Since ZCM 10.3.1 and ZCM 11.0, the way in which ZENworks can deal with expiring externally-signed Primary Certificates has greatly improved.
Introduction to Certificates in ZENworks
The ZENworks agent checks-in to a ZENworks ZONE using the HTTPS protocol and therefore a handshake process is required to establish a secure communication. This handshake is achieved by the agent firstly trusting the chosen CA and secondly having a local cache of each Primary Server’s cert. Agent communication in this manner allows for very flexible infrastructure choices and permits certain freedoms to the administrator, such as the ability to very easily manage devices outside of the firewall.
ZENworks Configuration Management provides the choice of using an external Certificate Authority (CA) or an internal ZENworks CA. If an internal CA is chosen, the ZENworks CA is created during the installation of the first ZENworks Primary Server and is used throughout the life of that ZENworks Management Zone.
When using the internal CA, as each subsequent Primary Server is installed, its certificate is signed by the ZENworks CA. The current lifespan of the internal certificate is ten years. When using an external CA, each Primary Server installation requires a signed certificate to be provided by the Administrator. The first Primary Server also requires the CA’s public certificate.
The CA’s certificate is distributed to all managed devices as part of the ZENworks Adaptive Agent installation. This lets each Adaptive Agent connect to any Primary Server because each server’s certificate is signed by the now trusted CA. Each Primary Server’s certificate is automatically distributed to every Managed Device as part of the configuration refresh.
As the expiry period for Primary Server certificates signed by the internal CA is 10 years, the issue of expiration is something that we do not need to deal with in the immediate future. However, when using an external CA the expiration is often 1 or 2 years for the Primary Server certificates. If a Primary Server certificate expires, agent communication with that Primary Server will not occur.
How to address expiring certificates
In order to address this issue ZENworks has the capability of allowing new Primary Server certificates (that have been signed by an external CA) to be imported into the Zone, and then automatically distributed to all Managed Devices as part of the standard configuration refresh.
To add a new Primary Server certificate use the following command:
This command should be used before the existing certificate expires. Once the Administrator is satisfied that every Managed Device has received the updated certificates via the configuration refresh, the following command needs to be run at the backend to instruct the Primary Servers to use the new certificate when establishing an SSL connection with a Managed Device:
novell-zenworks-configure -c SSL -Z
To try and make sure we never get to the point where by a server’s cert expires, the ZENworks Control Center will automatically inform the Administrator from 90 days before the certificate is going to expire.
Finally, in the event the Certificate Authority itself is going to expire, or the new certificates were signed by a new CA, the new CA’s certificate needs to be installed into the trusted root store of each Managed Device. To achieve this, the following steps need to be automated with a ZENworks Bundle and be executed on each agent before the CA certificate expires:
1. Copy the new CA certificate to the device
2. Import the new CA certificate using the following command:
Most customers I speak to use the ZENworks CA, but there are some customers out there are either using certs signed by authorities such as VeriSign and Thawte, and more commonly customers are using their own internal Certificate Authority to maintain standards. We hope these options make your lives a little easier..