MDM SSL certificates

SSL Certificates are required to authenticate the Plugin to the MDM Server.

MDM Client Auth certificate
For secure communication, you must generate the certificates by running the BES Admin tool (BESAdmin.exe on Windows, BESAdmin.sh on Linux) on the BigFix root server with the options shown below. Before you run the command, create the directory in which the certificates are to be stored; the command writes all the generated SSL certificates to that directory.
Note:
  • You must have a reachable DNS host name to run the commands in the BES Admin tool to generate certificates.
To generate SSL certificates on a Windows BigFix root server, run this command:
BESAdmin.exe /generateplugincertificates /certificatespath:<path-to-store-certs> [/commonname:<CN-for-server-and-client-cert>]

To generate SSL certificates on a Linux BigFix root server, run this command:
BESAdmin.sh -generateplugincertificates -certificatespath=<path-to-store-certs> [-commonname=<CN-for-server-and-client-cert>]
Note:
  • For commonname, use the FQDN of the MDM Server.
  • These commands work only if the <path-to-store-certs> directory already exists.
The following SSL certificates are generated in the folder that you created:
  • ca.cert.pem
  • client.cert.pem
  • client.key
  • server.cert
  • server.key
Note: You use the preceding SSL certificates and keys when you install the MDM Plugin and the MDM Server.
MDM Server certificate
Customers must obtain a CA-signed domain SSL certificate for the MDM Server in production. The endpoints need a trusted CA SSL certificate to enroll and communicate with the MDM Server. The SSL certificate must be available in the /var/opt/BESUEM/certs directory before you start the services. All the certificates are deployed through the MDM Server installation Fixlets or through WebUI installation.
MDM Server installation requires the following information:
  • MDM Server TLS certificate chain with a .crt or .pem extension
  • MDM Server TLS private key with a .key extension
  • MDM Server TLS private key password
Note: Depending on the trusted CA you use, this information may be delivered in a format other than the required one; in that case, convert it offline into the required format before you install the MDM Server.
MDM Server TLS Certificate Content
The MDM Server certificate must be available in a .crt or .pem format, and must take the form of a certificate chain containing the following:
  • The actual MDM TLS certificate provided by the trusted CA
  • Any intermediate certificates provided by the trusted CA
  • The trusted CA root certificate
If the trusted CA does not provide such a chain directly, concatenate the individual .crt or .pem files into a single certificate chain and provide it as the MDM Server’s TLS certificate during MDM Server installation.
The following command is an example for concatenating certificates on Linux:
cat <server TLS .crt> [intermediate .crt] <CA root .crt> > mdmserver.crt
This may require additional steps on one or more of the files provided by the trusted CA (for example, a bundle that contains several certificates) to extract the individual certificates and keys needed to build the required chain.
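The following POSIX shell script is an added example, not part of the BigFix documentation: it builds the chain in the order described above and then checks it with OpenSSL before the file is handed to the installer. The file names, the FQDN mdm.example.com and the check_chain helper are assumptions; OpenSSL is assumed to be installed.

```shell
#!/bin/sh
# build_chain OUT LEAF [INTERMEDIATE...] ROOT
# Same order as the cat command above, but a newline is added after any input
# file that lacks one, so the END/BEGIN markers of adjacent blocks never fuse.
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
  done
}

# verify_chain CHAIN KEY FQDN [KEY_PASSWORD]
# Succeeds only if the chain holds at least two certificates, the first one is
# valid for FQDN and validates up to the last one through the ones between,
# and KEY is the private key of that first (server) certificate.
verify_chain() {
  tmp=$(mktemp -d) || return 1
  check_chain "$tmp" "$@"; rc=$?
  rm -rf "$tmp"
  return $rc
}

check_chain() {
  tmp=$1; chain=$2; key=$3; fqdn=$4; pw=${5:-}
  # one file per certificate block: c1.pem (server) ... cN.pem (root)
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$chain"
  n=$(ls "$tmp"/c*.pem 2>/dev/null | wc -l | tr -d ' ')
  [ "$n" -ge 2 ] || { echo "need server certificate plus CA, found $n" >&2; return 1; }
  leaf=$tmp/c1.pem; root=$tmp/c$n.pem
  i=2; : > "$tmp/untrusted.pem"
  while [ "$i" -lt "$n" ]; do cat "$tmp/c$i.pem" >> "$tmp/untrusted.pem"; i=$((i + 1)); done
  # path validation plus hostname check, as an enrolling device performs it
  if [ "$n" -gt 2 ]; then set -- -untrusted "$tmp/untrusted.pem"; else set --; fi
  openssl verify -CAfile "$root" "$@" -verify_hostname "$fqdn" "$leaf" >/dev/null || return 1
  # the key must belong to the server certificate: compare the public keys
  if [ -n "$pw" ]; then set -- -passin "pass:$pw"; else set --; fi
  certpub=$(openssl x509 -in "$leaf" -noout -pubkey) || return 1
  keypub=$(openssl pkey -in "$key" -pubout "$@") || return 1
  [ "$certpub" = "$keypub" ] || { echo "private key does not match server certificate" >&2; return 1; }
}

# usage (illustrative file names):
# build_chain mdmserver.crt server.crt intermediate.crt root.crt && verify_chain mdmserver.crt server.key mdm.example.com
```

A chain assembled with plain cat from files without trailing newlines, or with the root placed first, is rejected by verify_chain, which is exactly the mistake that otherwise surfaces only as enrollment failures on the devices.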