Client certificate

To comply with modern industry standards, starting from product version 10.0.7 the client certificate of the BigFix Agent will have a validity period of 13 months.

Except for a few specific cases described in the following sections, the transition to the 13-month client certificate and its subsequent management will be automatic and will not require any manual intervention.

Client Certificate Validity Period

Up to product version 10.0.6, BigFix Agents have client certificates with a validity period of 10 years.

Since modern industry standards limit SSL/TLS certificates to a maximum validity of 13 months, starting from product version 10.0.7 BigFix Agents will automatically have their client certificates updated to comply with the 13-month lifespan standard.

BigFix Agent Automatic Transition to 13-Month Client Certificates

On its first registration attempt after being upgraded to version 10.0.7, a BigFix Agent will autonomously switch from a 10-year client certificate to a 13-month certificate, provided that the entire relay chain it is connected through, up to the BigFix Server, is at level 10.0.7 or later.

Until that condition is met, the BigFix Agent will keep the 10-year certificate and will continue to use it as needed. This implies no limitation and does not compromise the Agent's ability to switch to the 13-month certificate later, once it is able to register through a relay chain that is entirely at level 10.0.7 or later.

When a BigFix Agent 10.0.7 switches from the 10-year client certificate to the 13-month one, it will log the following two lines to the standard client log file (YYYYMMDD.log):

The current Client certificate validity (3650 days) does not match the value specified in the masthead (398 days), starting the certificate update process now.
Completed Client certificate update.

BigFix Agent Automatic Maintenance of 13-Month Client Certificates

After a BigFix Agent switches to a 13-month client certificate, it will autonomously keep it up to date by requesting a certificate update as the expiration date of the current certificate approaches. This normally occurs 45 days before the expiration date, leaving sufficient time to cope with possible periods of shutdown, impediments, or unforeseen events.

When a BigFix Agent, at 10.0.7 level, gets an update of its 13-month client certificate, it will log the following two lines to the standard client log file (YYYYMMDD.log):

Client Certificate expires in N days, HH:MM:SS, refreshing it now.
Completed Client certificate update.

If a BigFix Agent is unable to update its certificate before it expires and it is connected to an Authenticating Relay, you must run the manual procedure described in How to Recover from an Expired Client Certificate to allow the Agent to reconnect to the BigFix deployment.

How to Monitor the Status of Client Certificates

To monitor the status of the client certificate on the BigFix Agents of your deployment, you can activate the Client Certificate Information analysis of BES Support. For each BigFix Agent, the analysis will provide the following information:
  • Client Certificate Expiration Date: The expiration date of the client certificate.
  • Client Certificate Overall Validity: The overall validity of the client certificate.
  • Client Certificate Expires In: The remaining validity of the client certificate.
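As an added example (not BigFix's own code or tooling), the following Python script reproduces from a certificate's validity dates the values reported by the Client Certificate Information analysis, classifies the Agent's state using the 3650-day, 398-day and 45-day figures quoted on this page, and recognises the transition and refresh messages from the client log so that an operator can spot an update that started but never logged completion. The log lines and dates are constructed for illustration.

```python
import re
from datetime import date

# Lifetimes and refresh window stated on the page (in days).
TEN_YEAR_DAYS = 3650
REFRESH_WINDOW_DAYS = 45

# Patterns for the certificate-related client log messages quoted on the page.
TRANSITION_RE = re.compile(r"does not match the value specified in the masthead \((\d+) days\)")
REFRESH_RE = re.compile(r"Client Certificate expires in (\d+) days, \d\d:\d\d:\d\d, refreshing it now")
COMPLETED_RE = re.compile(r"Completed Client certificate update")

def classify_certificate(not_before, not_after, now):
    """Dates as ISO strings. Returns (overall validity days, days remaining, status):
    the two numbers mirror the analysis properties, the status says what to expect."""
    validity = (date.fromisoformat(not_after) - date.fromisoformat(not_before)).days
    remaining = (date.fromisoformat(not_after) - date.fromisoformat(now)).days
    if remaining < 0:
        status = "expired"         # behind an authenticating relay, manual -update-certificate is needed
    elif validity >= TEN_YEAR_DAYS:
        status = "legacy-10-year"  # relay chain not yet entirely at 10.0.7, transition has not happened
    elif remaining <= REFRESH_WINDOW_DAYS:
        status = "refresh-due"     # the agent should be logging "refreshing it now"
    else:
        status = "ok"
    return validity, remaining, status

def scan_client_log(lines):
    """Extract certificate update events from client log lines, in order."""
    events = []
    for line in lines:
        if m := TRANSITION_RE.search(line):
            events.append(("transition-started", int(m.group(1))))
        elif m := REFRESH_RE.search(line):
            events.append(("refresh-started", int(m.group(1))))
        elif COMPLETED_RE.search(line):
            events.append(("completed", None))
    return events

def update_pending(events):
    """True when the last update the agent started has no 'Completed' line after it."""
    return bool(events) and events[-1][0] != "completed"

# Constructed sample log lines modelled on the messages quoted above (not a real log).
SAMPLE_LOG = [
    "The current Client certificate validity (3650 days) does not match the value specified in the masthead (398 days), starting the certificate update process now.",
    "Completed Client certificate update.",
    "Client Certificate expires in 44 days, 03:12:55, refreshing it now.",
]
```

Real client log lines carry a timestamp prefix before the message, which the searches above tolerate because they do not anchor at the start of the line.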

How to Recover from an Expired Client Certificate

If a BigFix Agent has an expired client certificate and it can only reach an Authenticating relay on the network, you can manually run the following command on the BigFix Agent to let it obtain an updated certificate through the Authenticating relay:

BESClient -update-certificate <password> http://<relay>:52311

The command includes a password that the Authenticating relay will verify before forwarding the update request upwards. The Authenticating relay must be at 10.0.7 level (or later).

The password on the Authenticating relay might be configured as:
  • A single password set through the client setting _BESRelay_Comm_ClientCertUpdatePassword to be defined on the relay.
  • A newline-delimited list of one-time passwords stored in a file named ManualUpdateCertificatePasswords and saved in the storage directory of the relay (value StoragePath of HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\BigFix\Enterprise Server\GlobalOptions).
Note: Passwords must have ASCII characters only.
Note: If you want to avoid specifying the clear-text password as part of the manual command, the following alternate syntax will prompt for entering the password without displaying it:
  • Windows: cmd /c BESClient.exe -update-certificate http://<relay>:52311
  • Linux: BESClient -update-certificate http://<relay>:52311
  • Mac: BESAgent -update-certificate http://<relay>:52311

How to Force the Update of the Client Certificate

You can force a BigFix Agent at 10.0.7 level to update its client certificate at any moment by targeting it with an action that uses the following new actionscript command:

client certificate refresh

Because BigFix Agents maintain their client certificates autonomously, under normal conditions BigFix Operators are not expected to need this command. However, it can help in specific situations, for instance when the 45-day certificate update window is not sufficient to guarantee that certificates will not expire and an Operator wants to bring the certificate update forward.

Note: The command forces the BigFix Agent to request a certificate update regardless of the version of its relay chain. Consequently, if the relay chain is not entirely at level 10.0.7 or later, the command makes the Agent obtain an updated certificate with a validity of 10 years. In this case, the Agent goes back to applying the logic described in BigFix Agent Automatic Transition to 13-Month Client Certificates, which allows the transition from a 10-year certificate to a 13-month one.