Requirements and usage of third-party commercial certificates with ITMS

Products

IT Management Suite

Issue/Introduction

Trying to request your own certificates with a third-party certificate vendor instead of using the self-signed ones that are created during the initial installation of the Symantec Management Platform (SMP).

What does Altiris require with CA certificates?

Environment

ITMS 8.x

Resolution

The following information can be found in our online documentation:

Requirements and Usage of Third-party Commercial Certificates

Requirements for third-party certificates
Requirement	Description
Digital signature	The certificate has a valid digital signature.
Trust	The certificate is issued by Certificate Authority which is trusted by the Notification Server computer. Note that for the site server the Certificate Authority must also be trusted by the client computers
Validity	The certificate is valid at least for 30 days from the import date.
Enhanced Key Usage	The Enhanced Key Usage value of the certificate is Server Authentication OID (1.3.6.1.5.5.7.3.1).
Subject name or subject alternate name	The requirements for subject name or subject alternate name are as follows: NS Website certificate Subject or subject alternate name matches the Notification Server computer Fully Qualified Domain Name. CEM Website certificate Subject or subject alternate name matches the Notification Server computer Fully Qualified Domain Name. Wildcard SSL certificate Subject or subject alternate name matches the Notification Server computer domain name. For example, if Notification Server's FQDN is ns.example.com, the certificate subject or alternate subject should contain *.example.com Site server SSL certificate Subject or subject alternate name matches the site server computer Fully Qualified Domain Name. For Cloud-enabled Management (CEM), the certificate has to be issued for an FQDN that can be resolved internally and by the Internet gateway. Third-party vendors require that the top-level domain name in the FQDN is a public domain.
Hashing algorithm	The certificate uses one of the following hashing algorithms: SHA1 (Symantec recommends not to use it) SHA256 SHA384 SHA512
Asymmetric algorithm	The certificate uses the RSA asymmetric algorithm.
File format	.pfx

NOTE: While not specifically mentioned above, 2048 bit certificates are sufficient.

Before you use a third-party commercial SSL certificate within Symantec Management Platform infrastructure, make sure that the certificate fulfills the technical requirements. Each type of third-party commercial certificates has to comply with the general requirements for SSL certificates and the specific requirements, like the import procedure.

For detailed description and import procedure for a given certificate, see the following:

NS Website certificate - Importing the NS Website certificate in the Symantec Installation Manager

CEM Website certificate - Importing the CEM Website certificate in the Symantec Management Console

Internet gateway certificate - Importing a third-party certificate on Internet gateway

Wildcard SSL certificate -Importing the wildcard SSL certificate

NOTE: A wildcard SSL certificate does not provide additional functionality for the Symantec Management Platform. It is used to provide HTTPS connection to a number of subdomains. Due to that fact, its requirements and import procedure are different.