Configuring the root server with a custom CA

All certificates used in communications among BigFix Platform components are issued by Certificate Authorities (CAs) created by the Root Server.

Starting from BigFix Platform Version 11.0.4, you can configure the Root Server with a custom CA that is used to:
  • issue the certificate that the Root Server uses to satisfy API requests (e.g. requests coming from the Console or from Web Reports)
  • issue the certificates used in internal communications involving Clients, Relays and Plugin Portal
  • optionally, issue the certificates used by WebUI and Explorer to communicate with the Root Server.

Using the BigFix Administration tool command named setcustomca, you can install a custom CA in the BigFix Platform and, later on, update the custom CA that is already stored.

After installing a custom CA in the BigFix Platform, the following happens:
  • a new certificate is created with the custom CA as issuer, and the Root Server is configured to use it to satisfy API requests (e.g. requests coming from the Console or from Web Reports)
  • at its next registration, any client of version 11.0.4 requests and obtains from the Root Server a certificate issued by the custom CA
  • clients of version 11.0.3 (or earlier) continue to use their original certificates issued by the CA created by the Root Server
  • relays of version 11.0.4 can still communicate with clients of earlier versions, because they store both certificate chains and use the most appropriate one depending on the chain used by the connecting client.

To allow Web Reports to communicate with a Root Server configured with a custom CA, you need to copy the custom CA root certificate into the "CustomSSLCertificates" folder of Web Reports.
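Because certificates from both chains coexist after the custom CA is installed, it helps to confirm which root a given certificate chains to, for example that the root certificate you are about to copy for Web Reports is the one that verifies the Root Server's API certificate. The following is an added example, not part of the BigFix documentation or tooling; it assumes the OpenSSL command-line tool is installed, and all file names, the host and the port are placeholders supplied by the operator.

```shell
#!/bin/sh
# Added example. File names, host and port are operator-supplied placeholders;
# nothing here is a BigFix path or a BESAdmin option.

# fetch_leaf HOST PORT
# Prints, as PEM, the leaf certificate that a TLS endpoint presents.
fetch_leaf() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# chains_to LEAF_PEM ROOT_PEM [INTERMEDIATES_PEM]
# Succeeds only if LEAF_PEM verifies against ROOT_PEM. -no-CApath keeps the
# system trust directory out of the decision. Intermediates, if any, are
# passed as untrusted helpers for path building only.
chains_to() {
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$2" -untrusted "$3" "$1"
    else
        openssl verify -no-CApath -CAfile "$2" "$1"
    fi >/dev/null 2>&1
}

# classify_cert LEAF_PEM CUSTOM_ROOT_PEM ORIGINAL_ROOT_PEM [INTERMEDIATES_PEM]
# Prints "custom" if the leaf chains to the custom CA root, "original" if it
# chains to the CA created by the Root Server, and "unknown" otherwise
# (an expired or malformed certificate also reports "unknown").
classify_cert() {
    if chains_to "$1" "$2" "${4:-}"; then
        echo custom
    elif chains_to "$1" "$3" "${4:-}"; then
        echo original
    else
        echo unknown
    fi
}

# Stand-alone use:
#   classify.sh LEAF_PEM CUSTOM_ROOT_PEM ORIGINAL_ROOT_PEM [INTERMEDIATES_PEM]
if [ "$#" -ge 3 ]; then
    classify_cert "$@"
fi
```

To check the certificate the Root Server presents for API requests, save the output of fetch_leaf for its host and port to a file and pass that file as LEAF_PEM.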

The custom CA can optionally also be used to issue all the certificates involved in the communications between Root Server and WebUI, and between Root Server and Explorer. To do this, after installing the custom CA, run the BigFix Administration tool commands named rotatewebuicredentials and rotateexplorercredentials with the rotateCA option.

For more details about the setcustomca, rotatewebuicredentials and rotateexplorercredentials commands, see BESAdmin Windows Command Line and BESAdmin Linux Command Line.