MDM SSL certificates

MDM Client Auth certificate
SSL certificates are required to authenticate the MDM Plugin to the MDM Server. To secure this communication, generate the certificates with the certificate-generation options of the BESAdmin command on the BigFix root server. Before you run the command, create a directory; all the SSL certificates that the command generates are stored in that directory.
Note:
  • You must have a reachable DNS host name to run the commands in the BES Admin tool to generate certificates.
To generate SSL certificates on a Windows BigFix root server, run this command:
BESAdmin.exe /generateplugincertificates /certificatespath:<path-to-store-certs> [/commonname:<CN-for-server-and-client-cert>]
To generate SSL certificates on a Linux BigFix root server, run this command:
BESAdmin -generateplugincertificates -certificatespath=<path-to-store-certs> [-commonname=<CN-for-server-and-client-cert>]
Note:
  • For commonname, use the FQDN of the MDM Server.
  • These commands work only if the path-to-store-certs directory already exists.
The following SSL certificates are generated in the folder that you created:
  • ca.cert.pem
  • client.cert.pem
  • client.key
  • server.cert
  • server.key
Note: You will be using the preceding SSL certificates and keys when you install the MDM Plugin and MDM Server.
MDM Server certificate
Customers must obtain a CA-signed domain SSL certificate for the MDM Server in production. The endpoints need a trusted CA SSL certificate to enroll and communicate with the MDM Server. The SSL certificate must be available in the /var/opt/BESUEM/certs directory before you start the services. All the certificates are deployed through the MDM Server installation Fixlets.
If you are using a staging or lab environment for Windows MDM support only, you can generate self-signed certificates as follows:
  • Run the following command on any RHEL server that has the OpenSSL command-line interface. It generates the mdmserver.key and mdmserver.crt files in the current working directory. You will need this SSL certificate and key when you are ready to deploy the MDM Server.
    DNSNAME=<MDM_FQDN_HOSTNAME>; (cat /etc/pki/tls/openssl.cnf; printf "\n[SAN]\nsubjectAltName=DNS:$DNSNAME\n") | openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 -keyout mdmserver.key -out mdmserver.crt -subj "/CN=$DNSNAME" -config /dev/stdin

Note: If you are using macOS 10.15 or later, self-signed certificates created with the command-line interface do not work for macOS MDM. In this case, you must use a trusted CA certificate.
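The self-signed procedure above produces a certificate that endpoints accept only if it carries the MDM Server FQDN in its subjectAltName. The following script, added here as an example and not part of the BigFix product or its documentation, generates the same kind of certificate from a minimal OpenSSL config and then checks it before it is copied to /var/opt/BESUEM/certs: the SAN names the FQDN, the certificate has not expired, and the key matches the certificate. It assumes openssl is on PATH; the hostname and output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example (not BigFix code): generate and validate a self-signed
# MDM Server certificate with a SAN entry. Assumes openssl is on PATH.

# gen_mdm_selfsigned <fqdn> <outdir>: writes mdmserver.key and mdmserver.crt
gen_mdm_selfsigned() {
  fqdn="$1"; outdir="$2"
  mkdir -p "$outdir"
  # Minimal request config; clients ignore the CN and require a subjectAltName.
  printf '[req]\ndistinguished_name=dn\nx509_extensions=san\nprompt=no\n[dn]\nCN=%s\n[san]\nsubjectAltName=DNS:%s\n' \
    "$fqdn" "$fqdn" > "$outdir/san.cnf"
  openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -sha256 \
    -keyout "$outdir/mdmserver.key" -out "$outdir/mdmserver.crt" \
    -config "$outdir/san.cnf" 2>/dev/null
}

# check_mdm_cert <fqdn> <crt> <key>: returns 0 only if the certificate lists
# the FQDN in its SAN, is currently valid, and matches the private key.
check_mdm_cert() {
  fqdn="$1"; crt="$2"; key="$3"
  # -text works on old and new OpenSSL releases; -ext needs 1.1.1 or later
  openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$fqdn" \
    || { echo "SAN does not contain DNS:$fqdn"; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "certificate has expired"; return 1; }
  # Compare the public key embedded in the cert with the one derived from the key
  c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ] \
    || { echo "private key does not match certificate"; return 1; }
  return 0
}

# Usage: sh mdm_cert.sh <MDM_FQDN_HOSTNAME> <outdir>
if [ $# -eq 2 ]; then
  gen_mdm_selfsigned "$1" "$2" \
    && check_mdm_cert "$1" "$2/mdmserver.crt" "$2/mdmserver.key" \
    && echo "OK: $2/mdmserver.crt is valid for $1"
fi
```

Run the check again against the CA-signed certificate you obtain for production; the same three conditions apply, and a certificate that fails the SAN check is the usual reason enrollment fails with a trust error.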