Step 2: Signing certificates

Your certificate signing request (CSR) must be signed by a certificate authority (CA) to become a certificate that can be uploaded to BigFix Inventory. You can use the OpenSSL cryptographic library to create a private CA and sign your request.

Before you begin

Using a private CA is not the only way to sign your request. You can also send the request to an internationally trusted CA, such as Entrust or VeriSign, or use the CA of your organization. The certificates of these CAs are often trusted by default and do not display any warnings in the browser. Warnings might be displayed if you use a private CA.

Procedure

  1. Create a private certificate authority (CA) and a certificate for it.
    1. Create a private CA. This step creates a private key (.key) and a request (.csr) similar to those that you created in Creating private keys and certificates.
      openssl req -new -newkey rsa:key_strength -nodes -out CA_csr_name.csr -keyout CA_key_name.key -sha256
      For example, openssl req -new -newkey rsa:2048 -nodes -out CA_CSR.csr -keyout CA_private_key.key -sha256
      Where:
      key_strength
      Key strength, measured in bits. The maximum value that you can use for BigFix Inventory is 2048 bits.
      CA_csr_name
      File name for the certificate signing request (CSR). The certificate authority (CA) requires a separate request.
      CA_key_name
      File name for the private key. The certificate authority (CA) requires a separate private key.
    2. Create a certificate for your private CA. This step creates a certificate (.arm) that you can use to sign your CSR.
      openssl x509 -signkey path_to_CA_key.key -days number_of_days -req -in path_to_CA_csr.csr -out CA_certificate_name.arm -sha256
      For example, openssl x509 -signkey CA_private_key.key -days 90 -req -in CA_CSR.csr -out CA_certificate.arm -sha256
      Where:
      path_to_CA_csr
      File name for the certificate signing request (CSR) that you created for the certificate authority (CA).
      path_to_CA_key
      File name for the private key that you created for the certificate authority (CA).
      number_of_days
      Number of days for the new certificate to be valid.
      CA_certificate_name
      File name for the certificate of your CA. This certificate is used to sign your CSR.
  2. Use the CA certificate to sign the certificate signing request that you created in Creating private keys and certificates.
    openssl x509 -req -days number_of_days -in path_to_csr.csr -CA path_to_CA_certificate.arm -CAkey path_to_CA_key.key -out new_certificate.arm -set_serial 01 -sha256
    For example, openssl x509 -req -days 90 -in CSR.csr -CA CA_certificate.arm -CAkey CA_private_key.key -out certificate.arm -set_serial 01 -sha256
    Where:
    number_of_days
    Number of days for the new certificate to be valid.
    path_to_csr
    Path to the certificate signing request (CSR) that you want to sign.
    path_to_CA_certificate
    Path to the certificate that you created for the certificate authority (CA).
    path_to_CA_key
    Path to the private key that you created for the certificate authority (CA).
    new_certificate
    File name for the new certificate that is created from your certificate signing request (CSR). You upload this certificate together with your private key to BigFix Inventory.
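
Before you upload the files, you can confirm that the new certificate matches your private key, names your private CA as its issuer, stays valid long enough, and respects the 2048-bit limit. The following script is an added example, not part of the product documentation; the -subj values, the private_key.key file name, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-upload consistency checks for the files created above.
# File names follow the page's examples; -subj values and private_key.key are constructed.

# SHA-256 digest of the public key held in a private key file / in a certificate
pub_digest_key()  { openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
pub_digest_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# check_upload_pair KEY CERT CA_CERT MIN_DAYS -> 0 if consistent, 1-4 names the failed check
check_upload_pair() {
    key=$1 cert=$2 ca=$3 min_days=$4
    kdig=$(pub_digest_key "$key"); cdig=$(pub_digest_cert "$cert")
    [ -n "$kdig" ] && [ "$kdig" = "$cdig" ] ||
        { echo "FAIL: private key does not match certificate" >&2; return 1; }
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253)
    subject=$(openssl x509 -in "$ca" -noout -subject -nameopt RFC2253)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] ||
        { echo "FAIL: certificate issuer is not this CA" >&2; return 2; }
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: certificate expires within $min_days days" >&2; return 3; }
    bits=$(openssl x509 -in "$cert" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "$bits" -le 2048 ] ||
        { echo "FAIL: $bits-bit key exceeds the 2048-bit limit" >&2; return 4; }
    echo "OK: key and certificate match, issuer is the CA, $bits-bit key"
}

# Runs the page's example commands non-interactively in directory $1 (constructed subjects)
make_demo_files() {
    ( cd "$1" &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example private CA" \
          -out CA_CSR.csr -keyout CA_private_key.key -sha256 &&
      openssl x509 -signkey CA_private_key.key -days 90 -req -in CA_CSR.csr \
          -out CA_certificate.arm -sha256 &&
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bfi.example.com" \
          -out CSR.csr -keyout private_key.key -sha256 &&
      openssl x509 -req -days 90 -in CSR.csr -CA CA_certificate.arm \
          -CAkey CA_private_key.key -out certificate.arm -set_serial 01 -sha256
    ) 2>/dev/null
}

demo=$(mktemp -d)
make_demo_files "$demo" &&
    check_upload_pair "$demo/private_key.key" "$demo/certificate.arm" "$demo/CA_certificate.arm" 30
rm -rf "$demo"
```

To check your own files, call check_upload_pair with the paths to your private key, the signed certificate, and the CA certificate, plus the minimum number of days of validity that you require.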

Results

You signed your certificate signing request and obtained a new certificate.

What to do next

Enable encrypted communication in BigFix Inventory and upload your private key and the certificate. These files replace the self-signed certificate that is already available in BigFix Inventory, and thus ensure secure communication. For more information, see: Step 3: Enabling secure communication.