11.0 Creating the SSL Certificate

ZENworks Primary Servers communicate with ZENworks managed devices using the HTTPS protocol. This secure communication requires that the ZENworks Management Zone have a defined Certificate Authority (CA) and that each Primary Server have its own server certificate issued by the zone's CA.

ZENworks includes an internal ZENworks CA. If you use the internal ZENworks CA, it is created during installation of the first Primary Server. Each subsequent Primary Server you install is issued a certificate signed by the ZENworks CA.

We recommend that you use the internal ZENworks CA unless your corporate security policies do not allow you to do so. The internal ZENworks CA lasts 10 years and simplifies use of various ZENworks features such as Remote Management. The certificate validity should be between 1 and 10 years. If you plan to use the server as an MDM server, then to ensure communication with iOS and Mac devices, the certificate validity should not exceed 2 years.

If you cannot use the internal ZENworks CA, you can use an external CA and provide external server certificates for each Primary Server you install. See the following sections for detailed instructions on using external certificates:

The following are the acceptable formats for Root certificate and Server certificate with Private Key:

  • Root certificate: The top-level certificate in the certificate tree issued by the CA that signed the Server certificate and any intermediate certificate chains. It supports the .pem, .crt, .cer, .der, .p7b, or .p7c file format.

  • Server certificate:It is a signed certificate that is used for the ZENworks server. It supports the .pem, .crt, .cer, .der, .p7b, or .p7c file format.

  • Private key: The private key file that is associated with the signed server certificate. It supports the .der file format.

You can convert your certificate or key to ZENworks acceptable formats using the openssl command line tool (available as part of most Linux distributions or as part of the cygwin tool set).

For example, convert your PEM encoded private key to DER encoded thusly:

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

PEM encoded certificate to DER encoded thusly:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER