Regenerating self-signed certificates

BigFix Inventory allows you to regenerate the self-signed certificate and set its Common Name from the BigFix Inventory server.

This option is possible if end users and the BigFix Platform server use the same DNS name to connect to the server.

To create a self-signed certificate with multiple subjects, the certificate must be created manually.

To regenerate self-signed certificates, follow these steps:
  1. BigFix Platform - Check the existing Catalog Download action and the URL that it uses to connect to the BigFix Inventory server. The URL depends on the network configuration of the BigFix Inventory server host.
  2. BigFix Inventory - Follow the procedure mentioned in Step 3: Enabling secure communication.

    Ensure that the Common Name is set to the host name or the IP address, depending on which of them you use to connect to the BigFix Inventory server.

  3. BigFix Inventory - If the selected DNS name is different from the one currently used in Catalog Download, adjust it to match the one you use in the certificate by enforcing the use of the DNS name in Catalog Download. For more information, refer to Configuring servers in separate networks.
  4. BigFix Inventory - Go to Management > Server Settings and, in the Certificate section, use the Download Certificate option to download the certificate.
  5. BigFix Platform - On the BigFix Platform server, copy ca-bundle.crt from <BES Server>\BESReportsServer\wwwroot\SiteData\<Host name>\Sites\BES Support to, for example, C:\Program Files (x86)\BigFix Enterprise\BES Server\TrustedCertificates\ca-bundle.crt.
  6. BigFix Platform - Edit the copied file and add your certificate at the end of it.

  7. BigFix Platform - Set _BESRelay_Download_UntrustedSites to 0 and set _BESRelay_Download_CACertPath to C:\Program Files (x86)\BigFix Enterprise\BES Server\TrustedCertificates\ca-bundle.crt.
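
The checks behind steps 1 to 6, as an added PowerShell example that is not part of the BigFix documentation or tooling: it compares the Common Name of the downloaded certificate with the host in the Catalog Download URL, then appends the certificate to the copied ca-bundle.crt. The URL, the certificate file name and its PEM encoding are assumptions; replace them with your own values.

```powershell
# Added example. The first two values are constructed placeholders.
$CatalogUrl = 'https://bfi.example.test/'        # URL used by the Catalog Download action (step 1)
$CertPath   = 'C:\Temp\bfi-server-cert.pem'      # certificate downloaded in step 4 (hypothetical name)
$BundlePath = 'C:\Program Files (x86)\BigFix Enterprise\BES Server\TrustedCertificates\ca-bundle.crt'

$ErrorActionPreference = 'Stop'

# Host name or IP address that the download actually connects to.
$targetHost = ([uri]$CatalogUrl).Host

# Load the certificate and extract the CN attribute from its subject.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$cn = if ($cert.Subject -match '(?:^|,\s*)CN=([^,]+)') { $Matches[1].Trim() } else { $null }

# No CN: the condition behind "unable to obtain common name from peer certificate".
if (-not $cn) {
    throw "Subject '$($cert.Subject)' has no Common Name; regenerate the certificate (step 2)."
}
# CN differs from the URL host: the condition behind "certificate subject name ... does not match".
if ($cn -ine $targetHost) {
    throw "Common Name '$cn' does not match '$targetHost'; see step 3."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter); regenerate it before trusting it."
}

# Only PEM text can be appended to the bundle.
$pem = (Get-Content -Path $CertPath -Raw).Trim()
if ($pem -notmatch '^-----BEGIN CERTIFICATE-----') {
    throw "$CertPath is not PEM encoded; convert it before appending it to the bundle."
}

# Append once (exact text match), keeping the BEGIN line on a line of its own.
$bundle = Get-Content -Path $BundlePath -Raw
if ($bundle.Contains($pem)) {
    Write-Output 'Certificate is already in the bundle; nothing appended.'
} else {
    $sep = if ($bundle.EndsWith("`n")) { '' } else { "`r`n" }
    Add-Content -Path $BundlePath -Value ($sep + $pem) -Encoding Ascii
    Write-Output "Appended certificate with Common Name '$cn' to $BundlePath"
}
```

Run it from an elevated PowerShell session on the BigFix Platform server, after step 5 has created the copy of ca-bundle.crt.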

Troubleshooting

For the error message:
HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: unable to obtain common name from peer certificate
The certificate used by BigFix Inventory is a self-signed certificate that was preconfigured or regenerated without specifying the Common Name. Follow the steps mentioned above.

For the error message:
HTTP Error 60: SSL peer certificate or SSH remote key was not OK: SSL: certificate subject name 'bfi.acme.com' does not match target host name '10.XXX.YYY.ZZZ'
It means that the Catalog Download action used a DNS name or IP address that is different from the one specified as the Common Name in the certificate. For more information, refer to step 3.