Traps ESM SSL Certificate Renewal

Hello Community,

If you are enabling SSL communication between the agents and Palo Alto Network's Traps ESM, then once the certificate expires you will need to renew it, refer to the bellow steps to guide you through.

How to renew the SSL Certificate in Traps ESM

• Import or generate the new certificate to the ESM Server.
• Open the Internet Information Services (IIS) Manager.
• Choose the Server and from the home page choose “Server Certificates”.
• Import the new certificate.
• Open an elevated CMD, and according to the port you set the ESM to use run the following command: netsh http show sslcert ipport=0.0.0.0:2125
• Check the Hash of the certificate, it should be the expired certificat’s.
• Then back to IIS Manager from the left column open “Application Pool”, then “Sites”, then “Default Web Site”.
• In the action column choose “Bindings”.
• According to your configuration if you are using the default settings which is port 2125, then check if the port is listed and click on “edit”, if not then click “add” as it will be overwritten because as the CMD command showed, the certificate is used on this port.
• Fill as bellow:
  • Type: “https”
  • ip address: “All Unassigned”
  • Port: “2125”
  • SSL certificate: “Choose the new certificate”.
• Then click ok.
• 
• From the CMD run the command “netsh http show sslcert ipport=0.0.0.0:2125” again and confirm that the new certificate’s hash is now showing.
• Check-in the agents and confirm the connectivity.

It would be nice if PAN can confirm it too, and maybe make it a KB.

Regards