Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

How can I obtain replacements for the 3 SolarWinds certificates in IIS 7 (on W2K8 R2 server)?

Our SolarWinds server (W2K8 R2 on a VM) was flagged for vulnerabilities due to SHA encryption in the server certificates. There are 3 SolarWinds certificates all using SHA. One is named SolarWinds-Orion and is issued to SolarWinds-Orion. Another has no name and is issued to SolarWinds Agent Provision. The third also has no name, and is issued to SolarWinds Job Scheduler. I need to replace these SHA certificates with MD5 certificates. Can somebody provide step-by-step instructions or else links to where I can get this information?

Find more posts tagged with

Accepted answers

All comments

joe.tran

You should be able to use MakeCert.exe or New-SelfSignedCertificate cmdlet (only for Windows Server 2012) to generate a new cert with the desired algorithm and key length. As of a few Orion Core versions ago (2015), they included makecert.exe in the SolarWinds directory in Program Files.

Warning: Generating and using a new SolarWinds-Orion cert makes all saved credentials in Orion unusable! Make sure you have all those credentials backed up somewhere else and they all work! Including those saved in other Orion modules you have installed.

These instructions are only for the SolarWinds-Orion certification. The makecert.exe command I have listed below creates a SHA512 certificate with a key length of 2048-bits.

Delete the old SolarWinds-Orion certificate

From an elevated Command Prompt window, execute the following command:

"C:\Program Files (x86)\SolarWinds\Orion\makecert.exe" -r -pe -a "sha512" -n "CN=SolarWinds-Orion" -len 2048 -sr LocalMachine -ss My -sky exchange -eku 1.3.6.1.5.5.7.3.1

Execute the following query against your Orion database:

UPDATE ServerCertificates SET Replaced=GETUTCDATE() WHERE Replaced IS NULL

Run the Configuration Wizard
Re-enter all saved credentials in Orion.

As for the other two certs, I've never had to replace them and don't know for sure what the implications for trying to replacing them.

I would totally take snapshots of your entire SolarWinds environment before doing any of this .

jiri.tomek

Hello,

do you really want to replace SHA certificates with MD5? MD5 is older and officially vulnerable algorithm, you would be in fact degrading security by this action. Moreover, MD5 certificates don't work with latest .NET Framework updates so you could break your Orion installation by doing that.

Or did you mean replacing SHA1 with SHA2? That would make sense. In that case what joe.tran wrote applies.

"SolarWinds Agent Provision" certificate is used for SolarWinds Agent installations and there is no easy way how to replace it. It's not used during normal operation, it's always used for a short period of time just during Agent installation. If you really have to replace it I can put together steps how to do that but I would suggest to leave this one as it is.