With Equitrac PCC5.1, the Unified client uses certificate pinning to prevent 'Man in the Middle' attacks. When the product is installed using Device Registration Service (DRS), the Device Control Engine (DCE) certificate's public key is stored with the embedded client. This means that the DCE is pinned and cannot be changed without a 'Configure and Reboot' Option. In addition to this DRS pinning also stores a password that means that a 'Configure and Reboot' can only be performed by the DRS service that originally was used to install the client. Any other DRS server would need to do a 'Full install'
The DCE service creates a certificate that has a two year expiry date, which means that when the certificate expires, the client needs to be re-configured to allow it to continue to work. When the certificate expires, the Embedded client will no longer allow the user to login.
To reconfigure the DCE, it will require two configure and reboot events. This is to clear the certificate pinning from the device and enforces pinning to the new certificate.
Follow the steps below:
- First stop the DCE service.
- Open the console mmc.exe and add the Certificate Snap-in for Local Computer.
- Open the Equitrac-Shared folder and delete the old certificate.
- Restart the DCE service and a new certificate will then be created.
- Open the Device Registration Service Web Page.
- In the Applications tab, create a new Application for Ricoh SOP that has a 'dummy' Equitrac Server (127.0.0.1 or 'Maintenance' could be used).
- Reconfigure the Device (or group of devices) to point to the new Application.
- Run a configure and reboot.
- This will clear the existing certificate pinning from the client.
- Reconfigure the device back to the original application.
- Perform another 'Configure and Reboot' to complete the new registration.
- The MFD when complete will have the new certificate stored.
Note that in Control Suite (Equitrac 6 and above) the certificate has a 30 year expiry by default.
|Ricoh Unified Client||1.1|