How to update the Linux/Unix pinned certificate associated with the FlexNet Inventory Agent
Please verify this is correct and feel free to promote this to a KB if so.
You are utilizing certificates with your FlexNet Manager Suite implementation and encrypting the traffic between your deployed FlexNet Inventory Agents and your FlexNet Beacon servers (traffic over port 443). When the issued certificate expires, the pinned certificate you included in your FlexNet Inventory Agent deployment package to Linux/Unix systems (mgsft_rollout_cert) needs to be updated on every Linux/Unix system (there is no self-updating mechanism).
Update Method #1
Update your mgsft_rollout_cert certificate file with the updated certificate Base64 export (if purchasing external Certificate Authority certs, include the Trusted Root and Intermediate certificates). Reinstall the agent including the updated certificate file mgsft_rollout_cert.
Update Method #2
Update your mgsft_rollout_cert certificate file with the updated certificate Base64 export (if purchasing external Certificate Authority certs, include the Trusted Root and Intermediate certificates). Make a copy of it and rename it cert.pem. On each Linux/Unix system, replace /var/opt/managesoft/etc/ssl/cert.pem with the updated cert.pem.
I wanted to make sure this got on the forum in case others were looking for a way to update FlexNet Inventory Agent certificates without a complete agent reinstall.
Thanks for taking the time to write this up @kyle_wolff! These options look generally good to me, although I think the references to mgsft_rollout_response should instead be mgsft_rollout_cert.
For reference, here are a couple of other pages which talk about working with certificate configuration files for the FlexNet inventory agent on UNIX:
- Agent third-party deployment: Installing FlexNet inventory agent on UNIX, which includes the following tip:
[...] after installation you can simply copy the completed certificate to /var/opt/managesoft/etc/ssl/cert.pem on a device where FlexNet inventory agent is locally installed.
- Agent third-party deployment: HTTPS CA Certificate File Format (UNIX), which includes an example command line illustrating how to produce a base-64 encoded certificate .pem file using the openssl tool.
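For Update Method #2 and the cert.pem tip quoted in the reply, a pre-flight check before overwriting the pinned file, as an added example that is not part of the thread or of Flexera's tooling. Only the /var/opt/managesoft/etc/ssl/cert.pem path comes from the posts; the function names, the 30-day validity threshold and the .bak backup name are assumptions.

```sh
#!/bin/sh
# Added example. Only the target path below comes from the thread; the
# 30-day threshold and the .bak backup name are assumptions.
AGENT_CERT="${AGENT_CERT:-/var/opt/managesoft/etc/ssl/cert.pem}"
MIN_VALID_DAYS="${MIN_VALID_DAYS:-30}"

# check_bundle FILE: succeed only if FILE holds at least one certificate and
# every certificate in it parses and is valid for MIN_VALID_DAYS more days.
check_bundle() {
    bundle=$1
    [ -s "$bundle" ] || { echo "empty or missing: $bundle" >&2; return 1; }
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle into one file per PEM certificate block.
    awk -v d="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/c" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
    rc=0
    set -- "$tmpdir"/c*.pem
    [ -e "$1" ] || { echo "no certificates found in $bundle" >&2; rc=1; }
    for c in "$@"; do
        [ "$rc" -eq 0 ] || break
        # -checkend fails if the cert expires within the given seconds.
        if ! openssl x509 -in "$c" -noout -checkend $((MIN_VALID_DAYS * 86400)) >/dev/null 2>&1; then
            echo "rejected (unparseable or expiring soon):" >&2
            openssl x509 -in "$c" -noout -subject -enddate >&2 2>/dev/null || true
            rc=1
        fi
    done
    rm -rf "$tmpdir"
    return "$rc"
}

# install_bundle FILE: validate, back up the current pinned cert, then swap
# the new one in with a rename so the agent never reads a partial file.
install_bundle() {
    check_bundle "$1" || return 1
    new="$AGENT_CERT.new.$$"
    if [ -f "$AGENT_CERT" ]; then
        cp -p "$AGENT_CERT" "$AGENT_CERT.bak" || return 1
        cp -p "$AGENT_CERT" "$new" || return 1   # inherit owner and mode
    fi
    cat "$1" > "$new" && mv -f "$new" "$AGENT_CERT"
}

if [ "$#" -gt 0 ]; then install_bundle "$1"; fi
```

Run it with the new bundle as the only argument; a rejected bundle leaves the existing cert.pem untouched.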