The SSL certificate is used to encrypt and decrypt the information that is transferred over the network, between Notification Server and the client computers. You can import a commercial certificate or you can create a self-signed certificate.
Types of SSL certificates in ITMS environment
In the ITMS environment, you can use a self-signed SSL certificate, or import and use an existing commercial SSL certificate. An SSL certificate is issued by a certification authority, or certificate authority (CA). The following are a few types of certification authorities:
Commercial certificate authorities, who charge for their services.
Certificate authorities owned by institutions and governments for their own use.
Self-signed and community-driven certificate authorities, which are free of charge.
During HTTPS configuration, you are required to specify whether you want to use a self-signed certificate or a commercial certificate. Therefore, you must make a judicious decision about the type of SSL certificate that you use, depending on your requirements. To help you choose a suitable certificate, the following table compares and contrasts commercial and self-signed SSL certificates.
Table: Differences between commercial SSL certificate and self-signed SSL certificate

Commercial SSL certificate: Provided by third-party certification authorities who charge a fee for their services.
Self-signed SSL certificate: Created locally as a self-signed certificate; community driven and free of charge.

Commercial SSL certificate: The certificate is obtained by creating a private key on a secure computer, generating a certificate signing request, and then sending the request to the certification authority (CA). After receiving your certificate signing request, the CA verifies your identity, and then generates the certificate for your public key and makes it available to you.
Self-signed SSL certificate: The certificate is signed with its own private key.

Commercial SSL certificate: Requires both parties to trust the certification authorities.
Self-signed SSL certificate: If the parties know each other, trust each other to protect their private keys, and can confirm the transfer of public keys, then self-signed certificates may decrease overall risk.

Commercial SSL certificate: A compromised certificate can be revoked, which prevents its further use.
Self-signed SSL certificate: A compromised certificate cannot be revoked. If the private key has been compromised, an attacker who has already gained the ability to monitor and inject data into a connection can misuse the certificate's identity.
SSL certificate requirements
You can use a commercial SSL certificate that is authenticated through a certification authority. To use a commercial certificate, it has to fulfill the following requirements:
Table: Symantec Management Platform requirements for SSL certificates
The certificate has a valid digital signature.
The certificate is issued by a certification authority that is trusted by the Notification Server computer.
The certificate is valid for at least 30 days from the import date.
Enhanced Key Usage: The Enhanced Key Usage value of the certificate is the Server Authentication OID (1.3.6.1.5.5.7.3.1).
Subject name or subject alternate name: The subject or subject alternate name matches the Notification Server computer's fully qualified domain name (FQDN).
The certificate uses one of the following hashing algorithms:
The certificate uses the RSA asymmetric algorithm.
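The following script is an added example, not part of the ITMS documentation, that checks a certificate already in the Notification Server computer's machine store against the requirements in the table above. The thumbprint and the FQDN are placeholders you replace with your own values; the hashing algorithm is only reported, because the list of accepted algorithms is not reproduced here.

```powershell
# Added example (not ITMS code): verify a candidate certificate against the
# requirements table. Run in an elevated PowerShell session on the Notification
# Server computer. Thumbprint and FQDN below are placeholders.
param(
    [string]$Thumbprint = '<THUMBPRINT-OF-CANDIDATE-CERTIFICATE>',  # placeholder
    [string]$NsFqdn     = 'ns01.example.internal'                  # placeholder FQDN
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$results = [ordered]@{}

# Signature and issuer: Test-Certificate builds the chain to the roots this
# computer trusts and verifies the signature (and revocation where available).
$results['Trusted CA, valid signature'] =
    Test-Certificate -Cert $cert -Policy SSL -DNSName $NsFqdn -ErrorAction SilentlyContinue

# Validity: at least 30 days remaining, counted from today (the import date).
$now = Get-Date
$results['Valid for >= 30 days'] = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now.AddDays(30))

# Enhanced Key Usage must contain Server Authentication.
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$results['EKU Server Authentication'] = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $serverAuthOid)

# Subject CN or a DNS entry in the Subject Alternative Name (OID 2.5.29.17)
# must match the Notification Server FQDN.
$cn   = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$sans = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
         ForEach-Object { $_.Format($false) }) -split ',\s*' |
         ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
$results['Name matches NS FQDN'] = ($cn -eq $NsFqdn) -or ($sans -contains $NsFqdn)

# Key pair must be RSA.
$results['RSA key'] = $cert.PublicKey.Oid.FriendlyName -eq 'RSA'

$results.GetEnumerator() | ForEach-Object {
    '{0,-30} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
# Compare this value with the hashing algorithms accepted by your ITMS version.
'Signature algorithm: ' + $cert.SignatureAlgorithm.FriendlyName
```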
Creating a self-signed SSL certificate
A self-signed certificate is not authenticated by a certification authority. Use this option for server testing purposes or for troubleshooting third-party SSL certificates.
To create a self-signed SSL certificate on the Notification Server computer
Log on to the Notification Server computer as an administrator.
On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.
From the Connections pane on the left, select the required connection type.
Under the IIS area, double-click Server Certificates.
From the Actions pane, click Create Self-Signed Certificate, and then specify the name for the certificate.
Click OK to save the changes.
A self-signed SSL certificate is created on the Notification Server computer.
The next step is to create an HTTPS binding for a website by using the newly created SSL certificate.
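As an added example that is not part of the ITMS documentation, the following PowerShell session performs the IIS Manager steps above and the HTTPS binding that follows them without the GUI. The site name and FQDN are placeholders; the cmdlets come from the PKI and WebAdministration modules shipped with Windows Server.

```powershell
# Added example (not ITMS code): scripted equivalent of creating a self-signed
# certificate in IIS Manager and binding it to the site over HTTPS. Run in an
# elevated PowerShell session on the Notification Server computer.
Import-Module WebAdministration

$nsFqdn   = 'ns01.example.internal'   # placeholder: Notification Server FQDN
$siteName = 'Default Web Site'        # placeholder: IIS site hosting the NS

# Create the self-signed certificate in the machine's Personal store. DnsName
# becomes both the subject CN and a SAN entry, so the name requirement in the
# table above is met for the FQDN; RSA matches the key algorithm requirement.
$cert = New-SelfSignedCertificate -DnsName $nsFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -FriendlyName "ITMS test certificate $nsFqdn" `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -NotAfter (Get-Date).AddYears(1)

# Add an HTTPS binding to the site (if missing) and attach the certificate.
if (-not (Get-WebBinding -Name $siteName -Protocol https -Port 443)) {
    New-WebBinding -Name $siteName -Protocol https -Port 443 -HostHeader $nsFqdn -SslFlags 0
}
$binding = Get-WebBinding -Name $siteName -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# A self-signed certificate is trusted by nobody by default: for testing, the
# client computers must import it into their Trusted Root store, and it cannot
# be revoked if its private key is compromised (see the comparison table).
"Created $($cert.Thumbprint) and bound it to '$siteName' for https://$nsFqdn"
```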
For server testing purposes or for troubleshooting third-party SSL certificates, you can create and use a self-signed certificate. A self-signed certificate is not authenticated through a certification authority. For a self-signed certificate, you need to specify the certificate name.
The site server certificate generator tool AeXGenSiteServerCert.exe lets you create a site server certificate. This tool is available in the base directory where you installed the ITMS solutions, for example, in the C:\Program Files\Altiris\Notification Server\Bin\Tools folder. The certificate name must match the name of the site server. Also, this certificate is signed by the special Notification Server certificate authority (CA) certificate for Cloud-enabled clients. If you do not have your own corporate certificate authority, this tool lets you easily set up HTTPS on your site servers.
For more information about setting up HTTPS communication in your ITMS environment, see the How to run ITMS on HTTPS feature card.