Step 1: Creating private keys and certificates

To improve security, create your own private key and a certificate instead of using the self-signed ones that are available in BigFix Inventory by default. You can use openSSL to create a private key and a certificate signing request (CSR) that can be transformed into a certificate after it is signed by a certificate authority (CA).

Before you begin

This procedure is valid for all operating systems that support openSSL.

If you are generating an encrypted private key in the pkcs8 format, add the following line to the installation_dir/jre/lib/security/ file:
Then, restart the BigFix Inventory server.


  1. Open the command line.
  2. Create a new private key.
    openssl genrsa -des3 -out key_name.key key_strength -sha256
    For example, openssl genrsa -des3 -out private_key.key 2048 -sha256
    Enables password for the private key. This is an optional parameter. You can also enable password for an existing private key by using the following command:
    openssl rsa -des3 -in path_to_private_key.key -out key_name.key
    File name for your new private key.
    Key strength, measured in bits. The maximum value that you can use for BigFix Inventory is 2048 bits.
  3. Create a certificate signing request (CSR). The request is associated with your private key, and is later transformed into a certificate.
    openssl req -new -key path_to_private_key.key -out csr_name.csr
    For example, openssl req -new -key private_key.key -out CSR.csr
    Path to your private key.
    File name for your certificate signing request (CSR).
    After you run the command, you are asked to provide information that helps your users to identify your certificate and ensure that it can be trusted. The following excerpt from the command line is filled in with sample information:
    Country Name (2 letter code) [XX]: US
    State or Province Name (full name) []: New York
    Locality Name (eg, city) [Default City]: New York
    Organization Name (eg, company) [Default Company Ltd]: HCL (eg, section) []: Software
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:


After completing these steps, two files are created, your private key (.key) and the certificate signing request (.csr).

What to do next

Sign the request to transform it into the certificate. For information about how to create a private certificate authority (CA) to sign the request, see Signing certificates.