1.3 Managing the Server Certificates

The ZENworks Server SSL Certificates pane in ZCC enables you to view information about the SSL certificates that are issued to the ZENworks Primary Servers and Authentication Satellite Servers in the zone. Using this panel, you can view and remint certificates for one or more devices. The information that is displayed includes the following:

  • Issued To: The server to which the certificate is issued. Click the server to view its details.

  • Subject: The Fully Qualified Domain Name (FQDN) of the server to which the certificate is issued.

  • Issued By: The CA that issued the certificate.

  • Valid From: The date and time, in the user’s time zone, from which the certificate is valid.

  • Expires On: The date and time, in the user’s time zone, on which the certificate expires.

  • MD5 Fingerprint: The MD5 digest of the certificate data.

  • SHA1 Fingerprint: The SHA1 digest of the certificate data.

  • Certificate Status: Shows the status of the current certificate as active or expired. If a remint is in progress, the certificate-creation status is displayed. For more information, see Certificate Status.

  • Options: Provides options to view the future certificate and download the CSR based on the remint operation that is in progress.

  • Update Status: If a remint operation is in progress, the status of the associated system update is displayed.

  • Version: The version of ZENworks installed on the servers.

For information on the Change CA or Remint CA process, see Configuring the Certificate Authority.

NOTE:From ZENworks 2020 Update 3 onwards, during a CA remint the certificate system update is assigned to devices automatically as soon as it is created.

This section provides the following information:

1.3.1 Certificate Status

When a server certificate remint is in progress, the certificate status can be any of the following:

For Internal Certificates:

  • New certificate created - The future certificate is available.

  • Creating certificate failed - An error occurred while creating the future certificate.

For External Certificates:

  • CSR generated - The Certificate Signing Request (CSR) has been generated for the future certificate of the corresponding server. The administrator must download the CSR using the download button and have it signed by the external certificate authority. After receiving the new server certificate that corresponds to the CSR, the administrator imports the certificate using ZENworks Control Center.

  • CSR generation failed - An error occurred while generating the CSR. In this case, the administrator can correct the cause of the failure (if any), manually select the server for which CSR generation failed and generate the CSR again, or redeploy the system update for the device.

  • New certificate uploaded - The future certificate has been imported into the database.

1.3.2 Reminting Server Certificates

If your server certificate expires, devices will be unable to establish an SSL connection to the server. It is important that before this occurs, you renew or remint the certificate and distribute this certificate to your managed devices.

NOTE:The following are the acceptable formats for Root certificate and Server certificate with Private Key:

  • Root certificate: The top-level certificate in the certificate tree issued by the CA that signed the Server certificate and any intermediate certificate chains. It supports the .pem, .crt, .cer, .der, .p7b, or .p7c file format.

  • Server certificate: The signed certificate that is used for the ZENworks server. It supports the .pem, .crt, .cer, .der, .p7b, or .p7c file format.

  • Private key: The private key file that is associated with the signed server certificate. It supports the .der file format.

You can convert your certificate or key to a ZENworks-acceptable format using the openssl command-line tool (available in most Linux distributions or as part of the Cygwin tool set).

For example, to convert a PEM-encoded private key to an unencrypted PKCS#8 DER-encoded key:

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

To convert a PEM-encoded certificate to DER encoding:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER
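As an added example (not code from the ZENworks documentation or product), the following pure-Python script does, without openssl, what the two commands in this section do for the files the remint repository expects: it unwraps a PEM certificate into DER for server.der and wraps a traditional RSA (PKCS#1) key into the unencrypted PKCS#8 DER that key.der must contain, refusing encrypted keys. It goes one step beyond the commands above by keeping a multi-certificate chain as server.pem, since one DER object holds only one certificate; the sample key and certificate bodies are constructed placeholders, not real key material.

```python
import base64
import re

# DER-encoded OID 1.2.840.113549.1.1.1 (rsaEncryption), tag and length included.
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")
_PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample input (not a real key or certificate): a tiny DER SEQUENCE in PEM wrappers.
SAMPLE_PKCS1 = b"\x30\x03\x02\x01\x00"
SAMPLE_KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_PKCS1)
                  + b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_PKCS1)
                   + b"-----END CERTIFICATE-----\n")


def pem_blocks(data):
    """Return [(label, der_bytes)] for every PEM block found in data."""
    return [(m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split())))
            for m in _PEM_BLOCK.finditer(data)]


def _der(tag, content):
    """Minimal DER tag-length-value encoder (definite-length form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def pkcs1_to_pkcs8(pkcs1_der):
    """Wrap an RSA PKCS#1 key in an unencrypted PKCS#8 PrivateKeyInfo,
    the same layout that 'openssl pkcs8 -topk8 -nocrypt' produces."""
    version = _der(0x02, b"\x00")                               # INTEGER 0
    algorithm = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL params
    return _der(0x30, version + algorithm + _der(0x04, pkcs1_der))


def key_to_der(key_data):
    """Return the private key as unencrypted PKCS#8 DER, the form key.der must hold."""
    if key_data[:1] == b"\x30":                        # already DER (SEQUENCE tag): pass through
        return key_data
    if b"Proc-Type: 4,ENCRYPTED" in key_data:          # legacy encrypted PEM header
        raise ValueError("encrypted key: decrypt it first, key.der must be unencrypted")
    blocks = pem_blocks(key_data)
    if len(blocks) != 1:
        raise ValueError("expected exactly one PEM private key block")
    label, der = blocks[0]
    if label == "PRIVATE KEY":                         # already PKCS#8; only the base64 wrapper differs
        return der
    if label == "RSA PRIVATE KEY":                     # traditional PKCS#1 layout needs the PKCS#8 wrapper
        return pkcs1_to_pkcs8(der)
    raise ValueError("unsupported key type: " + label)  # covers ENCRYPTED PRIVATE KEY, EC keys, ...


def cert_to_remint_file(cert_data):
    """Return (file name, bytes) for the certificate file placed in remint-repo."""
    if cert_data[:1] == b"\x30":
        return "server.der", cert_data
    certs = [der for label, der in pem_blocks(cert_data) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(certs) == 1:
        return "server.der", certs[0]
    return "server.pem", cert_data                     # a chain cannot be one DER object; keep PEM
```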

The procedure detailed in this section is the same for a zone with one or more Primary Servers.

If a server certificate has already expired, then a dialog box with the following error message is displayed:

"The following certificates are about to expire or have expired. You should update the certificates as soon as possible to avoid a loss of communication between devices and services. 
<Name of the certificate> server certificate has expired".

For more information on reminting an expired server certificate, see A server certificate has expired in the Troubleshooting section.

Remint Server Certificates When the CA Is Internal

To renew or remint the internal server certificates, select one or more servers, then click Remint Certificate.

NOTE:Based on the operation(s) initiated from the Certificates page, the Remint Certificate option might not be enabled until these operations are complete. For example, when a Remint CA or Change CA is in progress, this option will not be available.

  1. Confirm that you want to remint the certificate by selecting Yes, I want to remint the certificate for this server. The remaining fields are then activated.

  2. Specify the Common name for the certificate.

    By default, the Fully Qualified Domain Name (FQDN) of the server is displayed. If you have selected multiple servers, or if the selected server has associated satellites, this field will not be displayed.

  3. Specify the Key length.

  4. Select Include any additional DNS names for each server, if you want the additional DNS names configured for the servers to be part of the Subject Alternative Name of their respective certificates.

    NOTE:If you selected a single server, the additional DNS names configured for this server are displayed. However, if there are no additional DNS names configured for the server, you cannot select this option. The additional DNS names for the device can be configured by selecting the Settings tab of the device.

  5. Specify the Certificate activation date and time.

    You can select any date that is prior to the expiration of the current CA. Ensure that you include adequate time for the associated system update to be applied on all the devices.

  6. Specify a name for the system update that will be created to remint the certificate.

  7. Click OK.

    A message is displayed in the ZENworks SSL Certificates pane, indicating that the Remint Certificate operation has been initiated. As part of the Remint Certificate process, ZENworks will create a system update, the content of which will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. You can click the current replication status link to view the list of servers along with their respective content replication statuses.

    At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link. The system update will get assigned to the selected devices. For successful completion, we recommend that you ensure that the content is available on the content servers before assigning the system update. After you click the Assign Now link, a warning message is displayed that contains a selected servers link; clicking this link opens a popup listing the servers for which the remint has been initiated.

    NOTE:If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.

    The system update status for the targeted servers can be viewed in the ZENworks Server SSL Certificate panel. The future certificate for these servers can be viewed from the Options column.

    NOTE:It is not mandatory for mobile devices to sync with the server before the MDM Server certificate is activated.

Remint Server Certificates When the CA Is External

To remint server certificates when the CA is external, you need to first deploy the Remint system update to the device, then allow ZENworks to generate the CSR, or manually generate the CSR. If you choose to manually generate the CSR, you will need to generate the CSR and then import the certificate to the device.

When you remint the server certificate, you need to get the server certificate issued by the current zone CA (root CA) or any subordinate CA of the current zone CA. If the certificate is issued by a subordinate CA, you need to provide the complete certificate chain.

This section includes the following information:

Reminting the Server Certificate

  1. To renew or remint the external server certificates, select one or more servers, then click Remint Certificate.

    NOTE:If you plan to use the server as an MDM server, to ensure communication with iOS and Mac devices, you need to ensure that the issued certificate meets the following criteria:

    • Validity of the certificate does not exceed 2 years.

    • Key size is greater than or equal to 2048 bits.

    • Signature hash algorithm is from the SHA-2 family.

    • Alternate DNS name is specified in the certificate.

    • EKU (Extended Key Usage) value is specified as Server Authentication.

  2. Select how you want to generate the CSR for each server:

    • I will generate a CSR for each server manually: If you want to generate the CSR for each server manually, click Next and go to Step 3.

      NOTE:If you want to use external wildcard certificates for any of the Primary Servers, you need to use this option and generate the CSR using an external tool such as OpenSSL. ZENworks does not support the generation of CSRs for wildcard certificates. For more information on generating a CSR, see Generating a Certificate Signing Request (CSR).

    • Let ZENworks generate a CSR automatically for each server: If you want ZENworks to generate the CSR for all the servers automatically, specify the following information, then click Next:

      • Common name: The Fully Qualified Domain Name (FQDN) of the server. If you have selected multiple servers, this field will not be displayed.

      • Organization: Organization name.

      • Organization unit: Organizational unit name, such as a department or division.

      • City/Locality: City name or location.

      • State/Province: State or province name.

      • Country/region: Country or region. For example, US.

      • Key Length: Specify the key length.

      • Include any additional DNS names for each server: Select this option if you want the additional DNS names configured for the servers to be part of the Subject Alternative Name of their respective certificates.

        NOTE:The additional DNS names for a device can be configured by selecting the Settings tab of the device.

  3. Specify the Certificate activation date and time.

    You can select any date that is prior to the expiration of the server that has the earliest expiration date among the selected servers. Ensure that you include adequate time for the associated system update to be applied on all of the devices.

  4. Specify a name for the system update that will be created to remint the certificate.

  5. Click Finish.

    A message is displayed in the ZENworks SSL Certificates pane, indicating that the Remint Certificate operation has been initiated. As part of the Remint Certificate process, ZENworks will create a system update which will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. You can click the current replication status link to view the list of servers along with their respective content replication statuses. After the replication is complete, the system update will be automatically assigned to the selected devices. The certificate (CRT) is created on the server on which the remint operation was initiated. On the other Primary Servers, it is created only after the system update (SU) is assigned, to ensure that the content has been replicated.

    At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link. The system update will get assigned to the selected devices. For successful completion, we recommend that you ensure that the content is available on the content servers before assigning the system update. After you click the Assign Now link, a warning message is displayed that contains a selected servers link; clicking this link opens a popup listing the servers for which the remint has been initiated.

    NOTE:If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.

    The system update status for the targeted servers can be viewed in the ZENworks Server SSL Certificate panel. The Options column will enable you to download the CSRs, if any, and also view the future certificates.

    NOTE:It is not mandatory for mobile devices to sync with the server before the MDM Server certificate is activated.

  6. If you selected the I will generate a CSR for each server manually option in Step 2, you need to generate the certificates for the Primary Servers and Authentication Satellite Servers manually. The certificate (complete certificate chain) and private key must then be placed in the remint repository folder on each of these servers.

    • On Windows: %zenworks_home%\remint-repo

    • On Linux: /opt/novell/zenworks/remint-repo

    The certificate file must be named server, with one of the following extensions: .der, .cer, .crt, .p7b, .pem, or .cert.

    The certificate can be DER or PEM encoded. The private key file must be named key.der and must be a DER file, not a PEM file.

    If you selected the Let ZENworks generate a CSR automatically for each server option, you have to download the CSRs for each of the servers, get them signed by the CA, and then import the future certificates using the Import Certificate action. The CSRs are only available for download after the system update runs on the Primary Servers. This might take a while, depending on the ZeUS refresh interval, because the process does not begin immediately after the CSR generation task completes in ZCC for one or more Primary Servers. Wait until the CSRs are ready for download.

    NOTE:

    • The Generate CSR action can be used in the following scenarios:

      • You selected the I will generate a CSR for each server manually option in Step 2, but you want to use ZENworks to generate CSRs for one or more devices. In this case, you will need to import the certificate for the device using the Import Certificate action.

      • You selected the Let ZENworks generate a CSR automatically for each server option in Step 2, but you want to override the CSR for one or more devices. You can use the newly generated CSR to request the future certificate from the CA.

      To generate CSRs, select one or more servers, then click Generate CSR from the Actions menu. For more information, see Generating the CSR.

    • The subject in the certificate should be the Fully Qualified Domain Name (FQDN) of the server on which the ZENworks server is installed. Supported formats are .der, .cer, .crt, .p7b, .pem, and .cert.

      The private key format can be either binary or Base64.

      The certificate can be DER or PEM encoded. The private key file must be named key.der and must be a DER file, not a PEM file. For more information, see the convert the PEM file to DER file section in Appliance Deployment.

Based on the operation(s) initiated from the Certificates page, the Remint Certificate option might not be enabled until these operations are complete.

After a remint has been initiated, the following Actions are enabled:

  • Generate CSR: If you have selected the I will generate a CSR for each server manually option, you can use this action to generate the CSR. However, if you have selected the Let ZENworks generate a CSR automatically for each server option, you can use this action to override the CSR that was generated by ZENworks. To generate the CSR, select one or more servers, then click Generate CSR from the Actions menu. For more information, see Generating the CSR.

  • Import Certificate: This option is available after a CSR has been generated for the selected server. After the CSR is submitted to the CA and the CA issues a new certificate, you can import the certificate to ZENworks using this action. To import the certificate, select the relevant server, then click Import Certificate from the Actions menu. For more information, see Importing the Certificate.

  • Download CSRs to Zip File: This option is available if multiple servers are selected and CSRs are available for each of these servers. To download the CSRs, select the required servers, then click Download CSRs to Zip File from the Actions menu.

Generating the CSR

This feature enables you to generate Certificate Signing Requests (CSRs) for one or more devices.

When moving to an external CA, a CSR must be generated for each Primary Server or Satellite Server in the Zone. You can generate a CSR automatically for all servers in the zone, or you can generate it manually for each server, one at a time.

The Generate CSR action can be used in the following scenarios:

  • You have selected the I will generate a CSR for each server manually option, but you want to use ZENworks to generate CSRs for one or more devices. In this case, you will need to import the certificate for the device using the Import Certificate action.

  • You have selected the Let ZENworks generate a CSR automatically for each server option in Step 1, but you want to override the CSR for one or more devices. You can use the newly generated CSR to request the future certificate from the CA.

To generate a CSR:

  1. Log into ZENworks Control Center.

  2. Navigate to Configuration > Certificates.

  3. From the ZENworks Server SSL Certificates pane, select one or more servers.

  4. Click Actions > Generate CSR.

  5. Specify the following information:

    • Common Name (CN): The Fully Qualified Domain Name of the ZENworks Primary Server. For example, mail.novell.com. If you have selected multiple servers, this field will not be displayed.

    • Organization (O): Organization name.

    • Organizational Unit (OU): Organizational unit name, such as a department or division.

    • City or Locality (L): City name or location.

    • State or Province (ST): State or province name.

    • Country or Region: Two-letter country code or region. For example, US.

    • Key length: Specify the required key length.

  6. Click OK.

    The CSR is generated and the status of the server is changed to reflect that the CSR is now available to download.

    NOTE:Based on the availability of the servers, it might take a few minutes for the CSR Download option to be enabled.

Importing the Certificate

This feature enables you to import the certificates into ZENworks, after you get the CSR signed by the certificate authority (CA).

To import the certificate:

  1. Click Browse, then select the certificate.

  2. Click OK.

    The selected certificate is imported to the database.

    The supported certificate formats are .pem, .der, and .p7b.

IMPORTANT:Ensure that the managed devices are refreshed after all the Primary Servers’ future certificates are available in the database and also after the subject has been changed for any of the Primary Server certificates. If the devices are not refreshed, communication between the managed devices and the Primary Servers will break.

1.3.3 Canceling a Server Remint

When you initiate a server certificate remint, in the ZENworks SSL Certificates pane, a message is displayed indicating that the Remint Certificate operation has been initiated. This message includes a Cancel button. To cancel a server remint:

  1. Click the Cancel button. A dialog is displayed asking you to confirm that you want to cancel the operation.

  2. After you confirm, a message is displayed indicating the progress of the cancel operation. If the cancel is successful, all the buttons in the Zone Certificate Authority pane are enabled. If the cancel operation fails, a failure message is displayed. You can clear the message and try the Cancel operation again.

    When the cancel completes, the Remint Server Certificate operation is canceled. The Cancel button is disabled ten minutes before the activation time; after that, you cannot cancel the server remint, but you can still cancel the system update for a device using the Ignore Device option on the System Update page.