As someone who has used Microsoft Advanced Threat Analytics (ATA) for a few years, one of the frustrations has been renewing the certificate used by ATA. If you have an internal PKI set up, you usually allow it to renew your certificates automatically before they expire, which is great. The issue here is that ATA doesn’t support automatic renewal of its certificate. Instead, you need to create a new certificate. If you try to renew the certificate through the Certificates MMC snap-in, you’ll run into the same issues as with an automatic renewal: the Center still looks for the old thumbprint, so the ATA log shows errors similar to this:
2020-01-09 12:34:27.9920 1140 98 Error [CertificateExtension] Microsoft.Tri.Infrastructure.Utils.ExtendedException: There are no matching certificates [StoreLocation=LocalMachine StoreName=My thumbprint=89E1C9790B175D2E6B716CFDDABA3D9F444829F6]
If your certificate expires or automatically renews, the only resolution is to redeploy ATA, and you will lose all of your configuration, alerts, and behavior analysis history. In 2020, Microsoft changed the certificate expiration notice from three weeks to three months. If you have email notifications set up, you should receive an email alert and also see notices within the ATA console.
ATA Certificate Requirements
According to Microsoft’s documentation, the certificate must have:
- A private key
- A provider type of either Cryptographic Service Provider (CSP) or Key Storage Provider (KSP)
- A public key length of 2048 bits
- A value set for KeyEncipherment and ServerAuthentication usage flags
- KeySpec (KeyNumber) value of “KeyExchange” (AT_KEYEXCHANGE). The value “Signature” (AT_SIGNATURE) is not supported.
- All Gateway machines must be able to fully validate and trust the selected Center certificate.
Microsoft states that you can use the standard Web Server or Computer templates.
Renew ATA Certificate
From my experience, if you’re also using the certificate for the web interface, you’ll want your server name as the Subject CN and the web address as a Subject Alternative Name (SAN) DNS entry to keep the browser happy.
If you’re using an internal PKI:
- Open the Certificates MMC Snap-in and go to the Personal Certificates Store
- Go to Action > All Tasks > Request New Certificate
- Depending on your enrollment method, go through the steps to request a new Web Server or Computer template certificate using the CN and SAN described above
- Go to your CA and approve the certificate
- Import or automatically retrieve your certificate on the ATA server
Once the certificate is imported, verify that it is linked to the private key, then proceed to the ATA Console:
- Go to Settings > Configuration > Center
- In the Certificate dropdown, find the new certificate, select it, and click Save
- Go to the Gateways tab and wait for all of your gateways to sync the change
- Go back to the Center tab and click Activate
- Go back to the Gateways tab again and verify they all sync
- For good measure, restart the ATA Windows Server and verify everything starts as expected
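Before selecting the new certificate in the console, it helps to confirm it actually meets the requirements listed above and is linked to its private key. The following script is an added example, not from Microsoft, ATA, or this post; it takes the new certificate's thumbprint (a placeholder you supply), reads the certificate from the local machine Personal store, and reports each requirement. Run it on the ATA Center, and on each Gateway for the trust check.

```powershell
# Added example: checks one certificate against the ATA requirements above.
# Not part of ATA or the original post. Thumbprint is whatever your new cert's is.
param(
    [Parameter(Mandatory)][string]$Thumbprint   # thumbprint of the newly issued certificate
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# Key usage bits and EKU OIDs are read from the X.509 extensions themselves.
$ku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuthOid   = '1.3.6.1.5.5.7.3.1'
$keyEncipherment = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment

# Public key length; GetRSAPublicKey returns $null when the key is not RSA.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
$keySize = if ($rsa) { $rsa.KeySize } else { 0 }

# KeySpec is only exposed this way for CSP keys. For a KSP key, .PrivateKey is
# empty (or throws on older .NET); confirm those with: certutil -v -store My <thumbprint>
$keySpec = 'unknown (KSP key, check with certutil)'
try {
    if ($cert.PrivateKey -and $cert.PrivateKey.CspKeyContainerInfo) {
        # KeyNumber is Exchange (AT_KEYEXCHANGE) or Signature (AT_SIGNATURE)
        $keySpec = $cert.PrivateKey.CspKeyContainerInfo.KeyNumber
    }
} catch { }

[PSCustomObject]@{
    Subject         = $cert.Subject
    SanDnsNames     = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    NotAfter        = $cert.NotAfter
    HasPrivateKey   = $cert.HasPrivateKey                                  # must be True
    KeySize2048     = ($keySize -eq 2048)                                  # must be True
    KeyEncipherment = [bool]($ku -and (($ku.KeyUsages -band $keyEncipherment) -ne 0))
    ServerAuthEku   = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid))
    KeySpec         = $keySpec                                             # must be Exchange
    ChainTrusted    = $cert.Verify()                                       # must be True on every Gateway
}
```

If HasPrivateKey is False after importing, re-import the PFX or run certutil -repairstore on the thumbprint before continuing, since the console will list the certificate but the Center will log the "no matching certificates" error shown earlier.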