Trusted certificates

DriveLock uses trusted certificates for secure communication between the DriveLock Management Console or DriveLock Agents and the DES. You can specify these certificates in the Global Settings of a policy.

The ChangeDesCert.exe tool is located in the DriveLock Enterprise Services (DES) program directory: C:\Program Files\CenterTools\DriveLock Enterprise Service\ChangeDesCert.exe.
Note that if you want to replace an existing DES server certificate using ChangeDesCert.exe, you must first import the new certificate into the computer’s Certificate Store and configure its private key as exportable.
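
A pre-flight check for the replacement certificate before running ChangeDesCert.exe, as an added example that is not DriveLock's own code. It assumes the certificate was imported into Cert:\LocalMachine\My and uses a placeholder thumbprint. The page does not state which hash algorithm the trusted certificates list expects, so the script reports both SHA-1 and SHA-256.

```powershell
# Added example: pre-flight check for a replacement DES server certificate.
# Assumptions: the certificate was imported into LocalMachine\My, and the
# default thumbprint below is a constructed placeholder.
param(
    [string]$Thumbprint = '0000000000000000000000000000000000000000',
    [int]$WarnDays = 30
)

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My"
}
if (-not $cert.HasPrivateKey) {
    throw 'The certificate has no associated private key.'
}

# Determine whether the private key is marked exportable (RSA keys only here).
$exportable = $null
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $allow = [System.Security.Cryptography.CngExportPolicies]::AllowExport -bor
             [System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport
    $exportable = ([int]$rsa.Key.ExportPolicy -band [int]$allow) -ne 0
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $exportable = $rsa.CspKeyContainerInfo.Exportable
}

# SHA-256 over the DER encoding, next to the SHA-1 value Windows shows as Thumbprint.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$sha256Hex = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$sha256.Dispose()

$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
[pscustomobject]@{
    Subject       = $cert.Subject
    NotAfter      = $cert.NotAfter
    DaysLeft      = $daysLeft
    ExpiresSoon   = $daysLeft -lt $WarnDays
    KeyExportable = $exportable      # $null = not an RSA key, check manually
    Sha1          = $cert.Thumbprint
    Sha256        = $sha256Hex
} | Format-List
```

Run it from an elevated PowerShell session on the DES server, since reading a machine key's export policy requires access to the private key.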

Important information:

  • Make sure your certificates are always up to date. If you need to replace the DES certificate or install additional linked DES, enter the new certificates in the list in a timely manner and ensure that the DriveLock Agents are assigned this policy before they communicate with the DES (or the new linked DES).

  • As long as a DriveLock Agent has not yet managed to find the DES certificate in the list of trusted certificates, it will accept connections to any DES. Once the certificate is successfully verified, from that moment on the agent communicates only with the DES whose hash values are entered in the list of trusted certificates.

  • If you remove all certificates from this list, the agents will communicate with any DES again.

If a DriveLock Agent receives an invalid certificate, an error message is displayed on the agent and there will be no more communication between the DES and the Agent! In this case, the only solution is to make manual changes in the Agent's local registry. Please contact DriveLock Support for more information.