Step 1: Creating private keys and certificates
To improve security, create your own private key and certificate instead of using the self-signed ones that BigFix Inventory provides by default. You can use OpenSSL to create a private key and a certificate signing request (CSR); the CSR becomes a certificate once a certificate authority (CA) signs it.
Before you begin
Remember: Use the latest OpenSSL version to create private keys and certificates.
This procedure is valid for all operating systems that support OpenSSL.
If you are generating an encrypted private key in the PKCS#8 format, add the following line to the installation_dir/jre/lib/security/java.security file:
security.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
Then, restart the BigFix Inventory server.
Procedure
- Open the command line.
- Create a new private key:
  openssl genrsa -des3 -out key_name.key key_strength
  For example: openssl genrsa -des3 -out inventory.key 2048
  Where:
  - -des3
  - Protects the private key with a passphrase (Triple DES encryption of the key file). This is an optional parameter. On current OpenSSL releases prefer -aes256 in its place; if more than one cipher option is given on the command line, the last one wins. You can also add a passphrase to an existing, unencrypted private key afterwards with the openssl rsa command.
  - key_name
  - File name for your new private key.
  - key_strength
  - Key strength, measured in bits. The maximum value that you can use for BigFix Inventory is 2048 bits; do not go below 2048, because shorter RSA keys are rejected by current browsers and CAs.
- Create a certificate signing request (CSR). The request is bound to your private key and is later transformed into a certificate:
  openssl req -new -key path_to_private_key.key -out csr_name.csr
  For example: openssl req -new -key private_key.key -out CSR.csr
  Where:
  - path_to_private_key - Path to your private key. If the key is passphrase-protected, OpenSSL prompts for the passphrase.
  - csr_name - File name for your certificate signing request (CSR).
After you run the command, you are asked to provide information that helps your users to identify your certificate and ensure that it can be trusted. The following excerpt from the command line is filled in with sample information. You must replace the data with actual information. The Common Name must be the fully qualified host name under which users reach the BigFix Inventory server.
Country Name (2 letter code) [XX]: US
State or Province Name (full name) []: New York
Locality Name (eg, city) [Default City]: New York
Organization Name (eg, company) [Default Company Ltd]: HCL
Organizational Unit Name (eg, section) []: Software
Common Name (eg, your name or your server's hostname) []: inventory.bigfix.com
Email Address []: inventory@bigfix.com
Note: You must also add a subject alternative name (SAN) to the certificate signing request (CSR). A SAN lists the DNS names and IP addresses that the certificate secures; include every name that users or integrated systems use to reach the server, not only the Common Name. How you add the SAN depends on your OpenSSL version: OpenSSL 1.1.1 and later accept it directly on the openssl req command line (the -addext option), while older versions require the extension to be declared in an OpenSSL configuration file. A SAN is mandatory in many web browsers, especially in Chrome since the Chrome 58 deprecation of Common Name matching (https://developer.chrome.com/blog/chrome-58-deprecations/) and in Firefox version 101 and above: these browsers reject a certificate that has no SAN even when the Common Name matches the host name.
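The whole procedure as one non-interactive script, added here as an example and not taken from the BigFix Inventory documentation or product: it generates the passphrase-protected key, shows how to add a passphrase to a key that was created without one, builds a CSR with the subject and a SAN supplied on the command line, converts the key to PKCS#8 (the case the java.security note above covers), and checks the CSR before it goes to the CA. It assumes OpenSSL 1.1.1 or later (required for req -addext); the host name inventory.example.com, the IP address 192.0.2.10, the passphrase and the file names are placeholders.

```shell
#!/bin/sh
# Added example, not HCL's script. Assumes OpenSSL >= 1.1.1 (for `req -addext`).
# Placeholders: host name, IP address, passphrase, e-mail, file names.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/inventory.key"
CSR="$WORKDIR/inventory.csr"
CN="inventory.example.com"                 # placeholder host name
SAN_IP="192.0.2.10"                        # placeholder (TEST-NET-1) address
PASS="pass:ChangeMe-NotForProduction"      # placeholder; prefer -passout file:/env: in practice

# Step 1: 2048-bit RSA key (the documented ceiling for BigFix Inventory),
# protected with AES-256 instead of the older -des3 shown on the page.
make_key() {
    openssl genrsa -aes256 -passout "$PASS" -out "$KEY" 2048 2>/dev/null
}

# Adding a passphrase to a key that was generated without one: the standard
# `openssl rsa` form (the page mentions this case but does not show the command).
encrypt_existing_key() {
    plain="$1"; enc="$2"
    openssl rsa -in "$plain" -aes256 -passout "$PASS" -out "$enc" 2>/dev/null
}

# Step 2: CSR with the subject given via -subj (same fields as the interactive
# prompts) and a SAN covering the host name and an IP, so browsers that no
# longer fall back to the Common Name still accept the certificate.
make_csr() {
    openssl req -new -key "$KEY" -passin "$PASS" -out "$CSR" \
        -subj "/C=US/ST=New York/L=New York/O=HCL/OU=Software/CN=$CN/emailAddress=inventory@example.com" \
        -addext "subjectAltName=DNS:$CN,IP:$SAN_IP"
}

# Optional: PKCS#8 form of the key (PBES2 with AES-256-CBC), which is the
# case the java.security / BouncyCastle note applies to.
to_pkcs8() {
    openssl pkcs8 -topk8 -in "$KEY" -passin "$PASS" -v2 aes-256-cbc \
        -passout "$PASS" -out "$KEY.pk8"
}

# Check before submitting to the CA: the CSR's self-signature verifies and the
# SAN extension carries both the DNS name and the IP address.
check_csr() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 || return 1
    text=$(openssl req -in "$CSR" -noout -text)
    printf '%s\n' "$text" | grep -q "DNS:$CN" || return 1
    printf '%s\n' "$text" | grep -q "IP Address:$SAN_IP"
}

run_all() {
    make_key
    make_csr
    check_csr
}

run_all && echo "CSR ready for the CA: $CSR"
```

Send only the .csr file to the CA; the .key file never leaves the server. After the signed certificate comes back, compare its SAN with the CSR's (openssl x509 -in cert.pem -noout -text) before installing it, because some CAs drop or rewrite requested extensions.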