Handling the key exchange
When an agent tries to register and does not have a key and certificate, it automatically tries to perform a key exchange with its selected relay.
If the relay is a non-authenticating relay, it forwards the request up the relay chain to the server, which signs a certificate for the agent. This certificate can later be used by the agent when connecting to an authenticating relay.
Authenticating relays deny these automatic key exchange operations. The following is a typical scenario:
When you deploy a new BigFix environment or upgrade an existing BigFix environment to Version 11, all agents automatically perform the key exchange with their relays. If the administrator configures the internet-facing relay as an authenticating relay, the existing agents already have the certificate and work correctly. No further action is required. When you connect new agents to the authenticating relay, they do not work until the manual key exchange procedure is run on them.
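The scenario above can be played through as a small model that also lists which agents would be locked out once a relay is switched to authenticating. This is an added example, not BigFix code: the class names, function names and host names are assumptions made for illustration, and the manual key exchange is represented only by a stand-in function.

```python
from dataclasses import dataclass

@dataclass
class Relay:
    name: str
    authenticating: bool = False

@dataclass
class Agent:
    name: str
    relay: Relay            # the agent's selected relay
    has_cert: bool = False  # True once the server has signed a certificate

def register(agent: Agent) -> str:
    """Outcome of one registration attempt under the rules described above."""
    if agent.has_cert:
        return "registered"        # certificate already held, any relay accepts
    if agent.relay.authenticating:
        return "denied"            # automatic key exchange is refused
    # Non-authenticating relay: request goes up the chain, the server signs.
    agent.has_cert = True
    return "key-exchanged"

def manual_key_exchange(agent: Agent) -> None:
    """Stand-in for the administrator-run manual procedure (not modelled)."""
    agent.has_cert = True

def needs_manual_exchange(agents):
    """Agents with no certificate whose selected relay is authenticating."""
    return [a.name for a in agents
            if not a.has_cert and a.relay.authenticating]

def run_scenario():
    dmz = Relay("dmz-relay")                      # constructed sample names
    fleet = [Agent("laptop-01", dmz), Agent("laptop-02", dmz)]
    log = [register(a) for a in fleet]            # deploy or upgrade
    dmz.authenticating = True                     # relay becomes authenticating
    log += [register(a) for a in fleet]           # existing agents still work
    new = Agent("laptop-03", dmz)                 # agent added afterwards
    fleet.append(new)
    log.append(register(new))                     # refused: no certificate
    stranded = needs_manual_exchange(fleet)
    manual_key_exchange(new)
    log.append(register(new))                     # works after manual exchange
    return log, stranded

if __name__ == "__main__":
    print(run_scenario())
```

Running `needs_manual_exchange` over an inventory before changing a relay's mode shows which agents have to receive the manual procedure first.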