1.2 Configuring the Certificate Authority

When you install ZENworks Configuration Management for the first time, you are prompted to either create an internal Certificate Authority (CA) or provide the appropriate certificate information for an external CA. Based on how the certificate authority is initially installed and configured for ZENworks, the Certificates page will display the active certificate authority (CA). The active CA can be either internal or external.

  • Internal Certificate Authority: Certificates are issued by a ZENworks server that is assigned the role of certificate authority.

  • External Certificate Authority: Certificates are issued by an external server. The external server certificate can be issued by a subordinate CA or a root CA. ZENworks supports the use of wildcard certificates.

This section describes the current certificate authority and the operations that can be performed on it:

1.2.1 Internal Certificate Authority

Internal certificates are issued by a ZENworks server that has the CA role. ZENworks enables you to perform the operations described in the following sections on an internal CA.

1.2.2 External Certificate Authority

External certificates are issued by an external certificate authority (CA), for example, Verisign. Using ZENworks Control Center, you can change the current external CA to another external or internal CA. For more information, see Changing the Certificate Authority.

NOTE: It is recommended that you remint the certificate before it expires.

1.2.3 Viewing the Certificate Details

To view the certificate details, click the View Certificate button in the Zone Certificate Authority pane of the Certificates page. The following information is displayed:

  • Subject: The CA server to which the certificate is issued.

  • Issued by: The CA that issued the certificate.

  • Valid from: The date and time from which the certificate is valid.

  • Expires: The date and time at which the certificate will expire.

  • Key length: The key length that was used to create the certificate.

  • MD5 Fingerprint: The MD5 digest of the certificate data.

  • SHA1 Fingerprint: The SHA1 digest of the certificate data.

  • Certificate Status: Indicates whether the certificate is valid or has expired.

1.2.4 Changing the Certificate Authority

This feature enables you to change the current certificate authority (CA) to another internal or external CA.

Changing the CA to Internal

Using this feature, you can either change the existing external CA to an internal CA or you can change the existing internal CA to another internal CA.

When you change the CA, the Primary Server and Authentication Satellite Server certificates will get reminted automatically.

To change the CA to Internal:

  1. In the Zone Certificate Authority pane, click the Change CA button.

  2. In the Change Certificate Authority dialog box, confirm that you want to change the CA by selecting Yes, I want to change the certificate authority. The remaining fields are then activated.

  3. From the drop-down list, select Change to internal certificate authority.

  4. Specify the following information:

    • Certificate server: Browse to and select the Primary Server that is to become the new CA.

    • Subject: Specify a subject name for the CA. By default, the zone name is displayed.

    • Key Length: Specify the key length.

    • Valid for (years): Specify the number of years for which the certificate should be valid. Specify a value between 1 and 10.

  5. Select Include any additional DNS names for each server, if you want additional DNS names configured for the servers to be part of the Subject Alternative Name of their respective certificates.

    NOTE: The additional DNS names for a server can be configured on the Settings tab of the device.

  6. Click Next.

  7. Specify the Certificate activation date and time. From the activation time onward, the new certificates are in effect and the old certificates are no longer used for communication between devices.

    You can select any date that is prior to the expiry of the current CA. Ensure that you include adequate time for the associated system update to be applied on all the devices.

    IMPORTANT: If the certificate activation time passes before the system update is applied on the devices, these devices will not be able to communicate with Primary Servers on which the new certificate has already been activated. You will then need to run the Certificate Remint Tool. The tool can be downloaded from http://<ip of primary server>:<port>/zenworks-setup. It is available for download on all the Primary Servers after the update is created and assigned; it is no longer available once the certificate update is baselined and deleted.

    If the CA has already expired, the activation time will be labeled as Immediate and you need to run the Certificate Remint Tool on all the devices. On the new CA server, the Certificate Remint Tool will be launched automatically.

  8. Click Finish.

    A message is displayed in the Zone Certificate Authority pane indicating that the Change CA operation has been initiated. As part of the Change CA process, ZENworks will create a system update whose content will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. The CRT will be created on the new CA server. On other Primary Servers, it will be created only after the SU is assigned, to ensure that the content is replicated. You can click the current replication status link to view the list of servers along with their respective content replication statuses. After the replication is complete, the system update will be automatically assigned to all devices in the zone.

    At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link, even if the content has not yet been replicated to all content servers. The system update will get assigned to all devices in the zone. For successful completion, we recommend that you ensure the content is available on the content servers before assigning the system update.

    If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.

    IMPORTANT: As soon as the SU is assigned, the CRT runs automatically on the new CA server. Remint the certificate on that server first, then on all other Primary Servers, and after that on the other devices, in any order.

    The system update status for the Primary Servers and Authentication Satellite Servers can be viewed in the ZENworks Server SSL Certificate panel. The future certificate for these servers can be viewed from the Options column. The system update status for the other devices can be tracked from the System Updates page.

Changing the CA to External

Using this feature, you can either change the existing internal CA to an external CA or you can change the existing external CA to a new external CA.

To change the existing CA to External:

  1. In the Zone Certificate Authority pane, click the Change CA button.

  2. In the Change Certificate Authority dialog box, confirm that you want to change the CA by selecting Yes, I want to change the certificate authority. The remaining fields are then activated.

  3. From the drop-down list, select Change to external certificate authority.

  4. Click Browse to select and upload the trusted root certificate provided by the external CA.

  5. Click Next. The Generate CSR screen is displayed.

  6. Select how you want to generate the CSR for each server:

    • I will generate a CSR for each server manually: If you want to generate the CSR for each server manually, click Next and go to Step 7.

      If you want to use external wildcard certificates for any of the Primary Servers, you need to use this option and generate the CSR with an external tool such as OpenSSL. ZENworks does not support the generation of CSRs for wildcard certificates. For more information, see Generating a Certificate Signing Request (CSR).

    • Let ZENworks generate a CSR automatically for each server: If you want ZENworks to generate the CSR for all servers automatically, specify the following information and click Next:

      • Organization: Organization name

      • Organization Unit: Organizational unit name, such as a department or division

      • City/Locality: City name or location

      • State/Province: State or province name

      • Country/region: Country or region

      • Key Length: Specify the key length

      • Include any additional DNS names for each server: Select this option if you want the additional DNS names configured for the servers to be part of the Subject Alternative Name of their respective certificates.

        NOTE: The additional DNS names for a device can be configured on the Settings tab of the Primary Server.

  7. Specify the Certificate activation date and time.

    You can select any date that is prior to the expiration date of the current CA. Ensure that you include adequate time for the associated system update to be applied on all the devices.

    IMPORTANT: If the certificate activation time passes before the system update is applied on the devices, these devices will not be able to communicate with the Primary Servers on which the new certificate has already been activated. You will then need to run the Certificate Remint Tool on these devices.

    If the CA has already expired, the activation time will be labeled as Immediate, and you will need to run the Certificate Remint Tool on all the devices, except the server on which the remint was initiated. On this server, the Certificate Remint Tool will be launched automatically.

    IMPORTANT: As soon as the SU is assigned, the CRT runs automatically on the new CA server. Remint the certificate on that server first, then on all other Primary Servers, and after that on the other devices, in any order.

  8. Click Finish.

    A message is displayed in the Zone Certificate Authority pane indicating that the Change CA operation has been initiated. As part of the Change CA process, ZENworks will create a system update whose content will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. The Certificate Remint Tool (CRT) will be created on the server on which the remint operation was initiated. On other Primary Servers, it will be created only after the SU is assigned, to ensure that the content is replicated. You can click the current replication status link to view the list of servers along with their respective content replication statuses. After the replication is complete, the system update will be automatically assigned to all devices in the zone.

    At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link. This is useful if some of the content servers cannot replicate content for whatever reason. The system update will get assigned to all devices in the zone, ignoring any system update stages configured in the zone. For successful completion, we recommend that you ensure the content is available on the content servers before assigning the system update.

    NOTE: If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.

    The system update status for the Primary Servers and Authentication Satellite Servers can be viewed in the ZENworks Server SSL Certificates panel. The Options column will enable you to download the CSRs, if any, and also view the future certificates. The system update status for the other devices can be tracked from the System Updates page.

  9. If you selected the I will generate a CSR for each server manually option in Step 6, you need to generate the certificates for the Primary Servers and Authentication Satellite Servers manually. The certificate (the complete certificate chain) and the private key must then be placed in the remint repository folder of each of these servers:

    • On Windows: %zenworks_home%\remint-repo

    • On Linux: /opt/novell/zenworks/remint-repo

    The certificate file must be named server, with one of the extensions .der, .cer, .crt, .p7b, .pem, or .cert; the certificate can be DER or PEM encoded. The private key file must be named key.der.

    If you selected the Let ZENworks generate a CSR automatically for each server option, you have to download the CSR for each server, get them signed by the CA, and import the future certificates using the Import Certificate action.

    The activator checks for the server certificate in the database; if the certificate has been imported there, the activator serializes it as server.cer and places it in the remint repository:

    • On Windows: %zenworks_home%\remint-repo

    • On Linux: /opt/novell/zenworks/remint-repo

    While the system update is being applied, the CA certificate is serialized to the same directory as ca.cert.

    NOTE: The Generate CSR action can be used in the following scenarios:

    • You selected the I will generate a CSR for each server manually option in Step 6, but you want to use ZENworks to generate CSRs for one or more devices. In this case, you will need to import the certificate for the device using the Import Certificate action.

    • You selected the Let ZENworks generate a CSR automatically for each server option in Step 6, but you want to override the CSR for one or more devices. You can then use the newly generated CSR to request the future certificate from the CA.

    To generate CSRs, select one or more servers, then click Generate CSR from the Actions menu. For more information, see Generating the CSR.

    IMPORTANT: If there are 10.3.4 devices in the zone, ensure that all the managed devices are refreshed after the future certificates of all the Primary Servers are available in the database. All other devices need to be refreshed if the subject has been changed for any of the Primary Server certificates. If the devices are not refreshed, communication between the managed devices and the Primary Servers will break.
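Step 6 leaves wildcard certificates to a manual CSR made with an external tool, and the automatic path asks for the same DN fields that OpenSSL needs. The script below is an added example, not ZENworks code or a ZENworks-supplied tool: it maps the console's CSR fields (Organization, Organization Unit, City/Locality, State/Province, Country/region, Key Length) onto an OpenSSL request config, places the server's DNS names, including a wildcard, in subjectAltName (clients match the SAN, not the CN, so the CN is repeated there), and runs the openssl binary only if it is installed. The organization, host and path values in `__main__` are constructed samples; the wildcard rules in `validate_name` are this example's own sanity checks, not ZENworks rules.

```python
import shutil
import subprocess
from pathlib import Path

def console_fields_to_dn(organization, organization_unit, city, state, country) -> dict:
    """Map the console's CSR fields onto the OpenSSL DN keys."""
    return {"C": country, "ST": state, "L": city, "O": organization, "OU": organization_unit}

def validate_name(name: str) -> str:
    """Accept a wildcard only as the entire leftmost label of a name with at least three labels."""
    labels = name.split(".")
    if any("*" in lab for lab in labels[1:]) or (labels[0] != "*" and "*" in labels[0]):
        raise ValueError(f"wildcard must be the whole leftmost label: {name}")
    if labels[0] == "*" and len(labels) < 3:
        raise ValueError(f"wildcard too broad for a CA to sign: {name}")
    return name

def san_entries(common_name: str, extra_dns: list) -> list:
    """SAN list: the CN first, then every additional DNS name, lower-cased and deduplicated."""
    names = []
    for n in [common_name, *extra_dns]:
        n = n.strip().lower()
        if n and n not in names:
            names.append(validate_name(n))
    return names

def openssl_config(dn: dict, common_name: str, extra_dns: list, key_bits: int) -> str:
    """Render a non-interactive 'openssl req' config carrying a subjectAltName extension."""
    dn_lines = "\n".join(f"{k} = {v}" for k, v in dn.items())
    alt_lines = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(san_entries(common_name, extra_dns), 1))
    return (
        "[req]\n"
        f"default_bits = {key_bits}\n"
        "prompt = no\n"
        "distinguished_name = dn\n"
        "req_extensions = ext\n\n"
        f"[dn]\n{dn_lines}\nCN = {common_name}\n\n"
        "[ext]\n"
        "subjectAltName = @alt_names\n\n"
        f"[alt_names]\n{alt_lines}\n"
    )

def generate_csr(workdir, cfg: str, key_bits: int):
    """Write openssl.cnf and, when the openssl binary is on PATH, create server.key and server.csr.
    Returns the CSR path, or None if openssl is not installed (the config is still written)."""
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    cfg_path = workdir / "openssl.cnf"
    cfg_path.write_text(cfg)
    if shutil.which("openssl") is None:
        return None
    key, csr = workdir / "server.key", workdir / "server.csr"
    subprocess.run(["openssl", "req", "-new", "-newkey", f"rsa:{key_bits}", "-nodes",
                    "-keyout", str(key), "-out", str(csr), "-config", str(cfg_path)],
                   check=True, capture_output=True)
    # The remint repository expects the private key as key.der; convert the PEM key first, e.g.
    # openssl pkey -in server.key -outform DER -out key.der
    return csr

if __name__ == "__main__":
    # Constructed sample values, not a real zone.
    dn = console_fields_to_dn("Example Corp", "IT", "Provo", "Utah", "US")
    cfg = openssl_config(dn, "zen1.example.com", ["*.example.com"], 2048)
    print(cfg)
    print(generate_csr("csr-out", cfg, 2048))
```

Submit the resulting server.csr to the external CA, and keep server.key on the server it was generated on; the signed chain and the DER-converted key are what Step 9 expects in the remint repository.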
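Step 9 describes a folder layout (server.<ext> with a fixed set of extensions, DER or PEM, complete chain, plus key.der) that is easy to get slightly wrong and is only discovered when the remint fails. The script below is an added example, not ZENworks code: it checks a remint repository, or an in-memory listing of one, against the rules stated on the page. The PEM/DER sniffing and the chain-count heuristic are this example's own (a plain DER file can only hold one certificate, so a chain needs PEM or PKCS#7); ZENworks' exact acceptance rules are not documented here, which is why those cases are reported as warnings rather than errors. `sample_pem_chain` is a constructed placeholder with no real certificate inside.

```python
from pathlib import Path

ALLOWED_EXT = (".der", ".cer", ".crt", ".p7b", ".pem", ".cert")
REPO_PATHS = {"windows": r"%zenworks_home%\remint-repo",
              "linux": "/opt/novell/zenworks/remint-repo"}

def encoding_of(data: bytes) -> str:
    """'pem' for PEM armor, 'der' when the file opens with a DER SEQUENCE, else 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"

def check_remint_repo(files: dict) -> list:
    """files maps file name -> content. Returns (level, message) findings: 'error' means the
    folder breaks a rule from the page, 'warn' is a heuristic worth a look. Empty list = ready."""
    findings = []
    certs = [n for n in files if n.lower().startswith("server.") and n.lower().endswith(ALLOWED_EXT)]
    strays = [n for n in files if n.lower().startswith("server.") and n not in certs]
    if not certs:
        findings.append(("error", "no server.<ext> certificate; allowed: " + ", ".join(ALLOWED_EXT)))
    elif len(certs) > 1:
        findings.append(("error", f"several server.* certificates present: {sorted(certs)}"))
    for s in strays:
        findings.append(("error", f"{s}: extension not accepted"))
    if "key.der" not in files:
        findings.append(("error", "private key key.der is missing"))
    elif encoding_of(files["key.der"]) != "der":
        findings.append(("error", "key.der is not DER encoded (PEM armor or unknown bytes)"))
    for name in certs:
        enc = encoding_of(files[name])
        is_p7b = name.lower().endswith(".p7b")
        if enc == "unknown":
            findings.append(("error", f"{name}: neither PEM nor DER"))
        elif enc == "pem" and not is_p7b and files[name].count(b"-----BEGIN CERTIFICATE-----") < 2:
            findings.append(("warn", f"{name}: one PEM block; the complete chain is expected"))
        elif enc == "der" and not is_p7b:
            findings.append(("warn", f"{name}: a plain DER file holds one certificate; chains need PEM or .p7b"))
    return findings

def is_ready(findings: list) -> bool:
    return not any(level == "error" for level, _ in findings)

def check_directory(path) -> list:
    """Run the check against a real remint-repo folder, e.g. REPO_PATHS['linux']."""
    return check_remint_repo({f.name: f.read_bytes() for f in Path(path).iterdir() if f.is_file()})

def sample_pem_chain() -> bytes:
    """Constructed placeholder: two armored blocks with no real certificate inside."""
    block = b"-----BEGIN CERTIFICATE-----\nUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
    return block * 2

if __name__ == "__main__":
    # Constructed listing; on a server use check_directory(REPO_PATHS["linux"]) instead.
    for level, msg in check_remint_repo({"server.pem": sample_pem_chain(), "key.der": b"\x30\x82\x04\xbd"}):
        print(level, msg)
```

Run `check_directory` on each Primary Server and Authentication Satellite Server before clicking Finish; a clean result means the folder at least matches the naming and encoding rules the page sets out.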

1.2.5 Canceling a Change CA

When you initiate a Change CA, in the Zone Certificate Authority pane, a message is displayed indicating that the Change CA operation has been initiated. This message includes a Cancel button. To cancel the Change CA operation:

  1. Click the Cancel button. A dialog is displayed asking you to confirm that you want to cancel the operation.

  2. After you confirm, a message is displayed indicating the progress of the cancel operation. If the cancel is successful, all the buttons in the Zone Certificate Authority pane are enabled. If the cancel operation fails, a failure message is displayed. You can clear the message and try the Cancel operation again.

    If the cancel succeeds, the Change CA operation is canceled. The Cancel button is disabled ten minutes before the activation time.

1.2.6 Moving the CA Role

When hardware has to be upgraded, or is approaching end-of-life, or for various other reasons, you may need to select a new certificate authority for the zone. To move the certificate authority, select a new Primary Server that will henceforth serve as the certificate authority for the zone.

To move the certificate:

  1. Click Configuration > Certificates.

  2. Click the Move CA Role button.

  3. In the Move Certificate Authority dialog, click the browse icon to select the Primary Server that will become the new CA.

  4. Select the required server from the list of Primary Servers.

  5. Click OK.

    The Certificate server field in the Zone Certificate Authority panel will reflect the selected server as the new CA.

1.2.7 Taking a Backup of the Certificate Authority

Using the Backup CA feature, you can back up the internal certificate authority for ZENworks.

To back up the internal CA certificate:

  1. In the Zone Certificate Authority pane, click Backup CA.

  2. Specify a Passphrase.

    This passphrase is required when you want to perform a restore. The passphrase should contain at least 10 characters.

  3. Re-type the passphrase in the Confirm field.

  4. Click OK.

    A zip file will be downloaded to the browser’s default download directory or the user will be prompted to save the zip file in a particular directory.

1.2.8 Restoring the Certificate Authority

Using the Restore CA feature, you can restore the internal certificate authority for ZENworks onto the same server from which the backup was created, or onto another server.

To restore the internal CA certificate:

  1. In the Zone Certificate Authority pane, click Restore CA.

  2. Click Browse to navigate to the backup file, then select it.

  3. Click the browse icon to select the Primary Server to which you want to restore the backed up CA.

    After the CA is restored, the server will be assigned the CA role.

    If the CA is restored on the server from which the backup was created, the CA role stays with that server. If you selected a different server to restore the CA on, the role is moved to that server.

  4. Specify the Passphrase that was used while creating the backup.

  5. Click OK.

    The Certificate server field in the Zone Certificate Authority panel will now reflect the chosen server as the new CA.

1.2.9 Reminting the Certificate Authority

If the certificate authority certificate expires, devices will be unable to establish an SSL connection to the server. It is important that before this occurs, you renew or remint the internal CA certificate and distribute this certificate to your managed devices.

When you remint the CA, the Primary Server and Authentication Satellite Server certificates will get reminted automatically.

NOTE: In the case of an internal CA, one of the Primary Servers in the zone will have the CA role. The certificates for all Primary Servers will be issued by the CA Server.

To remint the internal CA certificate:

  1. In the Zone Certificate Authority pane, click Remint CA.

  2. Confirm that you want to remint the CA by selecting Yes, I want to remint the certificate authority. The remaining fields are activated.

  3. Specify the following information:

    • Common name: Specify a common name for the CA. By default, the zone name is displayed.

    • Key length: Specify the key length.

    • Valid for (years): Specify the number of years for which the certificate should be valid. Specify a value between 1 and 10.

  4. Select Include any additional DNS names for each server, if you want the additional DNS names configured for the servers to be part of the Subject Alternative Name of their respective certificates.

    NOTE: The additional DNS names for a device can be configured on the Settings tab of the device.

  5. Specify the Certificate activation date and time.

    You can select any date that is prior to the expiration of the current CA. Ensure that you include adequate time for the associated system update to be applied on all the devices.

    IMPORTANT: If the certificate activation time passes before the system update is applied on the devices, these devices will not be able to communicate with Primary Servers on which the new certificate has already been activated. You will then need to run the Certificate Remint Tool on these devices.

    If the CA has already expired, the activation time will be labeled as Immediate, and you will need to run the Certificate Remint Tool on all the devices apart from the new CA server. On the new CA server, the Certificate Remint Tool will be launched automatically.

  6. Click OK.

    A message is displayed in the Zone Certificate Authority pane, indicating that the Remint CA operation has been initiated. As part of the Remint CA process, ZENworks will create a system update, the content of which will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. You can click the current replication status link to view the list of servers along with their respective content replication statuses. After the replication is complete, the system update will be automatically assigned to all devices in the zone. The CRT will be created on the new CA server. On other Primary Servers, it will be created only after the SU is assigned, to ensure that the content is replicated.

    At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link. The system update will get assigned to all devices in the zone. For successful completion, we recommend that you ensure that the content is available on the content servers before assigning the system update.

    NOTE: If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.

    The system update status for the Primary Servers and Authentication Satellite Servers can be viewed in the ZENworks Server SSL Certificate panel. The future certificate for these servers can be viewed from the Options column. The system update status for the other devices can be tracked from the System Updates page.

    IMPORTANT: If there are 10.3.4 devices in the zone, ensure that all the managed devices are refreshed after the future certificates of all the Primary Servers are available in the database. All other devices need to be refreshed if the subject has been changed for any of the Primary Server certificates. If the devices are not refreshed, communication between the managed devices and the Primary Servers will break.

1.2.10 Canceling a CA Remint

When you initiate a CA remint, a message is displayed in the Zone Certificate Authority pane indicating that the CA remint operation has been initiated. This message includes a Cancel button. To cancel the CA remint:

  1. Click the Cancel button. A dialog is displayed asking you to confirm that you want to cancel the operation.

  2. After you confirm, a message is displayed indicating the progress of the cancel operation. If the cancel is successful, all the buttons in the Zone Certificate Authority pane are enabled. If the cancel operation fails, a failure message is displayed. You can clear the message and try the Cancel operation again.

    If the cancel succeeds, the CA remint operation is canceled. The Cancel button is disabled ten minutes before the activation time. Even when the CA remint can no longer be canceled, you can still cancel the system update for an individual device by using the Ignore Device option on the System Update page.