Configuring the root server with a custom CA
All certificates used in communications among BigFix Platform components are issued by Certificate Authorities (CAs) created by the Root Server. These CAs:
- issue a certificate used by the Root Server to satisfy API requests (e.g. requests coming from the Console or from Web Reports)
- issue certificates used in internal communications involving Clients, Relays and the Plugin Portal
- possibly issue certificates used by WebUI and Explorer to communicate with the Root Server.
Using the BigFix Administration tool command named setcustomca, you can install a custom CA in the BigFix Platform and, later on, update the already stored custom CA. When a custom CA is installed:
- a new certificate is created with the custom CA as issuer, and the Root Server is configured to use it to satisfy API requests (e.g. requests coming from the Console or from Web Reports)
- at its next registration, any version 11.0.4 client will request and obtain from the Root Server a certificate issued by the custom CA
- clients of version 11.0.3 (or earlier) will keep using their original certificates issued by the CA created by the Root Server
- version 11.0.4 relays will still communicate with clients of earlier versions, as they store both certificate chains and use the appropriate one depending on the chain used by the connecting client.
To allow Web Reports to communicate with a Root Server configured with a custom CA, you need to copy the custom CA root certificate into the "CustomSSLCertificates" folder of Web Reports.
The custom CA can optionally be used to issue also all the certificates involved in the communications between Root Server and WebUI, and between Root Server and Explorer. To do this, after installing the custom CA, you need to run the BigFix Administration tool commands named rotatewebuicredentials and rotateexplorercredentials with the rotateCA option.
For more details about the setcustomca, rotatewebuicredentials and rotateexplorercredentials commands, see BESAdmin Windows Command Line and BESAdmin Linux Command Line.
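After running setcustomca and copying the root certificate to Web Reports, the checks below confirm that the Root Server's API endpoint now presents a certificate chained to the custom CA and that the copy in the CustomSSLCertificates folder is the same root. This is an added example, not part of the BigFix documentation or product; it assumes the openssl CLI (1.1 or later), the custom CA root certificate as a PEM file, and the API port 52311 (the BigFix default, used here as an assumption).

```shell
#!/bin/sh
# Post-change checks for a Root Server configured with a custom CA.
# Added example, not part of the BigFix documentation or product.
# Assumptions: openssl CLI 1.1 or later is installed, the Root Server is
# reachable on its API port (52311 is the BigFix default, an assumption here),
# and the custom CA root certificate is available as a PEM file (the same file
# that has to be copied into Web Reports' CustomSSLCertificates folder).

# Exit status: 0 = the presented API certificate chains to the custom CA,
# 1 = it does not (setcustomca not applied, or a different CA in use),
# 2 = the check could not run (missing file, missing openssl, host unreachable).
check_root_server_ca() {
    host="$1"; port="${2:-52311}"; ca_file="$3"
    [ -r "$ca_file" ] || { echo "custom CA file not readable: $ca_file" >&2; return 2; }
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    # Reachability first, so a network problem is not reported as a CA mismatch.
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null >/dev/null 2>&1 \
        || { echo "cannot complete a TLS handshake with $host:$port" >&2; return 2; }
    # Trust ONLY the custom CA file (when -CAfile is given, s_client does not
    # load the default store) and make a verification failure abort the handshake.
    if openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$ca_file" -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "OK: $host:$port presents a certificate issued under the custom CA"
        return 0
    fi
    echo "MISMATCH: certificate from $host:$port does not chain to $ca_file" >&2
    return 1
}

# Confirm the copy placed in Web Reports' CustomSSLCertificates folder is the
# same root certificate: compare SHA-256 fingerprints of the two PEM files
# rather than file bytes, so line-ending or header differences do not matter.
same_ca_fingerprint() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Usage (hypothetical host and paths):
#   check_root_server_ca bigfix-root.example.internal 52311 /etc/pki/custom-ca.pem
#   same_ca_fingerprint /etc/pki/custom-ca.pem "<WebReports dir>/CustomSSLCertificates/custom-ca.pem"
```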