
How to Generate a certificate for Cloud-Enabled Management Implementations


Article ID: 201878


Products

IT Management Suite

Issue/Introduction

The Symantec Management Platform (SMP) provides some tools for creating your own certificates in case you lost the ones generated during the initial implementation.

Environment

ITMS 8.x

Resolution

You can always create a self-signed certificate from IIS Manager:

Creating a self-signed SSL certificate

A self-signed certificate is not authenticated by a certification authority. Use this option for server testing purposes or for troubleshooting third-party SSL certificates.

To create a self-signed SSL certificate on the Notification Server computer
  1. Log on to the Notification Server computer as an administrator.

  2. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.

  3. From the Connections pane on the left, select the required connection type.

  4. Under the IIS area, double-click Server Certificates.

  5. From the Actions pane, click Create Self-Signed Certificate, and then specify the name for the certificate.

  6. Click OK to save the changes.

    A self-signed SSL certificate is created on the Notification Server computer.

The next step is to create an HTTPS binding for a website using the newly created SSL certificate.

However, if you prefer more control over what goes into the certificate, the following tools can generate the necessary certificates for you. These tools are available in the base directory where you installed the ITMS solutions, for example, in the C:\Program Files\Altiris\Notification Server\Bin\Tools folder.

The certificate name must match the name of the SMP and/or Site Server. Also, this certificate is signed by the special Notification Server certificate authority (CA) certificate for Cloud-enabled clients. If you do not have your own corporate certificate authority, these tools let you easily set up HTTPS on your SMP and/or Site Servers.

AeXGenClientCert.exe: A command-line tool that generates the client certificates that Cloud-enabled Management requires. The client certificate generator tool lets you create the client certificates that you need.
The Notification Server Agent certificate authority (CA) certificate issues these certificates. 

Cloud-enabled management (CEM) assigns client certificates to clients and site servers so that they can identify themselves when connecting to the SMP. The client certificate generator tool issues a client certificate (temporary or permanent), signed by the SPC master certificate.

The public part of the certificate is stored in the database, and both public and private parts are added to a password-protected PKCS #12 (PFX) file for installation on the site server.

Temporary certificates (created as a pair: one for gateway access, another for NS Server access) placed on a client force the NS Agent to request permanent certificates from the server. For temporary certificates, the tool also registers a virtual offline installation package in the database, so that certificate issuing can be controlled by an administrator from the SMP Console.

Permanent certificates placed on a client are used as is.


The AeXGenClientCert.exe tool accepts the following command-line parameters.

(permanent certificate): AeXGenClientCert <CommonName> -r "resource_id" [-d valid_for_days] [-o Certificate.pfx] [-p password] [-g]
(permanent certificate): AeXGenClientCert <CommonName> -r "resource_id" [-m valid_for_minutes] [-o Certificate.pfx] [-p password] [-g]
(temporary certificate): AeXGenClientCert <CommonName> -t [-d valid_for_days] [-o Certificate.pfx] [-p password] [-c number_of_clients] [-a] [-s description]
(temporary certificate): AeXGenClientCert <CommonName> -t [-m valid_for_minutes] [-o Certificate.pfx] [-p password] [-c number_of_clients] [-a] [-s package_description]

<CommonName> should be the fully-qualified domain name (FQDN) of the site server (e.g. myhost.mydomain.com).

-r: client resource GUID for permanent certificate.

-d: number of days certificate is valid for (default 7 days).

-m: number of minutes the certificate is valid for (if not set, the default period in days is used).

-o: output certificate file name.

-p: password protecting the created certificate file (default: not set).

-g: create a gateway certificate (if not set, a certificate for NS server access is created).

-t: temporary certificate creation.

-c: number of clients that can be registered with temporary certificate (default: unlimited).

-a: permanent certificate distribution will require manual confirmation of certificate requests.

-s: description of virtual offline installation package that is required for permanent certificate distribution.


example:
AeXGenClientCert.exe SMP-W2K12-01.epm.local -r F4703992-2B8D-4BA9-9691-C1C0D484FD82 -d 3650 -o SMP-W2K12-01.pfx -p password123


The generated temporary certificate is valid only for a short period of time, as specified by the NS core setting 'IBCMSiteCertificateExpiryDays' (default: 7 days). You can set a different period by passing the 'valid_for_days' parameter (must be greater than zero).

The generated permanent certificate will be valid for 20 years.


AeXGenSiteServerCert.exe: A command-line tool that generates the site server certificates. The server certificate generator tool lets you create the server certificates that you need. The Notification Server CA certificate issues these certificates.
Note: Applying a regenerated server certificate to an Internet gateway affects existing Symantec Management Agents. The existing agents cannot connect to the Internet gateway until they have received updated details of the gateway's certificate thumbprint.

Cloud-Enabled Management (CEM) assigns server certificates to Site Servers so that they can allow SSL connections. The Site Server certificate generator tool issues a client certificate, signed by the SPC master certificate.

The public part of the certificate is stored in the database, and both public and private parts are added to a password-protected PKCS #12 (PFX) file (containing the entire certificate chain) for installation on the site server.


The AeXGenSiteServerCert.exe tool accepts the following command-line parameters.

AeXGenSiteServerCert <SiteServerFQDN> [-o CertificateChain.pfx] [-p password]

<SiteServerFQDN> should be the fully-qualified domain name (FQDN) of the site server (e.g. myhost.mydomain.com). The default password is "changeit".

example:
AeXGenSiteServerCert.exe SS-W2K12-01.epm.local -o SS-W2K12-01.pfx -p password123
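As an added check (my own script, not part of this article or of the ITMS tools), the following PowerShell loads a PFX produced by either AeXGenClientCert.exe or AeXGenSiteServerCert.exe and verifies the points made above: the subject CN matches the host's FQDN, the certificate is inside its validity window, the PFX carries the issuing chain, and it prints the SHA-1 thumbprint and serial number you would later need for the gateway or for revocation. The path, password and host name are placeholders.

```powershell
# Added example, not from the article or the ITMS tools: sanity-check a PFX
# produced by AeXGenClientCert.exe / AeXGenSiteServerCert.exe before installing it.
# Path, host name and password below are placeholders.
param(
    [string]$PfxPath      = 'C:\temp\SS-W2K12-01.pfx',   # placeholder
    [string]$Password     = 'changeit',                  # AeXGenSiteServerCert default
    [string]$ExpectedFqdn = 'SS-W2K12-01.epm.local'      # host the certificate is for
)

# DefaultKeySet works on every .NET version; on .NET 4.7.2+ EphemeralKeySet avoids
# persisting the private key into the user's key store while inspecting it.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($PfxPath, $Password, $flags)   # throws on a wrong password or corrupt file

# The entry with the private key is the host certificate; any others are the
# issuing chain (the site server PFX carries the full chain).
$leaf  = @($certs | Where-Object { $_.HasPrivateKey }) | Select-Object -First 1
$chain = @($certs | Where-Object { -not $_.HasPrivateKey })
if (-not $leaf) { throw "No certificate with a private key found in $PfxPath" }

$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn       = $leaf.GetNameInfo($nameType, $false)   # subject CN
$now      = Get-Date
$daysLeft = [int]($leaf.NotAfter - $now).TotalDays

$problems = @()
if ($cn -ne $ExpectedFqdn)    { $problems += "Subject CN '$cn' does not match '$ExpectedFqdn'" }
if ($leaf.NotBefore -gt $now) { $problems += "Not valid until $($leaf.NotBefore)" }
if ($leaf.NotAfter  -lt $now) { $problems += "Expired on $($leaf.NotAfter)" }
if ($chain.Count -gt 0 -and -not ($chain | Where-Object { $_.Subject -eq $leaf.Issuer })) {
    $problems += "Issuer '$($leaf.Issuer)' is not among the chain certificates in the PFX"
}

# Thumbprint (SHA-1) and serial number are the two identifiers AeXRevokeCertificate
# accepts; the thumbprint is also what agents must know for the Internet gateway.
[pscustomobject]@{
    Subject         = $leaf.Subject
    Issuer          = $leaf.Issuer
    Thumbprint      = $leaf.Thumbprint
    SerialNumber    = $leaf.SerialNumber
    NotAfter        = $leaf.NotAfter
    DaysRemaining   = $daysLeft
    ChainCertsInPfx = $chain.Count
} | Format-List

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "OK: $PfxPath is usable for $ExpectedFqdn ($daysLeft days remaining)"
```

A temporary client certificate is expected to show only a few days remaining (the 'IBCMSiteCertificateExpiryDays' default is 7), so treat DaysRemaining as informational for those.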


AeXRevokeCertificate.exe: The certificate revocation tool. This tool lets you revoke a certificate by updating the certificate revocation list (CRL).


Internet-based Cloud-Enabled Management (CEM) requires the ability to inform the internet gateway (proxy) that certain client certificates have been compromised, and are not to be trusted.

To this end, a Certificate Revocation List (CRL) is maintained on the SPC machine, and exported to a PEM-encoded file (which is then consumed by the Apache proxy server on the gateway).

The CRL is stored in the root machine store (but certificates are stored in the database).

To revoke a certificate, the tool loads the existing CRL (if it exists), adds the certificate serial number to it, and then generates a PEM-encoded file containing the CRL.


The AeXRevokeCertificate.exe executable is the Altiris certificate revocation tool. It is used to revoke certificates so that the internet client gateway no longer trusts them.

The tool accepts the following command-line parameters.

AeXRevokeCertificate -o <CRLFile.PEM> <-t Sha1ThumbPrint | -s SerialNumber>

CRLFile.pem is the name of the PEM-encoded CRL file that will be installed on the gateway.
Where more than one certificate in the database has the same serial number, use the SHA-1 thumbprint to identify the certificate. Conversely, if two certificates have the same thumbprint, identify the certificate by serial number.


See our Admin Guide under "Revoking a Cloud-enabled Management certificate".