Kofax

How to Upgrade from Equitrac 5 to Controlsuite Equitrac whilst retaining Certificate Pinning when using Ricoh Unified Client

3024287

Problem: 

An issue arises when upgrading from EQ 5.7 and CS1.0 to 1.1 with regard to DCE certificate pinning and Ricoh PCC5.

When PCC5 clients are installed, the public key of the Device Control Engine (DCE) certificate is stored in the client to prevent 'Man in the Middle' attacks.

If additional steps are not taken, then once the CS installation is upgraded the PCC5 embedded clients are unable to communicate with DCE, because the certificate will have changed, and re-installation will be required.

Solution: 

In Equitrac v5, the DCE certificate is stored in the Equitrac-Shared folder in the certificate store of the user account running the DCE service. In Controlsuite, it is stored in the Personal certificate store of the local computer account if the service is running under Local System (or that of the service account if running under a user account).

Follow the steps here to successfully migrate the certificates:

Log onto the DCE servers with the Equitrac Service Account & open up MMC.msc. Add the certificate snap-in, selecting “My user account”.


Navigate to the “Equitrac-Shared” – “Certificates” folder & right click on the certificate selecting “All Tasks” – “Export”.

Select to export the private key.


Check & set a password of your choice.


Place the exported PFX somewhere of your choice.


The steps above can be done either before the CS installation is upgraded or following an upgrade, when you realise the Ricoh devices are not connecting.

Once the CS upgrade is completed, open Configuration Assistant & navigate to the “Certificates” section. The certificate of concern is the core “Equitrac” one. Check it & select “Import Certificate”.


Now browse to your exported PFX file & provide the password you set when you exported it. The Friendly name is auto-populated, but you can change it if you prefer.


It is then best to perform a re-enrol & also restart the DCE service. Your Ricoh devices should then connect to DCE without the need for any major work on EVERY device.

Note: The Equitrac 5 DCE certificate has a 2-year expiry, so you may have to re-configure to accept new certificates (30 years for EQ6).
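
A check that can be run on the DCE server after the import, as an added example that is not part of the original Kofax article: it compares the public key in the exported PFX with the certificates in the Personal store, since that public key is what the PCC5 clients have pinned. The function name and its parameters are assumptions made for illustration.

```powershell
# Added example (not Kofax code). Function and parameter names are hypothetical.
function Test-DcePinnedKey {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        # LocalMachine when DCE runs as Local System; CurrentUser when this is
        # run from a session of the DCE service account.
        [ValidateSet('LocalMachine', 'CurrentUser')]
        [string] $StoreLocation = 'LocalMachine'
    )

    # Read the PFX without importing it into any store.
    $pfx = Get-PfxData -FilePath $PfxPath -Password $Password
    $exported = $pfx.EndEntityCertificates[0]
    $pinnedKey = $exported.GetPublicKeyString()

    # Find certificates in the Personal store that carry the same public key.
    $found = @(Get-ChildItem -Path "Cert:\$StoreLocation\My" |
        Where-Object { $_.GetPublicKeyString() -eq $pinnedKey })

    if ($found.Count -eq 0) {
        Write-Warning ("No certificate in $StoreLocation\My has the exported " +
            "public key; PCC5 clients pinned to it will not connect.")
        return
    }

    foreach ($cert in $found) {
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey   # must be True for a server certificate
            NotAfter      = $cert.NotAfter        # Equitrac 5 certificates expire after 2 years
            Expired       = $cert.NotAfter -lt (Get-Date)
        }
    }
}

# Usage: prompt for the export password instead of typing it on the command line.
# Test-DcePinnedKey -PfxPath 'C:\path\to\exported.pfx' `
#     -Password (Read-Host -AsSecureString -Prompt 'PFX password')
```

The exported PFX contains the DCE private key, so once the import is verified, delete the file or keep it in a location with restricted access.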

Applies to:  

Product: Controlsuite Equitrac
Version: 6.x