We had some older Windows instances which stopped being able to communicate with the Qualys Cloud Agent platform around Aug 15. As far as I know, there were no changes on this group of assets during this time. The agent Log.txt reports that the communication does not work because the Certificate Issuer in the trust chain of our "Cloud Agents Public URL" is unknown. The exact error string is as below:
"The function is unfamiliar with the Certificate Authority that generated the server's certificate"
The following Cloud Agent query highlights this issue:
tags.name:'Cloud Agent' and lastVmScanDate:[2018-01-01 ... 2018-08-16]
We see the following Qualys documentation from last year, when an updated VeriSign Root CA certificate was required.
We see the Period of Validity of the current Cloud Agent Public URL started on Aug 14, 2018, meaning it was recently updated, and around the same time that this subset of our Windows agents stopped reporting. We see the following trust chain:
“DigiCert Global Root CA”
+-“DigiCert SHA2 Secure Server”
On our older Windows hosts, which do not already contain the "DigiCert Global Root CA", we find that installing that cert alone is enough: even without a service restart or reboot, the agent is able to communicate with the cloud agent platform/website.
Does anyone know if there was some type of overlap/grace period between VeriSign and DigiCert certificate chains which was recently ended? Most of our Windows hosts already had the DigiCert CA, so I'm trying to understand if something changed on our side, or the Qualys side.
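
To find which hosts are affected before agents go silent, the check described in the post can be scripted. The following is an added example, not part of the original post and not Qualys code: the function name `Get-RootCaStatus` and the optional `-ServerCertPath` parameter (a copy of the server certificate exported to a .cer file) are hypothetical, and it assumes the machine-wide Trusted Root store is the one that matters for the agent.

```powershell
# Added example: report whether a named root CA is in the machine trust store and,
# optionally, whether an exported server certificate chains to a trusted root.
function Get-RootCaStatus {
    param(
        [string]$CommonName = 'DigiCert Global Root CA',  # root named in the post
        [string]$ServerCertPath                            # hypothetical: full path to an exported .cer
    )
    # Assumption: LocalMachine\Root is the store used when the agent validates the chain.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $roots = @($store.Certificates |
            Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $CommonName })
    } finally {
        $store.Close()
    }

    $now = Get-Date
    $result = New-Object PSObject -Property @{
        CommonName    = $CommonName
        Present       = ($roots.Count -gt 0)
        # A root that is present but outside its validity window still breaks the chain.
        ValidNow      = [bool]($roots | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -ge $now })
        Thumbprints   = @($roots | ForEach-Object { $_.Thumbprint })
        ChainBuilt    = $null
        ChainStatus   = @()
        ChainSubjects = @()
    }

    if ($ServerCertPath) {
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ServerCertPath
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation checks so the result isolates trust-anchor problems and works offline.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $result.ChainBuilt    = $chain.Build($cert)
        $result.ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $result.ChainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    }
    return $result
}

Get-RootCaStatus | Format-List
```

A host where `Present` is False is a candidate for the same failure. With `-ServerCertPath`, `ChainStatus` shows the reason the chain did not build.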