Cool Solutions

ZENworks – Managing Expired Certificates



March 14, 2011 11:13 am

Since ZCM 10.3.1 and ZCM 11.0, the way in which ZENworks can deal with expiring externally-signed Primary Certificates has greatly improved.

Introduction to Certificates in ZENworks

The ZENworks agent checks in to a ZENworks Zone over HTTPS, so a TLS handshake is required before any secure communication can take place. The handshake succeeds because the agent, first, trusts the chosen CA and, second, holds a local cache of each Primary Server's certificate. Communicating in this manner allows for very flexible infrastructure choices and gives the administrator certain freedoms, such as the ability to manage devices outside the firewall with very little effort.

ZENworks Configuration Management provides the choice of using an external Certificate Authority (CA) or an internal ZENworks CA. If an internal CA is chosen, the ZENworks CA is created during the installation of the first ZENworks Primary Server and is used throughout the life of that ZENworks Management Zone.

When using the internal CA, as each subsequent Primary Server is installed, its certificate is signed by the ZENworks CA. The current lifespan of the internal certificate is ten years. When using an external CA, each Primary Server installation requires a signed certificate to be provided by the Administrator. The first Primary Server also requires the CA’s public certificate.

The CA’s certificate is distributed to all managed devices as part of the ZENworks Adaptive Agent installation. This lets each Adaptive Agent connect to any Primary Server because each server’s certificate is signed by the now trusted CA. Each Primary Server’s certificate is automatically distributed to every Managed Device as part of the configuration refresh.

Because Primary Server certificates signed by the internal CA last 10 years, their expiry is not something that needs to be dealt with in the immediate future. External CAs, however, typically issue Primary Server certificates that are valid for only 1 or 2 years. If a Primary Server certificate expires, agents can no longer complete the SSL handshake with that server, so communication with that Primary Server stops.

How to address expiring certificates

To address this, ZENworks allows new Primary Server certificates (signed by an external CA) to be imported into the Zone and then automatically distributed to all Managed Devices as part of the standard configuration refresh.

To add a new Primary Server certificate use the following command:

zman server-add-certificate

This command must be run before the existing certificate expires. Once the Administrator is satisfied that every Managed Device has received the updated certificates via the configuration refresh, the following command needs to be run on the Primary Servers to instruct them to use the new certificate when establishing an SSL connection with a Managed Device:

novell-zenworks-configure -c SSL -Z

To help ensure that a server's certificate never actually reaches its expiry date, ZENworks Control Center automatically warns the Administrator starting 90 days before the certificate is due to expire.

Finally, if the Certificate Authority itself is going to expire, or the new certificates were signed by a different CA, the new CA's certificate needs to be installed into the trusted root store of each Managed Device. Agents must trust the new CA before the Primary Servers switch to certificates signed by it, otherwise the handshake fails. To achieve this, the following steps need to be automated with a ZENworks Bundle and executed on each agent before the CA certificate expires:

1. Copy the new CA certificate to the device
2. Import the new CA certificate using the following command:

zac cert-info
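The following script is an added example, not code from the original article or from Novell. It wraps the server-side part of the procedure above in a few pre-flight checks a practitioner would want before running `zman server-add-certificate`: it reads the notAfter dates of the current and replacement certificates with openssl, classifies them against the 90-day warning window the article mentions, confirms the replacement chains to the CA the agents already trust, and only then adds it, printing the `novell-zenworks-configure -c SSL -Z` reminder for after the configuration refresh. It assumes a Linux Primary Server with openssl and GNU date on PATH, PEM-encoded certificate files, and the argument order `zman server-add-certificate <server> <certificate-file>`; none of these are confirmed by the article.

```bash
#!/bin/bash
# Added example, not code from the original article or from Novell.
# Pre-flight checks and the add step for rolling a new, externally signed
# Primary Server certificate into a ZENworks zone before the old one expires.
#
# Assumptions not confirmed by the article: a Linux Primary Server with
# openssl and GNU date on PATH, PEM-encoded certificate files, and the
# argument order "zman server-add-certificate <server> <certificate-file>".

WARN_DAYS=90   # ZCC starts warning the administrator 90 days before expiry

# Whole days from epoch second $1 to epoch second $2 (negative if $2 is earlier).
days_between() {
    echo $(( ($2 - $1) / 86400 ))
}

# Days left until the notAfter date of the PEM certificate in $1.
days_until_expiry() {
    local not_after
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2) || return 1
    days_between "$(date +%s)" "$(date -d "$not_after" +%s)"
}

# Classify a remaining-days value the way ZCC would: ok, warn or expired.
expiry_state() {
    if [ "$1" -lt 0 ]; then
        echo expired
    elif [ "$1" -le "$WARN_DAYS" ]; then
        echo warn
    else
        echo ok
    fi
}

# True when the server certificate in $2 chains to the CA certificate in $1,
# i.e. to the CA the managed devices already trust.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the replacement certificate in $2 outlives the current one in $1.
replacement_lasts_longer() {
    local old new
    old=$(days_until_expiry "$1") || return 1
    new=$(days_until_expiry "$2") || return 1
    [ "$new" -gt "$old" ]
}

# Server-side rollout: refuse to add a certificate that is itself about to
# expire, that does not chain to the trusted CA, or that is no better than
# the one it replaces. Usage: main <server> <ca.pem> <current.pem> <new.pem>
main() {
    local server=$1 ca=$2 current=$3 new=$4 left state

    left=$(days_until_expiry "$current") || { echo "cannot read $current"; return 1; }
    state=$(expiry_state "$left")
    echo "current certificate: $left day(s) left ($state)"
    if [ "$state" = expired ]; then
        echo "already expired: agents will not check in, so ZENworks cannot deliver the new certificate"
        return 1
    fi

    left=$(days_until_expiry "$new") || { echo "cannot read $new"; return 1; }
    if [ "$(expiry_state "$left")" != ok ]; then
        echo "replacement has only $left day(s) left; request a new one"
        return 1
    fi
    if ! chains_to_ca "$ca" "$new"; then
        echo "replacement does not chain to $ca: agents will not trust it;"
        echo "distribute the new CA certificate with a bundle (zac cert-info) first"
        return 1
    fi
    replacement_lasts_longer "$current" "$new" || { echo "replacement expires no later than the current certificate"; return 1; }

    zman server-add-certificate "$server" "$new" || return 1
    echo "added. After every device has refreshed its configuration, run on each Primary Server:"
    echo "  novell-zenworks-configure -c SSL -Z"
}

# Only run the rollout when invoked with the four arguments; the helper
# functions above can be sourced and called on their own.
if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

The expired branch exists because of the point the article makes: once a Primary Server certificate has expired, agents no longer check in, so the configuration refresh that would carry the new certificate never happens and the rollout has to be done outside ZENworks. The chain check matters for the same reason as the CA step above: a server certificate signed by a CA the agents do not yet trust will fail the handshake even though it is perfectly valid.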

Most customers I speak to use the ZENworks CA, but some use certificates signed by public authorities such as VeriSign and Thawte, and, more commonly, customers use their own internal Certificate Authority to meet their standards. We hope these options make your lives a little easier.


Categories: Technical, ZENworks Configuration Management

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

3 Comments

  1. By:maguirre

    This info is great, but what about when the certificates are already expired??

    What are the steps to import new valid certificates and distribute among servers and workstations?

    Regards,

    • By:aphilp

      That was touched on, although only in a single sentence
      [snip]
      If a Primary Server certificate expires, agent communication with that Primary Server will not occur.
      [/snip]

      If cert(s) have already expired, you are in a world of pain as managed devices will not check-in. You will need to manage the certificate delivery process outside of ZENworks. This is why the ZCC nags the administrator from 90 days before expiry.

  2. By:peterhine

    “Once the Administrator is satisfied that every Managed Device has received the updated certificates via the configuration refresh”

    By what magic will we know that the cert/CA is now out and about?

    This is where an actual GUI procedure would be best. It could tell you how far and wide the certificate has gone.

    Unless …

    there is a zman command ……

    peter

