SafeConsole SSL Certificate Upgrade Process for On-Premises Version(s) 5.2+


-Before You Begin-


You will need to make sure that all of the drives that are communicating with the SafeConsole server are updated to firmware version 4.8 or higher. 


You can find the latest device firmware updates here: 

datalocker.com/device-updates


-Prerequisite- 


This guide is designed to help with the process of upgrading the SSL Certificates for your SafeConsole Server. This process is only valid for SafeConsole server versions 5.2 and higher. 


Before proceeding, please make sure you have a complete backup of your entire SafeConsole Install folder. 

Please note; on SafeConsole 5.8 or newer, the default installation path is C:\Program Files\SafeConsole

For 5.7 and lower, this is usually located under program files (x86) on the C: Drive by default.


If you have any uncertainty or questions, please do not hesitate to reach out to DataLocker Support ([email protected]) before moving forward. If this process is not done correctly it could majorly affect your production environment.


-Important Certificate Requirements -


1. The Certificate should be in p12/pfx format and password protected. 
This required format is a binary format for storing the server certificate, any intermediate certificates, and the private key into a single encryptable file. PFX files are usually found with the extensions .pfx and .p12.

 

2. The Private Key needs to be included for the certificate.


The PFX files are typically used in a Windows environment to import and export certificates and private keys.


3. The Common Name needs to match the URL of the SafeConsole Server AND the common name of the previous certificate. 


The Common Name is typically composed of Host + Domain Name and will look like "hostname.yoursite.loc". SSL Server Certificates are specific to the Common Name that they have been issued to at the Host level.


4. Subject Alternative Name Extension should be configured for the server to suppress. 


The Subject Alternative Name field lets you specify additional hostnames (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, such as a Multi-Domain (SAN) or Extend Validation Multi-Domain Certificate.



-Installing the Certificate on the On-Premises SafeConsole Server-


1. Backup the SafeConsole Install folder as mentioned in the Prerequisite.


Locate the Install location of the SafeConsole Folder (Default Path Shown Below)


Default Path: C:\Program Files (x86)\safeconsole or Program Files\safeconsole (5.8 or newer) 



2. Once you have confirmed the install folder is backed up, run the SafeConsole Configurator. 


Default Path: C:\Program Files (x86)\safeconsole or Program Files\safeconsole (5.8 or newer)




3. Import the new certificate by using the SafeConsole Configurator.


After you launch the SafeConsole Configurator, navigate to step 5 of 5. Here you will be allowed to import your new certificate that follows the guidelines addressed earlier in the guide. 


Click On Import SSL certificate and then click Yes to overwrite the old certificate. 




4. Finish Installing the Certificate and restart the SafeConsole Server. 


You will get a warning that you are about to install the new certificate. The system may prompt you to verify the Thumbprint of your certificate before moving forward. Once you have verified the thumbprint click Yes to continue.  



The SafeConsole service will now start back up



-Verify Process-


To verify the installation of the new certificate, you will need to attempt a password reset on a device. You will need to force the password reset from the safe console. We recommend you do this process twice to confirm that the certificate behavior is correct.


These are the steps to perform a password reset


1. Open the device software. Get the eight-character Client Request Code (Password ID). Found under Help > Forgot password in the main screen of the device software or displayed when the wrong password is entered more than two times in sequence.


2. In SafeConsole search to find the device under Devices or Users. The Device ID or serial number is under About in the device software. Verify at least the last four numbers.


3. Select the Reset password Action in SafeConsole for the device.


4. Enter the Client Request Code (Password ID) in the SafeConsole prompt.


5. The 24 character long Server Response Code will be displayed, and you can click to email it to the registered device user email address. You can also read the string to the device user. Make sure to get the string right as a faulty code can destroy all stored data. We suggest employing a phonetic alphabet.


6. The device user enters the Response Code in the device software and will now be prompted to enter a new device password.