
Creating or importing an SSL certificate

ITMS Installation and Upgrade

The SSL certificate is used to encrypt and decrypt the information that is transferred over the network, between Notification Server and the client computers. You can import a commercial certificate or you can create a self-signed certificate.

Types of SSL certificates in ITMS environment

In the ITMS environment, you can use a self-signed SSL certificate, or import and use an existing commercial SSL certificate. An SSL certificate is issued by a certification authority, or certificate authority (CA). The following are a few types of certification authorities:

  • Commercial certificate authorities, who charge for their services.

  • Certificate authorities owned by institutions and governments for their own use.

  • Self-signed and community-driven certificate authorities, which are free of charge.

During HTTPS configuration, you are required to specify whether you want to use a self-signed certificate or a commercial certificate. Therefore, you must make a judicious decision about the type of SSL certificate that you use, depending on your requirements. To help you choose the suitable certificate, the following table compares commercial SSL certificates with self-signed SSL certificates.

Table: Differences between commercial SSL certificate and self-signed SSL certificate

| Commercial SSL certificate | Self-signed SSL certificate |
| --- | --- |
| Provided by third-party certification authorities who charge a fee for their services. | Created locally as a self-signed certificate; community-driven and obtained free of charge. |
| Obtained by creating a private key on a secure computer, generating a certificate signing request (CSR), and then sending the CSR to the certification authority (CA). After receiving your CSR, the CA verifies your identity, then issues the certificate for your public key and makes it available to you. | Signed with its own private key. |
| Requires both parties to trust the certification authority. | If the parties know each other, trust each other to protect their private keys, and can confirm the transfer of public keys, self-signed certificates may decrease overall risk. |
| A compromised certificate can be revoked, which prevents its further use. | A compromised certificate cannot be revoked. If its private key is compromised, an attacker who has already gained the ability to monitor and inject data into a connection can impersonate that identity. |

SSL certificate requirements

You can use a commercial SSL certificate that is authenticated through a certification authority. To use a commercial certificate, it has to fulfill the following requirements:

Table: Symantec Management Platform requirements for SSL certificates

| Requirement | Description |
| --- | --- |
| Digital signature | The certificate has a valid digital signature. |
| Trust | The certificate is issued by a certification authority that is trusted by the Notification Server computer. |
| Validity | The certificate is valid for at least 30 days from the import date. |
| Enhanced Key Usage | The Enhanced Key Usage value of the certificate is Server Authentication, OID 1.3.6.1.5.5.7.3.1. |
| Subject name or subject alternate name | The subject or subject alternate name matches the fully qualified domain name (FQDN) of the Notification Server computer. |
| Hashing algorithm | The certificate uses one of the following hashing algorithms: SHA1, SHA256, SHA384, or SHA512. |
| Asymmetric algorithm | The certificate uses the RSA asymmetric algorithm. |
| File format | .pfx |
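A pre-import check of a .pfx file against the requirements in the table, as an added example that is not part of the ITMS documentation. The function name Test-NsCertificateRequirements, its parameters, and the sample path and FQDN in the usage line are assumptions; the checks themselves map one-to-one onto the table rows.

```powershell
# Added example, not from the ITMS documentation: pre-flight check of a .pfx file against the
# Notification Server certificate requirements. Run it on the Notification Server itself so the
# trust check uses that computer's certificate stores. Test-Certificate comes from the built-in
# PKI module (Windows Server 2012 and later).
function Test-NsCertificateRequirements {
    param(
        [Parameter(Mandatory)][string]$PfxPath,         # .pfx file to be imported into IIS
        [Parameter(Mandatory)][securestring]$Password,  # password protecting the .pfx
        [Parameter(Mandatory)][string]$ServerFqdn       # FQDN of the Notification Server
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $PfxPath, $Password
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU from the table above
    $rsaOid        = '1.2.840.113549.1.1.1' # rsaEncryption public-key algorithm
    $now           = Get-Date

    # Chain trust and signature validity as seen by this computer; $false on any chain error.
    $trusted = Test-Certificate -Cert $cert -Policy SSL -DNSName $ServerFqdn -ErrorAction SilentlyContinue
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = ($null -ne $eku) -and ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)
    # DnsNameList lists the SAN dNSName entries and falls back to the subject CN.
    $names = @($cert.DnsNameList.Unicode)
    $daysLeft = ($cert.NotAfter - $now).TotalDays

    $checks = [ordered]@{
        'File format is .pfx'                = ([IO.Path]::GetExtension($PfxPath) -ieq '.pfx')
        'Signature valid and chain trusted'  = [bool]$trusted
        'Valid for at least 30 days'         = ($cert.NotBefore -le $now) -and ($daysLeft -ge 30)
        'EKU includes Server Authentication' = $hasServerAuth
        'Subject or SAN matches server FQDN' = ($names -contains $ServerFqdn)
        # SHA1 is accepted by the table, but current browsers reject SHA1-signed certificates.
        'Hash is SHA1/SHA256/SHA384/SHA512'  = ($cert.SignatureAlgorithm.FriendlyName -match '^sha(1|256|384|512)RSA$')
        'Public key algorithm is RSA'        = ($cert.PublicKey.Oid.Value -eq $rsaOid)
        'Private key present in the .pfx'    = $cert.HasPrivateKey   # IIS needs it to serve TLS
    }

    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $status, $name)
    }
    # Overall result: $true only if every requirement is met.
    return -not ($checks.Values -contains $false)
}

# Usage (assumed path and FQDN; the password is read interactively so it stays out of the history):
# Test-NsCertificateRequirements -PfxPath 'C:\certs\ns01.pfx' -Password (Read-Host -AsSecureString 'PFX password') -ServerFqdn 'ns01.corp.example'
```

A FAIL on the trust row usually means the issuing CA chain is not in the Notification Server computer's Trusted Root or Intermediate stores, which is where to look before retrying the import.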

Creating a self-signed SSL certificate

A self-signed certificate is not authenticated by a certification authority. Use this option for server testing purposes or for troubleshooting third-party SSL certificates.

To create a self-signed SSL certificate on the Notification Server computer

  1. Log on to the Notification Server computer as an administrator.

  2. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.

  3. From the Connections pane on the left, select the required connection type.

  4. Under the IIS area, double-click Server Certificates.

  5. From the Actions pane, click Create Self-Signed Certificate, and then specify the name for the certificate.

  6. Click OK to save the changes.

    A self-signed SSL certificate is created on the Notification Server computer.

The next step is to create an HTTPS binding for a website by using the newly created SSL certificate.

See Creating an HTTPS binding.

For a detailed end-to-end process on setting up HTTPS communication in your ITMS environment, see Configuring Notification Server to use HTTPS after ITMS installation is completed.

Importing a commercial certificate

Use this option when you have an SSL certificate that is authenticated by a third-party certification authority (CA).

To import a commercial SSL certificate on the Notification Server computer

  1. Log on to the Notification Server computer as an administrator.

  2. On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.

  3. From the Connections pane on the left, select the required connection type.

  4. Under the IIS area, double-click Server Certificates.

  5. On the Actions pane, click Import, and then, in the Import Certificate window, enter the path to the certificate file and the certificate password.

  6. Click OK.

    The next step is to create an HTTPS binding for a website by using the newly imported SSL certificate.

    See Creating an HTTPS binding.

    For a detailed end-to-end process on setting up HTTPS communication in your ITMS environment, see Configuring Notification Server to use HTTPS after ITMS installation is completed.

For server testing purposes or for troubleshooting third-party SSL certificates, you can create and use a self-signed certificate. A self-signed certificate is not authenticated through a certification authority. For a self-signed certificate, you need to specify the certificate name.

The site server certificate generator tool AeXGenSiteServerCert.exe lets you create a site server certificate. This tool is available in the base directory where you installed the ITMS solutions, for example, in the C:\Program Files\Altiris\Notification Server\Bin\Tools folder. The certificate name must match the name of the site server. Also, this certificate is signed by the special Notification Server certificate authority (CA) certificate for Cloud-enabled clients. If you do not have your own corporate certificate authority, this tool lets you easily set up HTTPS on your site servers.

For more information about setting up HTTPS communication in your ITMS environment, see the How to run ITMS on HTTPS feature card.