Your certificate signing request (CSR) must be signed by a certificate
authority (CA) to be transformed into a certificate that can be uploaded
to BigFix Inventory. You can use the OpenSSL cryptographic library to
create a private CA and sign your request.
Before you begin
Using a private CA is not the only way to sign your request. You can
also send the request to internationally trusted CAs, such as Entrust,
VeriSign, and so on, or use the CA of your organization. The certificates
of these CAs are often trusted by default and do not display any warnings
in the browser. Warnings might be displayed if you use a private CA.
Procedure
- Create a private certificate authority (CA) and a certificate for it.
  - Create a private CA. This step creates a private key (.key) and a request (.csr) similar to those that you created in Creating private keys and certificates.
    openssl req -new -newkey rsa:key_strength -nodes -out CA_csr_name.csr -keyout CA_key_name.key -sha256
    For example,
    openssl req -new -newkey rsa:2048 -nodes -out CA_CSR.csr -keyout CA_private_key.key -sha256
    Where:
    - key_strength: Key strength, measured in bits. The maximum value that you can use for BigFix Inventory is 2048 bits.
    - CA_csr_name: File name for the certificate signing request (CSR). The certificate authority (CA) requires a separate request.
    - CA_key_name: File name for the private key. The certificate authority (CA) requires a separate private key.
  - Create a certificate for your private CA. This step creates a certificate (.arm) that you can use to sign your CSR.
    openssl x509 -signkey path_to_CA_key.key -days number_of_days -req -in path_to_CA_csr.csr -out CA_certificate_name.arm -sha256
    For example,
    openssl x509 -signkey CA_private_key.key -days 90 -req -in CA_CSR.csr -out CA_certificate.arm -sha256
    Where:
    - key_strength: Key strength, measured in bits. The maximum value that you can use for BigFix Inventory is 2048 bits.
    - path_to_CA_csr: File name for the certificate signing request (CSR) that you created for the certificate authority (CA).
    - path_to_CA_key: File name for the private key that you created for the certificate authority (CA).
    - number_of_days: Number of days for the new certificate to be valid.
    - CA_certificate_name: File name for the certificate of your CA. This certificate is used to sign your CSR.
- Use the CA certificate to sign the certificate signing request that you created in Creating private keys and certificates.
  openssl x509 -req -days number_of_days -in path_to_csr.csr -CA path_to_CA_certificate.arm -CAkey path_to_CA_key.key -out new_certificate.arm -set_serial 01 -sha256
  For example,
  openssl x509 -req -days 90 -in CSR.csr -CA CA_certificate.arm -CAkey CA_private_key.key -out certificate.arm -set_serial 01 -sha256
  Where:
  - number_of_days: Number of days for the new certificate to be valid.
  - path_to_csr: Path to certificate signing request (CSR) that you want to sign.
  - path_to_CA_certificate: Path to certificate that you created for the certificate authority (CA).
  - path_to_CA_key: Path to the private key that you created for the certificate authority (CA).
  - new_certificate: File name for the new certificate that is created from your certificate signing request (CSR). You upload this certificate together with your private key to BigFix Inventory.
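The whole procedure as one non-interactive script, with two checks on the result before upload: that the new certificate names the private CA as its issuer, and that it matches the private key it will be uploaded with. This is an added example, not part of the product documentation. The -subj values and the stand-in key and CSR are constructed, the function names are hypothetical, and the file names follow the examples above.

```shell
#!/bin/sh
# Added example (not from the product documentation). Subject names are
# constructed; function names are hypothetical; file names follow the page.

# sign_with_private_ca DIR: run the procedure in DIR; returns 0 on success.
sign_with_private_ca() {
    dir=$1
    mkdir -p "$dir" || return 1
    # Step 1a: CA private key and CSR (-subj avoids the interactive prompts).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Private CA" \
        -out "$dir/CA_CSR.csr" -keyout "$dir/CA_private_key.key" -sha256 \
        2>/dev/null || return 1
    # Step 1b: self-signed CA certificate.
    openssl x509 -signkey "$dir/CA_private_key.key" -days 90 -req \
        -in "$dir/CA_CSR.csr" -out "$dir/CA_certificate.arm" -sha256 \
        2>/dev/null || return 1
    # Constructed stand-in for the key and CSR from the earlier topic.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=inventory.example.test" \
        -out "$dir/CSR.csr" -keyout "$dir/private_key.key" -sha256 \
        2>/dev/null || return 1
    # Step 2: sign the CSR with the CA certificate and CA key.
    openssl x509 -req -days 90 -in "$dir/CSR.csr" -CA "$dir/CA_certificate.arm" \
        -CAkey "$dir/CA_private_key.key" -out "$dir/certificate.arm" \
        -set_serial 01 -sha256 2>/dev/null || return 1
    # Private keys should be readable by their owner only.
    chmod 600 "$dir/CA_private_key.key" "$dir/private_key.key"
}

# issued_by_ca DIR: the new certificate's issuer is the CA certificate's subject.
issued_by_ca() {
    issuer=$(openssl x509 -in "$1/certificate.arm" -noout -issuer | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$1/CA_certificate.arm" -noout -subject | sed 's/^subject= *//')
    [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# key_matches_cert DIR: the certificate carries the public half of
# private_key.key, so the pair can be uploaded together.
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1/certificate.arm" -noout -modulus)
    key_mod=$(openssl rsa -in "$1/private_key.key" -noout -modulus 2>/dev/null)
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: d=$(mktemp -d) && sign_with_private_ca "$d" && issued_by_ca "$d" && key_matches_cert "$d"
```

A modulus mismatch means the certificate was issued for a different key than the one being uploaded.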
Results
You signed your certificate signing request and obtained a new certificate.
What to do next
Enable encrypted communication in BigFix Inventory and upload
your private key and the certificate. These files replace the self-signed certificate that is
already available in BigFix Inventory, and thus ensure secure
communication. For more information, see: Step 3: Enabling secure communication.