
Requirements and usage of third-party commercial certificates with ITMS


Article ID: 241066


Products

IT Management Suite

Issue/Introduction

The customer wants to request their own certificates from a third-party certificate vendor instead of using the self-signed certificates that are created during the initial installation of the Symantec Management Platform (SMP).

Do you know if there is anything that Altiris requires with CA certificates?

Environment

ITMS 8.5, 8.6

Resolution

The following information can be found in our online documentation:

Requirements and Usage of Third-party Commercial Certificates


Requirements for third-party certificates

Digital signature: The certificate has a valid digital signature.

Trust: The certificate is issued by a Certificate Authority that is trusted by the Notification Server computer. Note that for a site server the Certificate Authority must also be trusted by the client computers.

Validity: The certificate is valid for at least 30 days from the import date.

Enhanced Key Usage: The Enhanced Key Usage value of the certificate is the Server Authentication OID (1.3.6.1.5.5.7.3.1).

Subject name or subject alternate name: The requirements for the subject name or subject alternate name are as follows:

  • NS Website certificate: Subject or subject alternate name matches the Notification Server computer Fully Qualified Domain Name.
  • CEM Website certificate: Subject or subject alternate name matches the Notification Server computer Fully Qualified Domain Name.
  • Wildcard SSL certificate: Subject or subject alternate name matches the Notification Server computer domain name. For example, if the Notification Server's FQDN is ns.example.com, the certificate subject or subject alternate name should contain *.example.com.
  • Site server SSL certificate: Subject or subject alternate name matches the site server computer Fully Qualified Domain Name.

For Cloud-enabled Management (CEM), the certificate has to be issued for an FQDN that can be resolved internally and by the Internet gateway. Third-party vendors require that the top-level domain name in the FQDN is a public domain.

Hashing algorithm: The certificate uses one of the following hashing algorithms:

  • SHA1 (Symantec recommends not to use it)
  • SHA256
  • SHA384
  • SHA512

Asymmetric algorithm: The certificate uses the RSA asymmetric algorithm.

File format: .pfx


NOTE: While not specifically mentioned above, a 2048-bit key is sufficient.
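The requirements above can be checked on the server before the certificate is imported. The following PowerShell function is an added example and is not part of the Broadcom article or of the ITMS product; it assumes a hypothetical .pfx path and target FQDN (the values in the usage line are constructed placeholders), evaluates the chain against the trust store of the computer it runs on, and returns one pass/fail row per requirement. It also applies the one-label wildcard rule from the subject-name requirement and reports the key size against the 2048-bit note, which the table itself does not spell out.

```powershell
# Added example, not from the Broadcom KB article or the ITMS product: checks a .pfx
# against the requirements listed above. Inputs are assumptions: the .pfx path and the
# FQDN the certificate is meant to protect (NS, CEM website or site server).

function Test-NameMatch([string] $CertName, [string] $Fqdn) {
    # A wildcard name covers exactly one label: *.example.com matches
    # ns.example.com but not a.b.example.com or example.com.
    if ($CertName.StartsWith('*.')) {
        $labels = $Fqdn.Split('.')
        if ($labels.Count -lt 2) { return $false }
        return (($labels[1..($labels.Count - 1)] -join '.') -ieq $CertName.Substring(2))
    }
    return ($CertName -ieq $Fqdn)
}

function Test-ItmsCertificateRequirements {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        [Parameter(Mandatory = $true)] [string] $ExpectedFqdn
    )

    # Run this on the Notification Server or site server itself, because the trust
    # check below uses that computer's certificate stores. Get-PfxCertificate prompts
    # for the PFX password when the file is protected.
    $cert = Get-PfxCertificate -FilePath $PfxPath
    $results = New-Object System.Collections.Generic.List[object]

    function Add-Result([string] $Name, [bool] $Passed, [string] $Detail) {
        $results.Add([pscustomobject]@{ Requirement = $Name; Passed = $Passed; Detail = $Detail })
    }

    # File format: the platform imports a .pfx, i.e. certificate plus private key.
    $fileExt = [IO.Path]::GetExtension($PfxPath)
    Add-Result 'File format' (($fileExt -ieq '.pfx') -and $cert.HasPrivateKey) `
        ("Extension {0}, private key present: {1}" -f $fileExt, $cert.HasPrivateKey)

    # Digital signature and trust: Verify() builds the chain and validates it against
    # this computer's stores (for a site server, client computers must trust the CA too).
    Add-Result 'Digital signature / Trust' ($cert.Verify()) ("Issuer: {0}" -f $cert.Issuer)

    # Validity: already valid today and at least 30 days remaining from the import date.
    $now = Get-Date
    Add-Result 'Validity' (($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now.AddDays(30))) `
        ("NotBefore {0:u}, NotAfter {1:u}" -f $cert.NotBefore, $cert.NotAfter)

    # Enhanced Key Usage must contain Server Authentication (1.3.6.1.5.5.7.3.1).
    $ekuOids = @()
    foreach ($extension in $cert.Extensions) {
        if ($extension -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += @($extension.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    Add-Result 'Enhanced Key Usage' ($ekuOids -contains '1.3.6.1.5.5.7.3.1') ("EKU OIDs: {0}" -f ($ekuOids -join ', '))

    # Subject or SAN must match the expected FQDN. The 'DNS Name=' prefix is what
    # Format() emits on English Windows; other locales may need a different pattern.
    $names = @()
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })
    }
    $nameOk = @($names | Where-Object { Test-NameMatch $_ $ExpectedFqdn }).Count -gt 0
    Add-Result 'Subject name or SAN' $nameOk ("Names: {0}" -f ($names -join ', '))

    # Hashing algorithm, identified by the signature algorithm OID. SHA1 is accepted
    # by the platform but not recommended, so it passes with a remark.
    $hashByOid = @{
        '1.2.840.113549.1.1.5'  = 'SHA1'
        '1.2.840.113549.1.1.11' = 'SHA256'
        '1.2.840.113549.1.1.12' = 'SHA384'
        '1.2.840.113549.1.1.13' = 'SHA512'
    }
    $hash = $hashByOid[$cert.SignatureAlgorithm.Value]
    $hashDetail = "Signature algorithm: {0}" -f $cert.SignatureAlgorithm.FriendlyName
    if ($hash -eq 'SHA1') { $hashDetail += ' (accepted, but Symantec recommends against SHA1)' }
    Add-Result 'Hashing algorithm' ($hash -in @('SHA1', 'SHA256', 'SHA384', 'SHA512')) $hashDetail

    # Asymmetric algorithm: RSA. GetRSAPublicKey() returns $null for non-RSA keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyDetail = if ($rsa) { "RSA {0}-bit" -f $rsa.KeySize } else { "Not RSA ({0})" -f $cert.PublicKey.Oid.FriendlyName }
    if ($rsa -and $rsa.KeySize -lt 2048) { $keyDetail += ' (below the 2048-bit size noted above)' }
    Add-Result 'Asymmetric algorithm' ($null -ne $rsa) $keyDetail

    return $results
}

# Usage (constructed placeholders):
# Test-ItmsCertificateRequirements -PfxPath 'C:\certs\ns.pfx' -ExpectedFqdn 'ns.example.com' | Format-Table -AutoSize
```

Because the trust check relies on the local certificate stores, a certificate that passes on the Notification Server can still fail on a site server or client whose stores lack the issuing CA, which is exactly the case the Trust requirement calls out; run the function on each computer that will have to trust the certificate.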


Before you use a third-party commercial SSL certificate within the Symantec Management Platform infrastructure, make sure that the certificate fulfills the technical requirements. Each type of third-party commercial certificate has to comply with both the general requirements for SSL certificates and the type-specific requirements, such as the import procedure.

For detailed description and import procedure for a given certificate, see the following:

  • NS Website certificate

Importing the NS Website certificate in the Symantec Installation Manager

  • CEM Website certificate

Importing the CEM Website certificate in the Symantec Management Console

  • Internet gateway certificate

Importing a third-party certificate on Internet gateway

  • Wildcard SSL certificate

A wildcard SSL certificate does not provide additional functionality for the Symantec Management Platform. It is used to provide an HTTPS connection to a number of subdomains. For that reason, its requirements and import procedure are different.

Importing the wildcard SSL certificate