Requirements and usage of third-party commercial certificates with ITMS
Article ID: 241066

Products

IT Management Suite

Issue/Introduction

You want to request your own certificates from a third-party certificate vendor instead of using the self-signed certificates that are created during the initial installation of the Symantec Management Platform (SMP).

What does Altiris require of CA-issued certificates?

Environment

ITMS 8.x

Resolution

The following information can be found in our online documentation:

Requirements and Usage of Third-party Commercial Certificates

Requirements for third-party certificates

Requirement: Description

Digital signature

The certificate carries a valid digital signature from its issuer.

Trust

The certificate is issued by a Certificate Authority (CA) that is trusted by the Notification Server computer, that is, the issuing chain resolves to a root in that computer's Trusted Root Certification Authorities store.

Note that for a site server certificate the CA must also be trusted by the client computers that connect to that site server.

Validity

The certificate is valid for at least 30 days from the import date.

Enhanced Key Usage

The Enhanced Key Usage (EKU) extension of the certificate contains the Server Authentication OID (1.3.6.1.5.5.7.3.1).

Subject name or subject alternative name

The requirements for the subject name or subject alternative name (SAN) are as follows:

  • NS Website certificate

The subject or subject alternative name matches the Fully Qualified Domain Name (FQDN) of the Notification Server computer.

  • CEM Website certificate

The subject or subject alternative name matches the Fully Qualified Domain Name (FQDN) of the Notification Server computer.

  • Wildcard SSL certificate

The subject or subject alternative name matches the domain of the Notification Server computer. For example, if the Notification Server's FQDN is ns.example.com, the certificate subject or subject alternative name should contain *.example.com. A wildcard covers exactly one label, so *.example.com matches ns.example.com but not ns.site1.example.com.

  • Site server SSL certificate

The subject or subject alternative name matches the Fully Qualified Domain Name (FQDN) of the site server computer.

For Cloud-enabled Management (CEM), the certificate has to be issued for an FQDN that resolves both internally and through the Internet gateway. Public CAs issue certificates only for names under a public top-level domain, so a name under a private suffix such as .local cannot be used for the CEM certificate.

Hashing algorithm

The certificate is signed with one of the following hash algorithms:

  • SHA1 (Symantec recommends not to use it; public CAs no longer issue SHA-1 certificates and current browsers reject them)
  • SHA256
  • SHA384
  • SHA512

Asymmetric algorithm

The certificate uses the RSA asymmetric algorithm. Certificates with other key types, such as ECDSA, do not meet this requirement.

File format

.pfx (PKCS #12), containing the certificate together with its private key and, where the vendor supplies them, the intermediate CA certificates of the issuing chain.

NOTE: While key length is not listed above, a 2048-bit RSA key is sufficient.
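The following PowerShell script, added here as an example and not taken from the Symantec/Broadcom documentation, loads a .pfx and checks it against each requirement in the table above before you import it. The PFX path and the expected FQDN are assumptions passed as parameters; run it on the Notification Server, and for a site server or CEM certificate also on a managed client, because the trust check depends on the root store of the host it runs on.

```powershell
# Added example (not part of the Symantec/Broadcom documentation): check a
# third-party .pfx against the ITMS certificate requirements before import.
# $PfxPath and $ExpectedFqdn are assumptions supplied by the caller.
using namespace System.Security.Cryptography.X509Certificates
param(
    [Parameter(Mandatory)] [string] $PfxPath,       # e.g. C:\certs\ns.pfx (assumed)
    [Parameter(Mandatory)] [string] $ExpectedFqdn   # e.g. ns.example.com (assumed)
)

$cert = Get-PfxCertificate -FilePath $PfxPath       # prompts for the PFX password
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $script:results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

# Wildcard matching as browsers apply it (RFC 6125 section 6.4.3): *.example.com
# matches ns.example.com, but neither example.com nor a.b.example.com.
function Test-NameMatch([string]$Name, [string]$Fqdn) {
    $n = $Name.ToLowerInvariant(); $f = $Fqdn.ToLowerInvariant()
    if ($n -eq $f) { return $true }
    if ($n.StartsWith('*.')) {
        $suffix = $n.Substring(1)                                   # ".example.com"
        return $f.EndsWith($suffix) -and
               ($f.Substring(0, $f.Length - $suffix.Length) -notmatch '\.')
    }
    return $false
}

# 1. Digital signature and trust: build the chain on this host with revocation checking.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
$trusted = $chain.Build($cert)
$chainInfo = if ($trusted) { "issuer: $($cert.Issuer)" } else { $chain.ChainStatus.Status -join ', ' }
Add-Result 'Signature and trust chain' $trusted $chainInfo

# 2. Validity: usable now and for at least 30 days after the import date.
$now = Get-Date
$validityOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now.AddDays(30))
Add-Result 'Valid for >= 30 days' $validityOk "NotAfter $($cert.NotAfter)"

# 3. EKU extension must list Server Authentication (1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } | Select-Object -First 1
$serverAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
Add-Result 'EKU Server Authentication' ([bool]$serverAuth) $(if ($eku) { $eku.Format($false) } else { 'no EKU extension' })

# 4. Subject CN plus every DNS entry of the SAN extension (OID 2.5.29.17) must cover the FQDN.
$names = @($cert.GetNameInfo([X509NameType]::SimpleName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # On Windows, Format() renders the SAN as "DNS Name=ns.example.com, DNS Name=..."
    $names += @($san.Format($false) -split ',\s*' |
        Where-Object { $_ -like 'DNS Name=*' } | ForEach-Object { ($_ -split '=', 2)[1] })
}
$matched = $names | Where-Object { Test-NameMatch $_ $ExpectedFqdn }
Add-Result "Name covers $ExpectedFqdn" ([bool]$matched) ($names -join ', ')

# 5. Signature hash: SHA-256/384/512 pass; sha1RSA is accepted by ITMS but discouraged.
$sig = $cert.SignatureAlgorithm.FriendlyName                      # e.g. sha256RSA
Add-Result 'Hash SHA-256 or stronger' ($sig -match '^sha(256|384|512)') $sig

# 6. RSA key of at least 2048 bits (an ECDSA key does not meet the requirement).
$rsa = [RSACertificateExtensions]::GetRSAPublicKey($cert)
Add-Result 'RSA key >= 2048 bits' (($null -ne $rsa) -and ($rsa.KeySize -ge 2048)) "$($cert.PublicKey.Oid.FriendlyName) $($rsa.KeySize)"

# 7. A server certificate cannot be used without its private key in the PFX.
Add-Result 'Private key present' $cert.HasPrivateKey $cert.Thumbprint

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }
```

The trust check (step 1) is the one that differs per host: a chain that builds on the Notification Server can still fail on a client that lacks the vendor's root or intermediate, which is the case the site server note above warns about, so repeat the script there before rolling the certificate out.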

Before you use a third-party commercial SSL certificate within the Symantec Management Platform infrastructure, make sure that the certificate fulfills the technical requirements above. Each type of third-party commercial certificate has to comply with the general requirements for SSL certificates and with its own specific requirements, including the import procedure.

For detailed description and import procedure for a given certificate, see the following:

NOTE: A wildcard SSL certificate does not provide additional functionality for the Symantec Management Platform. It is used to provide HTTPS connections to a number of subdomains with a single certificate. For that reason, its requirements and import procedure are different.