Client certificate

Client Certificate Validity Period

Up to product version 10.0.6, BigFix Agents have client certificates with a validity period of 10 years.

Since the modern industry standards provide for SSL/TLS certificates with a maximum validity of 13 months, starting from product version 10.0.7, BigFix Agents will automatically have their client certificates updated to comply with the 13-month lifespan standard.

BigFix Agent Automatic Transition to 13-Month Client Certificates

On its first registration attempt, after being upgraded to version 10.0.7, a BigFix Agent will autonomously switch from a 10-year client certificate to a 13-month certificate, provided that the relay-chain, up to the BigFix Server, to which the Agent is connected, is entirely at 10.0.7 level (or later).

As long as this condition is not met, the BigFix Agent will keep the 10-year certificate, and will continue to use it as needed without this implying any limitation or compromising the BigFix Agent ability to autonomously switch to the 13-month certificate at a later time when it will have the possibility to perform a registration through a relay-chain that is entirely at 10.0.7 level (or later).

When a BigFix Agent 10.0.7 switches from the 10-year client certificate to the 13-month one, it will log the following two lines to the standard client log file (YYYYMMDD.log):

The current Client certificate validity (3650 days) does not match the value 
specified in the masthead (398 days), starting the certificate update process now.
Completed Client certificate update.

BigFix Agent Automatic Maintenance of 13-Month Client Certificates

After a BigFix Agent switches to a 13-month client certificate, it will autonomously take care of keeping it up-to-date by requesting a certificate update when the expiration date of the current certificate approaches. This would normally occur 45 days before the expiration date to have sufficient time span to deal with possible periods of shutdown, impediments, or unforeseen events.

When a BigFix Agent, at 10.0.7 level, gets an update of its 13-month client certificate, it will log the following two lines to the standard client log file (YYYYMMDD.log):

Client Certificate expires in N days, HH:MM:SS, refreshing it now.
Completed Client certificate update.

If a BigFix Agent is unable to update its certificate before it expires, if it is connected to an Authenticating Relay, it will be necessary to run the manual procedure, which is described in How to Recover from an Expired Client Certificate, to allow it to reconnect to the BigFix deployment.

How to Monitor the Status of Client Certificates

How to Recover from an Expired Client Certificate

If a BigFix Agent has an expired client certificate and it can only reach an Authenticating relay on the network, you can manually run the following command on the BigFix Agent to allow it getting an updated certificate through the Authenticating relay:

BESClient -update-certificate <password> http://<relay>:52311

The command includes a password that the Authenticating relay will verify before forwarding the update request upwards. The Authenticating relay must be at 10.0.7 level (or later).

How to Force the Update of the Client Certificate

You have the possibility to force a BigFix Agent at 10.0.7 level to update its client certificate at any given moment by targeting it with an action that uses the following new actionscript command:

client certificate refresh

Since BigFix Agents will be able to maintain their client certificates autonomously, under normal conditions BigFix Operators are not expected to have to use this command. However, there might be cases where this command helps, for instance to address specific situations where the 45-day certificate update window is not suitable to guarantee that certificates will not expire, and so a BigFix Operator might want to anticipate the certificate update.