6.5 Digital Certificates

The Service Desk Appliance ships with a self-signed digital certificate. Instead of using this self-signed certificate, you must use a trusted server certificate that is signed by a trusted Certificate Authority (CA) such as VeriSign or Equifax, which is a paid service. Alternatively, if your organization permits, you can use a free CA such as AD, eDir, or openldap. Also, update your certificate when you update the Service Desk Appliance software.

Complete the procedures in the following sections to change the digital certificate for your Service Desk Appliance. You can use the digital certificate tool to create your own certificate and then have it signed by a CA, or you can use an existing certificate and key pair.

6.5.1 Using the Digital Certificate Tool

You can perform the following using this page:

Creating a Self-Signed Certificate

  1. On the Service Desk Appliance home page, under Appliance Management, click Digital Certificates.

  2. In the Key Store drop-down list, ensure that Web Application Certificates is selected.

  3. Click File > New Certificate (Key Pair).

  4. In the Key Certificate (Key Pair) page, specify the following information:

    • Alias: A name that you want to use to identify and manage the certificate.

    • Validity (days): How long you want the certificate to be valid.

    • Key Algorithm: Select RSA or DSA.

    • Key Size: The required key size.

    • Signature Algorithm: The required signature algorithm.

    • Common Name (CN): This must match the server name in the URL in order for browsers to accept the certificate for SSL communication.

    • Organizational Unit (OU): (Optional) Organizational unit name, such as a department or division.

    • Organization (O): (Optional) Organization name.

    • City or Locality (L): (Optional) City name.

    • State or Province (ST): (Optional) State or province name.

    • Two-letter Country Code (C): (Optional) Two-letter country code. For example, US.

  5. Click OK to create the certificate.

    After creating the self-signed certificate, you can use the certificate in Service Desk.

    You can also have the certificate signed by a trusted CA. Signing the certificate is optional but recommended. For information, see Officially Signing Your Certificate.

Officially Signing Your Certificate

  1. On the Digital Certificates page, select the certificate that is created, then click File > Certificate Requests > Generate CSR.

  2. Share your digital certificate with a certificate authority (CA), such as VeriSign.

    The CA accepts your Certificate Signing Request (CSR) and generates an official certificate based on the CSR information. The CA then shares the new certificate and certificate chain.

  3. After receiving the official certificate and certificate chain:

    1. Go to the Appliance Configuration page and click Digital Certificates.

    2. Click File > Import > Trusted Certificate. Browse for the trusted certificate chain that you received from the CA (including any intermediate certificate received from the CA or a subordinate CA), then click OK.

    3. Select the self-signed certificate, then click File > Certification Request > Import CA Reply.

    4. Browse for and upload the official certificate (Server Certificate) to be used to update the certificate information.

    5. On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.

  4. Activate the certificate. For information, see Activating the Certificate.

6.5.2 Using an Existing Certificate and Key Pair

When you are using an existing certificate and key pair, use a .P12 or .pfx key pair format.

  1. On the Digital Certificates page, in the Key Store drop-down, select Web Application Certificate.

  2. Click File > Import > Trusted Certificate. Browse for and select your existing certificate, then click OK.

  3. Click File > Import > Trusted Certificate. Browse for and select your existing certificate chain for the certificate that you selected in Step 2, then click OK.

  4. Click File > Import > Key Pair, then browse for and select the .P12 or .pfx key pair file, specify the password if required, then click OK.

  5. Activate the certificate. For information, see Activating the Certificate.

6.5.3 Activating the Certificate

  1. On the Digital Certificates page, in the Key Store drop-down, select Web Application Certificates.

  2. Select the certificate that you want to activate, click Set as Active, then click Yes.

  3. Verify that the certificate and the certificate chain were created correctly by selecting the certificate, then clicking View Info.

  4. Restart the service.

6.5.4 Managing Certificates

All certificates that are included with the Oracle Java package bundled with the version of SLES that Service Desk Appliance ships with are installed when you install Service Desk Appliance.

You can use the Digital Certificates tool on the Service Desk Appliance to remove certificates that are not used by your organization.

Also, you can use the Digital Certificates tool on the Service Desk Appliance to maintain the certificate store by removing certificates that are expired and then installing new certificates as required, according to your organization’s security policies.

To access the Digital Certificates tool:

  1. On the Service Desk Appliance home page, under Appliance Management, click Digital Certificates.

In the Key Store drop-down, under Web Application Certificates, all certificates are displayed. You can delete the unused certificates as required.

IMPORTANT: The active certificate must not be deleted.

6.5.5 Renewing Certificates

Depending on your current certificate status, the ZENworks Service Desk certificate can be renewed by following one of these scenarios:

Scenario 1: If the certificate is still valid and you want to use the same certificate.

  1. Share the CSR with the Certificate Authority.

  2. Get the official server certificate and certificate chain, based on the CSR, from the CA.

  3. Import the certificate to ZENworks Service Desk by performing the following steps:

    1. Go to the Appliance Configuration page and click Digital Certificates.

    2. Click File > Import > Trusted Certificate. Browse for the trusted certificate chain that you received from the CA, then click OK.

    3. Select the self-signed certificate, then click File > Certification Request > Import CA Reply.

    4. Browse for and upload the official certificate to be used to update the certificate information.

    5. On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.

  4. Activate the certificate. For information, see Activating the Certificate.

Scenario 2: If the certificate has expired, or you want to use a new certificate

  1. On the Digital Certificates page, select the certificate that is created, then click File > Certificate Requests > Generate CSR.

  2. Share the CSR with the Certificate Authority.

  3. Get the official server certificate and certificate chain, based on the CSR, from the CA.

  4. Import the certificate to ZENworks Service Desk by performing the following steps:

    1. Go to the Appliance Configuration page and click Digital Certificates.

    2. Click File > Import > Trusted Certificate. Browse for the trusted certificate chain that you received from the CA, then click OK.

    3. Select the self-signed certificate, then click File > Certification Request > Import CA Reply.

    4. Browse for and upload the official certificate to be used to update the certificate information.

    5. On the Digital Certificates page, the name in the Issuer column for your certificate changes to the name of the CA that stamped your certificate.

  5. Activate the certificate. For information, see Activating the Certificate.

NOTE: As recommended by top CAs, even though the certificate is being renewed, a new certificate is in turn created every time.

6.5.6 Service Desk Ciphers

The following ZENworks Service Desk ciphers are available in the server.xml file:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_RSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, 
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, 
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, 
TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,
SSL_RSA_WITH_RC4_128_MD5, 
SSL_RSA_WITH_RC4_128_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, 
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, 
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, 
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, 
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
TLS_RSA_WITH_AES_128_CBC_SHA, 
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA256
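
The list above mixes forward-secret AEAD suites with RC4, MD5, static-key-exchange and CBC suites, so it is worth auditing what server.xml actually enables. The following is an added example, not code shipped with Service Desk: it assumes a Tomcat-style Connector element with a ciphers attribute (the appliance's real server.xml layout may differ) and runs against a constructed sample that carries five suites from the list.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. The Connector element and ciphers attribute are assumptions
# about the server.xml layout; the suite names are taken from the list above.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" SSLEnabled="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256,
             TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5,
             TLS_DHE_DSS_WITH_AES_256_CBC_SHA256"/>
</Service></Server>"""

# <TLS|SSL>_<key exchange>_WITH_<cipher>_<hash>; the trailing hash is the MAC
# for CBC/RC4 suites and the PRF hash for GCM suites.
SUITE_RE = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_WITH_(?P<enc>.+)_(?P<mac>[A-Z0-9]+)$")

def findings(suite):
    """Return the list of weaknesses for one JSSE-style cipher suite name."""
    m = SUITE_RE.match(suite)
    if not m:
        return ["unparsed name"]
    kx, enc, mac = m.group("kx"), m.group("enc"), m.group("mac")
    out = []
    if "RC4" in enc:
        out.append("RC4 stream cipher (prohibited by RFC 7465)")
    if mac == "MD5":
        out.append("MD5 MAC")
    if not kx.startswith(("DHE_", "ECDHE_")):
        out.append("no forward secrecy (static %s key exchange)" % kx)
    if enc.endswith("CBC"):
        out.append("CBC mode (non-AEAD)")
    return out

def audit(server_xml):
    """Map every suite configured on any Connector to its findings."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        names = (s.strip() for s in conn.get("ciphers", "").split(","))
        for suite in filter(None, names):
            report[suite] = findings(suite)
    return report

if __name__ == "__main__":
    for suite, issues in audit(SAMPLE_SERVER_XML).items():
        print(f"{suite}: {'; '.join(issues) or 'ok'}")
```

Suites that return an empty finding list are the ones to keep first in the configured order; any change to server.xml takes effect only after the service is restarted.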