another public/private key pair and associating the public key with a new certificate. In addition to the public key, the Console Certificate contains details unique to the console (e.g. computer name and DNS name). The Console Certificate is digitally signed by the “ST Root Authority” certification authority. The name of the Console Certificate is the Protect Console’s “ConsoleId”, a Globally Unique Identifier (GUID) of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, where each x is a hexadecimal digit (0-9a-f). The operating system stores the private key associated with the Console Certificate in an encrypted state as well.
Troubleshooting Console certificate issues
Protect ships with a tool called “STMgmt.exe”. It is useful for diagnosing and correcting the certificate issues that can arise when the Protect Console’s environment changes (for example, when the console is renamed, moved to another domain, or cloned from a disk image).
Command: STMgmt.exe -test_console
STMgmt.exe supports a command known as “-test_console”. This command inspects the current console configuration (as it relates to certificates) and reports which tests passed or failed. Running “STMgmt.exe -test_console” immediately after a successful installation of Protect should report that all tests passed; any failure at that point indicates a problem with the installation rather than with a later change.
Command: STMgmt.exe -reissue_console
Changing the console’s computer name or domain membership after Protect has been installed introduces a discrepancy between the computer’s new name/DNS name and the Console Certificate that was issued prior to the change. STMgmt.exe supports a command known as “-reissue_console”. This command will replace the existing Console Certificate with a new certificate that contains the correct, updated information.
After executing the “-reissue_console” command, run the “-test_console” command to confirm that all the tests passed.
If “-reissue_console” fails with “Keyset does not exist”
If the Protect Console was installed as part of a disk image used for deployment, the deployment process often generates a new, unique Windows Security Identifier (SID) for each system cloned from that image. The SID is factored into the operating system’s algorithm for protecting the private keys of the certificates it secures, so after the SID has changed the operating system can no longer access those private keys. In this state “-reissue_console” fails with the error “Keyset does not exist”, because it cannot use the existing “ST Root Authority” key to sign a new Console Certificate.
To resolve this situation, a new public/private key pair must be generated for both a new “ST Root Authority” and a new “Console Certificate”.
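The following PowerShell script is an added example and is not part of Shavlik Protect or of STMgmt.exe. It re-creates by hand the checks described above (root certificate present, Console Certificate issued by it, names matching the current computer, private key usable) so that a failing “-test_console” or a “Keyset does not exist” error can be narrowed down. Two details are assumptions, not stated in this article: that the Console Certificate is stored in the computer’s Personal store (Cert:\LocalMachine\My), and that the console’s DNS name is carried in the certificate’s Subject Alternative Name extension. Run it from an elevated PowerShell session, since reading machine private keys requires administrative rights.

```powershell
# Added example (not Shavlik Protect code): manual version of the
# console-certificate checks described in the article.
# Assumptions: Console Certificate lives in Cert:\LocalMachine\My and
# carries the console's DNS name in its Subject Alternative Name (SAN).
function Test-ProtectConsoleCertificates {
    [CmdletBinding()]
    param(
        [string] $RootCommonName = 'ST Root Authority'   # name given in the article
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string] $Test, [bool] $Passed, [string] $Detail) {
        $results.Add([pscustomobject]@{ Test = $Test; Passed = $Passed; Detail = $Detail })
    }

    # 1. "ST Root Authority" must be in the computer's Trusted Root store.
    $root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$RootCommonName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    Add-Result 'Root certificate present' ($null -ne $root) $(if ($root) { $root.Thumbprint } else { 'not found' })

    # 2. Console Certificate: subject is the ConsoleId GUID, issued by the root.
    #    -match is case-insensitive, so upper-case hex digits also match.
    $guidCn = '^CN=[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'
    $console = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -match $guidCn -and $_.Issuer -like "CN=$RootCommonName*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    Add-Result 'Console certificate present' ($null -ne $console) $(if ($console) { $console.Subject } else { 'not found' })
    if (-not $console) { return $results }

    # 3. The chain must terminate at the ST Root Authority. A private root
    #    publishes no CRL, so revocation checking is switched off.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($console)
    $chainOk = $false
    if ($built -and $root -and $chain.ChainElements.Count -gt 0) {
        $anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $chainOk = ($anchor.Thumbprint -eq $root.Thumbprint)
    }
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    Add-Result 'Chain builds to ST Root Authority' $chainOk $(if ($chainOk) { 'ok' } else { "Build=$built Status=$status" })

    # 4. Name check: after a rename or domain move the certificate still
    #    names the computer as it was at install time (the -reissue_console case).
    try { $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName }
    catch { $fqdn = $env:COMPUTERNAME }
    $san = $console.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # SAN OID
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameOk = ($sanText -match [regex]::Escape($env:COMPUTERNAME)) -or ($sanText -match [regex]::Escape($fqdn))
    Add-Result 'Certificate names match this computer' $nameOk "SAN='$sanText' host='$fqdn'"

    # 5. Private key usable? After a SID change on a cloned image this is where
    #    "Keyset does not exist" surfaces, the same error -reissue_console reports.
    #    Producing a signature proves the key material can actually be decrypted.
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($console)
        if ($null -eq $key) {
            throw (New-Object System.Security.Cryptography.CryptographicException 'no RSA private key associated')
        }
        $data = [System.Text.Encoding]::ASCII.GetBytes('probe')
        $sig = $key.SignData($data,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        Add-Result 'Private key accessible' ($sig.Length -gt 0) "signature of $($sig.Length) bytes produced"
    } catch [System.Security.Cryptography.CryptographicException] {
        Add-Result 'Private key accessible' $false $_.Exception.Message   # e.g. "Keyset does not exist"
    }

    return $results
}

Test-ProtectConsoleCertificates | Format-Table -AutoSize
```

A failure in check 4 alone is the rename/domain-move case and is what “-reissue_console” repairs; a failure in check 5 means the key material itself is no longer accessible, which “-reissue_console” cannot fix and which calls for new key pairs as described above.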
STMgmt.exe can be found in one of the following folders, depending on the product version:
C:\Program Files (x86)\VMware\vCenter Protect (vCenter Protect Advanced v8.x)
C:\Program Files\LANDesk\Shavlik Protect (Shavlik Protect v9.x)