AppNote: Installing ZENworks 10 Configuration Management using External Certificates

Novell Cool Solutions: AppNote
By Jared Jennings

Posted: 29 Aug 2007
 

This document details how to use a Microsoft Certificate Authority (CA) or the Novell eDirectory Certificate Authority to sign the required certificates for ZCM. A Microsoft CA is something that might be installed on a Primary Domain Controller in your Active Directory infrastructure; the eDirectory CA is installed by default with Novell eDirectory.

This process does use a third-party product, which is free, but could be considered a bit cumbersome. Sorry, but I haven't found the MS equivalent with certutil and certreq. I would be most appreciative if someone were able to help me with that. (If you know, send the answer here.)

This document contains two different sections, one to be used when using a Windows Certificate Authority and the other to be used when using Novell eDirectory Certificate Authority.

Using an External Windows Certificate Authority

Use OpenSSL to generate the private key and the certificate request to be signed by the CA. If you are installing ZCM on a Linux OS, OpenSSL is probably already installed. If you are installing to a Windows OS, a Win32 port of OpenSSL can be downloaded and used; the commands below call it as c:\openssl\bin\openssl.

You can find the Win32 port here. Run through the basic install, accepting the defaults.

Once it's downloaded and installed, I prefer creating a folder to hold all the certificate files that are created.

  1. Open a command window, (start -> run -> cmd ->)



  2. Change to the ROOT of the system drive. In Windows, this would be c:\

    Command: cd \

    Command: mkdir c:\ssl

    Command: cd c:\ssl


Now the current folder should be "c:\ssl"

Phase 1: Generate the Private Certificate Key and the Certificate Request

You will be asked for several pieces of information, the most important piece being the Common Name (YOUR name). This should be the full DNS name of the ZCM server. This is the DNS name which the managed devices will know the ZCM server by.

  1. Issue the following command to generate the Private Certificate Key.
    Command: c:\openssl\bin\openssl genrsa -out zcm.pem
  2. Now, generate the request.
    Command: c:\openssl\bin\openssl req -new -key zcm.pem -out zcm.req

Here is what I provided for the questions when generating the request.

Phase 2: Signing the Certificate with the Windows Certificate Authority

  1. Now open the Certificate Authority Management Console
    <Start -> Administrative Tools -> Certificate Authority>
  2. Right-click the name of your Certificate Authority (mine is the name of my Domain).
  3. Select "All Tasks" -> "Submit New Request"



  4. Browse to c:\ssl\
  5. Select "zcm.req"

  6. The certificate is now placed in the "Pending Requests" in the CA, waiting for you to issue the certificate.
  7. Select "Pending Requests"
  8. The certificate being submitted for request should be the only certificate in the list, or if other requests exist, the ZCM certificate request should be the last in the list.
  9. Right-click the pending certificate and select "All Tasks" -> "Issue".



  10. The certificate is now moved to "Issued Certificates" and removed from "Pending Requests".
  11. The certificate must now be exported, which makes the exported certificate your "SSL Signed Certificate".
  12. Right-click the last certificate in the "Issued Certificates" - this should be the ZCM certificate. Select "Open".



  13. This will display the general details of the certificate. You will see that the certificate was issued to my ZCM server "windows-temp.jaredjennings.org".
  14. Select the "Details" tab.



  15. Select "Copy to File".
    This is so that you can copy the signed certificate to c:\ssl\zcmSignedSSL.cer, which will be used in the install.
  16. Specify the format of the file to be "DER encoded binary X.509 (.cer)".



  17. Specify a file name. I specified c:\ssl\zcmSignedSSL (the extension "cer" will be automatically added).



  18. The Certificate Authority's own certificate must also be exported. In Novell / eDirectory camps, this is known as the ROOT certificate.
  19. Right-click the CA. (In my case, this is "Jared Jennings".)



  20. Select "Properties".
  21. Select "View Certificate".
  22. Select "Details" tab.
  23. Select "Export to File".
  24. Specify the same format as before.
  25. Specify a file name. I specified c:\ssl\ca.

Now you have two of the three required files. The final step is to convert the Private Certificate Key that was generated in the very first step from PEM to PKCS8 in DER format, which provides the third file.

  1. Go back to the command prompt, in the c:\ssl directory, and issue the following command.
    Command: c:\openssl\bin\openssl pkcs8 -topk8 -nocrypt -in zcm.pem -inform PEM -out zcmPrivate_key.der -outform DER

Now, you have the three required files to install ZCM 10 with an External CA.

The final three files are:

  1. c:\SSL\zcmPrivate_key.der
  2. c:\SSL\zcmSignedSSL.cer
  3. c:\SSL\CA.cer

  1. During the ZCM install, after selecting "External CA", specify the Signed SSL Certificate and the Private Certificate.



  2. On the following page of the install, specify the CA certificate "c:\ssl\CA.cer", which, remember, is also the ROOT certificate.

You have now finished "Using an External Windows Certificate Authority". The certificate configuration is done and the ZCM 10 install will begin copying files.

The next section covers how to generate certificates using Novell eDirectory's Certificate Authority instead of using a Windows Certificate Authority.

Using an External Novell eDirectory Certificate Authority

Use OpenSSL to generate the private key and the certificate request to be signed by the CA. If you are installing ZCM on a Linux OS, OpenSSL is probably already installed. If you are installing to a Windows OS, a Win32 port of OpenSSL can be downloaded and used; the commands below call it as c:\openssl\bin\openssl.

You can find the Win32 port here. Run through the basic install, accepting the defaults.

Once downloaded and installed, I prefer creating a folder to hold all the certificate files that are created. Open a command window, (start -> run -> cmd ->).

Command: mkdir c:\ssl

Command: cd \

Command: cd SSL

Now the current folder should be "c:\SSL".

Phase 1: Generate the Private Certificate Key and the Certificate Request

You will be asked for several pieces of information, the most important piece being the Common Name (YOUR name). This should be the full DNS name of the ZCM server. This is the DNS name which the managed devices will know the ZCM server by.

  1. Issue the following command to generate the Private Certificate Key.
    Command: c:\openssl\bin\openssl genrsa -out zcm.pem
  2. Now, generate the request.
    Command: c:\openssl\bin\openssl req -new -key zcm.pem -out zcm.req
  3. Here is what I provided for the questions when generating the request.

Phase 2: Signing the Certificate with the eDirectory Certificate Authority

  1. Once the Private Certificate Key and the Certificate Request have been generated, open ConsoleOne.
  2. Select "tools" -> "Issue Certificate".



  3. Browse and select the c:\ssl\zcm.req certificate request.



  4. On the next screen, specify SSL or TLS.
    Note: I am not completely certain about this key type selection and am verifying this with Novell. It does seem to work though. :)



  5. On the next screen, I specified that I would be using the certificate for at least 5 years.


  6. Specify the certificate type as "binary DER format".
  7. Save the certificate as c:\SSL\zcmSignedSSL.cer.
  8. This file now becomes the "Signed SSL Certificate" which the ZCM install will use.



  9. Finally, export the ROOT CA.



    My CA is JaredJennings-Tree...
  10. Select "Properties" of the certificate.
  11. Select the "Certificates" -> "Self Signed Certificate" tab.



  12. Select "Export" to save the CA to a file to be used by the ZCM install.
  13. Do not export the Private Key with the Certificate.



  14. Save the Certificate in "binary DER format".
  15. Save the certificate as c:\ssl\CA.CER.

Now you have two of the three required files. The final step is to convert the Private Certificate Key that was generated in the very first step from PEM to PKCS8 in DER format, which provides the third file.

  1. Go back to the command prompt, in the c:\ssl directory, and issue the following command.
    Command: c:\openssl\bin\openssl pkcs8 -topk8 -nocrypt -in zcm.pem -inform PEM -out zcmPrivate_key.der -outform DER

Now, you have the three required files to install ZCM 10 with an External CA.

The final three files are:

  1. c:\SSL\zcmPrivate_key.der
  2. c:\SSL\zcmSignedSSL.cer
  3. c:\SSL\CA.cer
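
Before starting the installer, it is worth confirming that the three files produced by either section belong together: all are DER encoded, the key loads without a passphrase, the signed certificate carries that key's public half, and the certificate chains to the exported CA. The script below is an added example, not part of the original AppNote, written for a POSIX shell (the Linux case mentioned above). The function names, the host name zcm.example.test, the explicit 2048-bit key size and the throwaway CA used for sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original AppNote: check that the key, the signed
# certificate and the CA certificate belong together before running the installer.

# DER starts with an ASN.1 SEQUENCE tag (0x30); PEM starts with '-'.
is_der() { [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = 30 ]; }

# Usage: check_zcm_files zcmPrivate_key.der zcmSignedSSL.cer CA.cer
check_zcm_files() {
    zk=$1; zc=$2; za=$3
    for zf in "$zk" "$zc" "$za"; do
        is_der "$zf" || { echo "$zf is not DER encoded"; return 1; }
    done
    # 1. The key must load without a passphrase (pkcs8 -topk8 -nocrypt output).
    kpub=$(openssl pkey -inform DER -in "$zk" -passin pass: -pubout 2>/dev/null) ||
        { echo "private key did not load without a passphrase"; return 1; }
    # 2. The signed certificate must carry the public half of that key.
    cpub=$(openssl x509 -inform DER -in "$zc" -noout -pubkey 2>/dev/null) ||
        { echo "signed certificate did not parse"; return 1; }
    [ "$kpub" = "$cpub" ] ||
        { echo "certificate does not match private key"; return 1; }
    # 3. The signed certificate must chain to the exported CA (root) certificate.
    zt=$(mktemp -d) || return 2
    if openssl x509 -inform DER -in "$zc" -out "$zt/cert.pem" 2>/dev/null &&
       openssl x509 -inform DER -in "$za" -out "$zt/ca.pem" 2>/dev/null &&
       openssl verify -CAfile "$zt/ca.pem" "$zt/cert.pem" >/dev/null 2>&1
    then rm -rf "$zt"; echo "ok"
    else rm -rf "$zt"; echo "certificate was not issued by this CA"; return 1
    fi
}

# Constructed sample data: a throwaway local CA stands in for the Windows or
# eDirectory CA; zcm.example.test and the 2048-bit size are assumptions.
make_sample() {
    d=$1
    openssl genrsa -out "$d/zcm.pem" 2048 2>/dev/null &&
    openssl req -new -key "$d/zcm.pem" -subj "/CN=zcm.example.test" -out "$d/zcm.req" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
        -subj "/CN=Constructed Test CA" -days 1 -outform DER -out "$d/CA.cer" 2>/dev/null &&
    openssl x509 -req -in "$d/zcm.req" -CA "$d/CA.cer" -CAform DER -CAkey "$d/cakey.pem" \
        -set_serial 1 -days 1 -outform DER -out "$d/zcmSignedSSL.cer" 2>/dev/null &&
    openssl pkcs8 -topk8 -nocrypt -in "$d/zcm.pem" -inform PEM \
        -out "$d/zcmPrivate_key.der" -outform DER
}

if [ $# -eq 3 ]; then check_zcm_files "$@"; fi
```

On Windows the same openssl subcommands can be typed at the command prompt using c:\openssl\bin\openssl.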

  1. During the ZCM install, after selecting "External CA" specify the Signed SSL Certificate and the Private Certificate.



  2. On the following page of the install, specify the CA certificate "c:\ssl\CA.cer", which, remember, is also the ROOT certificate.

You have now finished the section, "Using an External Novell eDirectory Certificate Authority". The certificate configuration is done and the ZCM 10 install will begin copying files.

