Renewing Self-Signed SSL Certificates

An expired certificate can cause network communication issues between the holders of the encryption and decryption key pairs, which in this case are the managed computers and the IBM® BigFix server. Renewing expired certificates therefore ensures a secure and continuous connection with the trusted root.

About this task

A Secure Socket Layer (SSL) certificate is, by default, generated automatically during the configuration of the Software Distribution Self Service Portal (SSP). These SSL certificates are self-signed and must be installed on the computers before they can be managed.

Self-signed SSL certificates (ssl.cert) are verified by the Certificate Authority (CA) certificates (ca.cert), which are generated during the configuration of the management extender. Therefore, an expired CA certificate can result in computers being unable to validate messages from their trusted source. End users must download an updated CA certificate.

Deploying a new CA certificate requires end user involvement. If you deploy an action that contains the new CA, the computer still will not recognize it after the original CA expires, because trust in the action itself depends on the (now expiring) CA. The only way to avoid continued user involvement is to use officially signed SSL certificates.

Note: Because of the complications involved in managing self-signed SSL certificates, consider purchasing SSL certificates signed by a known certificate authority.
The following steps are specific to self-signed certificates.

Procedure

  1. Create new SSL certificates.
    1. Stop the IBM Endpoint Manager for Mobile Devices service (BESiOSServer.exe).
    2. Open the command line with Administrator privileges.
    3. Go to C:\Program Files\BigFix Enterprise\Management Extender\MDM Provider.
    4. Generate an SSL certificate by entering the following command: utils\ssp.bat recreate_certs <hostname>:<port>
    5. Start the IBM Endpoint Manager for Mobile Devices service (BESiOSServer.exe).

    These certificates are not trusted by web browsers by default. They must be manually added to the trusted certificate store on each endpoint. Endpoints cannot communicate with the server until the new CA certificate is installed.

  2. Install the new CA certificate on the end user's browser.

    The newly generated SSL certificate, which you created in Step 1, comes from a newly generated CA certificate. All managed computers must install this new CA before they can trust the new SSL certificates. End users must download an updated CA certificate.

    1. From a web browser, enter the appropriate URL. The syntax of the URL is as follows:
      https://<ssphostname>:<port>/ssp

      A security warning is displayed when the SSP is first accessed after the CA certificate is renewed.

    2. Export the CA certificate.
      The steps can vary across browsers.
      For example, in Chrome, click the Lock icon beside the URL and click Certificate Information. To export the certificate, click Copy to File.
    3. Double-click the certificate to start the installation.
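The following PowerShell script is an added example, not part of the IBM documentation. Run on an endpoint, it fetches the certificate the SSP presents, checks whether this machine's own trust store accepts it (the same check the endpoint performs), and reports how many days remain on both the SSL certificate and the CA certificate so that renewal can be planned before either expires. The host name, port and warning threshold are placeholder parameters.

```powershell
# Added example (not from the IBM documentation): inspect the SSP certificate,
# check whether this endpoint trusts it, and warn before the SSL or CA certificate
# expires. $SspHost and $SspPort are placeholders; adjust for your environment.
param(
    [string]$SspHost  = "ssp.example.com",
    [int]   $SspPort  = 443,
    [int]   $WarnDays = 30
)

# Fetch the server certificate without trusting it: the validation callback
# always returns $true here because we only want to inspect the certificate.
$client = New-Object System.Net.Sockets.TcpClient($SspHost, $SspPort)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl    = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($SspHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Dispose()
}

# Build the chain against this machine's trust store, exactly as the endpoint does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # a self-signed CA publishes no CRL
$trusted = $chain.Build($cert)

$sslDays = [int]($cert.NotAfter - (Get-Date)).TotalDays
"SSL certificate : $($cert.Subject)"
"  issued by     : $($cert.Issuer)"
"  expires       : $($cert.NotAfter) ($sslDays days left)"

if ($trusted) {
    # The last chain element is the CA certificate installed on this endpoint.
    $ca     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $caDays = [int]($ca.NotAfter - (Get-Date)).TotalDays
    "CA certificate  : $($ca.Subject)"
    "  expires       : $($ca.NotAfter) ($caDays days left)"
    if ($caDays -lt $WarnDays) {
        "WARNING: CA expires within $WarnDays days; endpoints will need the new CA after renewal"
    }
} else {
    # Typical statuses: UntrustedRoot (new CA not yet installed), NotTimeValid (expired)
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    "WARNING: this endpoint does not trust the SSP certificate ($reasons)"
}
if ($sslDays -lt $WarnDays) {
    "WARNING: SSL certificate expires within $WarnDays days; plan to run ssp.bat recreate_certs"
}
```

An UntrustedRoot status on an endpoint after Step 1 means the new CA from Step 2 has not been installed there yet.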