
Update Certificate Pinning for uReset 7.12 And Earlier (Feb 2021)

On February 2, 2021 at 15:00 GMT Specops will need to renew/replace the certificate for www.ureset.com. Due to the way the uReset 7 Gatekeeper has implemented certificate pinning, customers will need to update pinning information in the registry in order for the Gatekeeper to reconnect successfully. Once the certificate is updated on our end, existing Gatekeeper connections will remain active until the next reconnect, either when the Gatekeeper server/service is restarted or on an automatic reconnect following an unexpected disconnect due to a network connectivity interruption.

Note: this change only affects customers running uReset 7.12 or earlier. uReset 8 and later customers are not affected by this change. No action is required for Specops Authentication/uReset versions 8.x.

If the certificate pinning information is not updated and the Gatekeeper fails to reconnect, customers will see the following error in their Gatekeeper admin tool:

Failed to set up Gatekeeper to uReset Server connection at ‘https://www.ureset.com/uReset.Web.GateekeeprRouting.svc’ (port 443). SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority ‘www.ureset.com’.

Additionally, users may report the following error when attempting to reset their passwords via uReset:

We have a problem
There is no connection available to the Gatekeeper service in your organization’s network. Try again by refreshing or going back in the browser and try from there.

Verify the New Certificate is Live

Specops will update the certificate as close to 15:00 GMT on February 2, 2021 as possible. In order to verify the new certificate is live, navigate to https://www.ureset.com in a browser and confirm the certificate information matches as shown here. You may need to do a force refresh (CTRL+SHIFT+R or CTRL+F5 depending on your browser).

Warning: Do NOT update the certificate chain information until you have confirmed that you see the new certificate as shown in the screenshot above. The certificate will not be updated until Feb 2, 2021 at 15:00 GMT.

Update Certificate Chain Information

Specops offers two ways to update the certificate chain information in the registry: a registry file or a PowerShell script. Complete only one of the two.

Regardless of the method chosen, please back up the HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Gatekeeper\Settings registry key before making any changes.

Update Certificate Chain Information via Registry File

The following registry file can be imported. Save the contents of the text block as a .reg file and import/execute the merge on your Gatekeeper server.

Registry file can also be downloaded here (change file extension to .reg after download): https://download.specopssoft.com/uReset7CertificatePinning/NewCertificateChain_reg_safe.txt

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Specopssoft\uReset\Gatekeeper\Settings]
"uResetSSLCertificateChainInformation"=hex(7):43,00,4e,00,3d,00,77,00,77,00,77,\
  00,2e,00,75,00,72,00,65,00,73,00,65,00,74,00,2e,00,63,00,6f,00,6d,00,2c,00,\
  20,00,4f,00,3d,00,53,00,70,00,65,00,63,00,6f,00,70,00,73,00,20,00,53,00,6f,\
  00,66,00,74,00,77,00,61,00,72,00,65,00,20,00,55,00,53,00,41,00,20,00,49,00,\
  6e,00,63,00,2e,00,2c,00,20,00,4c,00,3d,00,50,00,68,00,69,00,6c,00,61,00,64,\
  00,65,00,6c,00,70,00,68,00,69,00,61,00,2c,00,20,00,53,00,3d,00,50,00,65,00,\
  6e,00,6e,00,73,00,79,00,6c,00,76,00,61,00,6e,00,69,00,61,00,2c,00,20,00,43,\
  00,3d,00,55,00,53,00,2c,00,20,00,53,00,45,00,52,00,49,00,41,00,4c,00,4e,00,\
  55,00,4d,00,42,00,45,00,52,00,3d,00,34,00,35,00,30,00,31,00,38,00,30,00,32,\
  00,2c,00,20,00,4f,00,49,00,44,00,2e,00,31,00,2e,00,33,00,2e,00,36,00,2e,00,\
  31,00,2e,00,34,00,2e,00,31,00,2e,00,33,00,31,00,31,00,2e,00,36,00,30,00,2e,\
  00,32,00,2e,00,31,00,2e,00,32,00,3d,00,44,00,65,00,6c,00,61,00,77,00,61,00,\
  72,00,65,00,2c,00,20,00,4f,00,49,00,44,00,2e,00,31,00,2e,00,33,00,2e,00,36,\
  00,2e,00,31,00,2e,00,34,00,2e,00,31,00,2e,00,33,00,31,00,31,00,2e,00,36,00,\
  30,00,2e,00,32,00,2e,00,31,00,2e,00,33,00,3d,00,55,00,53,00,2c,00,20,00,4f,\
  00,49,00,44,00,2e,00,32,00,2e,00,35,00,2e,00,34,00,2e,00,31,00,35,00,3d,00,\
  50,00,72,00,69,00,76,00,61,00,74,00,65,00,20,00,4f,00,72,00,67,00,61,00,6e,\
  00,69,00,7a,00,61,00,74,00,69,00,6f,00,6e,00,00,00,43,00,4e,00,3d,00,44,00,\
  69,00,67,00,69,00,43,00,65,00,72,00,74,00,20,00,53,00,48,00,41,00,32,00,20,\
  00,45,00,78,00,74,00,65,00,6e,00,64,00,65,00,64,00,20,00,56,00,61,00,6c,00,\
  69,00,64,00,61,00,74,00,69,00,6f,00,6e,00,20,00,53,00,65,00,72,00,76,00,65,\
  00,72,00,20,00,43,00,41,00,2c,00,20,00,4f,00,55,00,3d,00,77,00,77,00,77,00,\
  2e,00,64,00,69,00,67,00,69,00,63,00,65,00,72,00,74,00,2e,00,63,00,6f,00,6d,\
  00,2c,00,20,00,4f,00,3d,00,44,00,69,00,67,00,69,00,43,00,65,00,72,00,74,00,\
  20,00,49,00,6e,00,63,00,2c,00,20,00,43,00,3d,00,55,00,53,00,00,00,43,00,4e,\
  00,3d,00,44,00,69,00,67,00,69,00,43,00,65,00,72,00,74,00,20,00,48,00,69,00,\
  67,00,68,00,20,00,41,00,73,00,73,00,75,00,72,00,61,00,6e,00,63,00,65,00,20,\
  00,45,00,56,00,20,00,52,00,6f,00,6f,00,74,00,20,00,43,00,41,00,2c,00,20,00,\
  4f,00,55,00,3d,00,77,00,77,00,77,00,2e,00,64,00,69,00,67,00,69,00,63,00,65,\
  00,72,00,74,00,2e,00,63,00,6f,00,6d,00,2c,00,20,00,4f,00,3d,00,44,00,69,00,\
  67,00,69,00,43,00,65,00,72,00,74,00,20,00,49,00,6e,00,63,00,2c,00,20,00,43,\
  00,3d,00,55,00,53,00,00,00,00,00

Update Certificate Chain Information via PowerShell

Execute the following PowerShell script as administrator. PowerShell 5.1 or later is required.

PowerShell script can also be downloaded here: https://download.specopssoft.com/uReset7CertificatePinning/Update-uReset7CertificatePinning.ps1

#requires -RunAsAdministrator

$ErrorActionPreference = 'Stop'

#
# Update certificate pinning chain
#
$lines = (
    'CN=www.ureset.com, O=Specops Software USA Inc., L=Philadelphia, S=Pennsylvania, C=US, SERIALNUMBER=4501802, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization',
    'CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US',
    'CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US'
    )

#
# Checksum validation to detect whether the certificate chain lines above have been altered by mistake
#
function MakeChecksum($lines)
{
    $str = [string]::Join('', $lines)
    $strAsBytes = [System.Text.Encoding]::UTF8.GetBytes($str)
    $strAsStream = [IO.MemoryStream]::new($strAsBytes)
    $hash = Get-FileHash -InputStream $strAsStream -Algorithm Sha256
    $hash.Hash
}

#
# Validate checksum before writing the new certificate pinning chain to registry
#
$actualChecksum = MakeChecksum $lines
$expectedChecksum = '7979C21956B7E0F6752E232EB40799C81F3E56A36B9F730DF928D8350354A1AA'
if ($expectedChecksum -ne $actualChecksum) {
    $err = 'Checksum validation failed, the registry settings seem to have been unexpectedly modified.'
    Write-Verbose -Verbose $err
    throw $err
}

$regPath = 'HKLM:\SOFTWARE\Specopssoft\uReset\Gatekeeper\Settings'
$regValueName = 'uResetSSLCertificateChainInformation'

#
# Do the actual write
#
Set-ItemProperty -Path $regPath -Name $regValueName -Value $lines -Type MultiString -ErrorAction Stop -Verbose -Force

Verify the Change

Verify that the value of HKLM\SOFTWARE\Specopssoft\uReset\Gatekeeper\Settings\uResetSSLCertificateChainInformation now matches the following:

CN=www.ureset.com, O=Specops Software USA Inc., L=Philadelphia, S=Pennsylvania, C=US, SERIALNUMBER=4501802, OID.1.3.6.1.4.1.311.60.2.1.2=Delaware, OID.1.3.6.1.4.1.311.60.2.1.3=US, OID.2.5.4.15=Private Organization
CN=DigiCert SHA2 Extended Validation Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
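As an added example (not part of the Specops article or the uReset product), the following PowerShell script ties the manual checks on this page together: it backs up the Settings key as requested above, reads the pinned chain from uResetSSLCertificateChainInformation, retrieves the chain that www.ureset.com currently presents, and reports any position where the two differ. Comparing the X.500 subject strings in leaf-to-root order is our assumption about how the Gatekeeper pins, inferred from the form of the registry value (the lines match .NET's X509Certificate2.Subject rendering); the backup folder is a placeholder, and outbound TCP 443 from the Gatekeeper server is assumed. A mismatch means the served chain differs from what is pinned, which is the condition behind the SecurityNegotiationException quoted above.

```powershell
#requires -RunAsAdministrator
# Added example, not from the Specops article or the uReset product.
# 1) export the Gatekeeper Settings key to a timestamped .reg backup
# 2) read the pinned chain (REG_MULTI_SZ) from the registry
# 3) fetch the chain that www.ureset.com currently serves
# 4) compare the two, subject name by subject name, leaf to root
# Assumptions (ours): the Gatekeeper matches on subject strings in that order;
# the backup folder is a placeholder; outbound TCP 443 is permitted.
$ErrorActionPreference = 'Stop'

$regKey       = 'HKLM\SOFTWARE\Specopssoft\uReset\Gatekeeper\Settings'   # reg.exe form
$regPath      = 'HKLM:\SOFTWARE\Specopssoft\uReset\Gatekeeper\Settings'  # provider form
$regValueName = 'uResetSSLCertificateChainInformation'
$hostName     = 'www.ureset.com'

function Backup-GatekeeperSettings {
    param([string]$Folder = $env:TEMP)   # placeholder; use a durable location in practice
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $Folder "uReset-Gatekeeper-Settings-$stamp.reg"
    # reg.exe export produces a .reg file that can be merged back to roll the change back.
    & reg.exe export $regKey $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export failed with exit code $LASTEXITCODE" }
    return $file
}

function Get-PinnedChain {
    # REG_MULTI_SZ is returned as string[]; one subject name per element.
    (Get-ItemProperty -Path $regPath -Name $regValueName).$regValueName
}

function Get-ServedChain {
    param([string]$Server, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        # Default certificate validation stays on: an untrusted or mismatched
        # certificate throws here, which is itself a useful signal.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # SslStream already validated the chain; here we only want the subject names,
        # so skip revocation lookups. The chain is built from the local store, so a
        # cross-signed intermediate may differ from the one sent in the handshake.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $null = $chain.Build($leaf)
        foreach ($element in $chain.ChainElements) { $element.Certificate.Subject }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

$backup = Backup-GatekeeperSettings
Write-Host "Backup written to $backup"

$pinned = @(Get-PinnedChain)
$served = @(Get-ServedChain -Server $hostName)

Write-Host "`nPinned in registry ($($pinned.Count) entries):"
$pinned | ForEach-Object { "  $_" }
Write-Host "`nServed by $hostName ($($served.Count) entries):"
$served | ForEach-Object { "  $_" }

# Compare position by position; -cne is case-sensitive, the stricter check.
$mismatch = $false
$count = [Math]::Max($pinned.Count, $served.Count)
for ($i = 0; $i -lt $count; $i++) {
    $p = if ($i -lt $pinned.Count) { $pinned[$i] } else { '<missing>' }
    $s = if ($i -lt $served.Count) { $served[$i] } else { '<missing>' }
    if ($p -cne $s) {
        $mismatch = $true
        Write-Warning "Position $i differs:`n  pinned: $p`n  served: $s"
    }
}
if ($mismatch) {
    Write-Warning 'Pinned chain does not match the served chain; the Gatekeeper will fail to reconnect until the registry value is updated.'
} else {
    Write-Host 'Pinned chain matches the served chain.'
}
```

Run it once before making the change, to take the backup and confirm that the registry still holds the old chain, and once more after the registry file or Set-ItemProperty has been applied, to confirm that the pinned and served chains now agree before restarting the Gatekeeper service.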

Finally, restart the Gatekeeper service, then reload/refresh the uReset Gatekeeper Admin tool and verify that the status is now ‘Connected to uReset.’

Customers with Multiple Gatekeepers

Please note that uReset 7 does not support running multiple Gatekeeper servers. If you have multiple Gatekeeper servers, please stop/disable the Specops uReset Gatekeeper Server service and/or uninstall the Gatekeeper on all but one of your servers.

Specops uReset 8 runs on the new Specops Authentication platform where multiple redundant gatekeepers are fully supported. Please review the migration guide and reach out to Specops support for more information on seamlessly migrating your users and enrollments to the new version: Migrating to Specops uReset 8.0

January 29, 2021
