Thursday, 28 November 2019

Replace the MS Advanced Threat Analytics (ATA) Center Certificate

Replace the MS Advanced Threat Analytics (ATA) Center Certificate


This guide is based on the Microsoft Document but goes into a little more detail and should be clearer, you should review the Microsoft guide as well as this one.


I am purposely not using auto enrolment. This may generate a new thumbprint if the certificate auto renews, causing all the gateways to stop talking to the ATA Center server. This process must be done manually before the certificate expires each time!

This guide assumes you have a PKI infrastructure in your domain. The certificate you generate must be trusted by the gateway for this to work otherwise the gateways will disconnect from the ATA Center.

In this guide, I will:

  • Add a second server certificate
  • Update all the gateways so they recognise the new certificate
  • Switch to the new certificate
  • Update all the gateways again so they only use the new certificate.

Replacing the certificate

  • Check the existing certificate in the management panel. Currently all the gateways only have this certificate pinned in their configuration and will only talk to the Center if it’s using this certificate.

not secure

Center Configuration

Generating the New Certificate

  • Log into the ATA Center Server and open “Manage Computer Certificates”
  • Open Personal > Certificates
  • Right click in the right pane
  • Select All Tasks > Advanced Options > Create Custom Request.

Create Custom Certificate

  • Follow the enrolment wizard and select web server certificate template

Certificate Enroll

Web Server Template

  • On the Certificate Information screen, expand details and click properties

Web Certificate Information

  • Fill out the form, include all the relevant details including alternative names

Filling in Certificate Information

  • Save the CSR somewhere handy

Save As

  • Copy the CSR to your issuing CA

  • Run the following certreq command to generate the certificate

    certreq -submit -config “VPKI1\Dorset Council Issuing CA-1” server1.csr server1.cer

  • Copy the resulting files back to the ATA Center server

Copy files in PowerShell

Importing the Certificate

  • Open the certificate, note the thumbprint, then install the certificate into the local computer, Personal store

Freshly Minted Certificate

Freshly Minted Certificate Thumbprint

Import Wizard Local Machine

Import Wizard Personal Store

Replacing the Certificate in ATA Center

  • Log into ATA Center web console
  • Configuration > Center
  • Select the new certificate, check the thumbprint matches the newly installed cert


ATA Center Select Certificate

  • Click Save and wait for all gateways to sync the config – do not click activate

Gateways Syncing

Gateways Synced

  • Once you see the Green message that all gateways have synced the config click Activate and wait for all gateways to sync the config again.

Activate the Certificate

Gateways Syncing

Gateways Synced

  • You can now restart the ATA Center service in Windows

Restart ATA Center Service

When you reload the page in a fresh browser, the certificate should now be the new trusted cert.


  1. Hi, Great guide, thanks. I've got all the way through and all looks ok, but its saying (not supported) in brackets next to the cert in the ATA console. Do you know what would cause this? thankyou!

  2. Check the key length of your certificate, it must be 2048 bits

  3. Spot on, thanks. Our old Webserver template was still 1024 bits.


Please be nice! :)