The following steps should allow the configuration of trusted certificates for use with the above managed devices:
- Obtain a copy of all root Certificate Authority (CA) certificates
that are used by your HTTPS web servers. For most organisations, this
will be a single certificate. The certificate should be saved using
the PEM format.
- A PEM format certificate is base-64 encoded plain text
surrounded by a "BEGIN CERTIFICATE" header and an "END CERTIFICATE"
footer, for example:
-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR
MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1
......
wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv
c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl
-----END CERTIFICATE-----
- The collection of one or more root CA certificates should be concatenated
together into a single file.
- Copy this root CA certificate file as "/var/tmp/mgsft_rollout_cert" before
installing the Managed Devices client.
- During installation of the client, the "/var/tmp/mgsft_rollout_cert" file
will be copied to "/var/opt/managesoft/etc/ssl/cert.pem".
- If the Managed Devices client is already installed, then the certificate
file may be directly copied to "/var/opt/managesoft/etc/ssl/cert.pem".
- Ensure that all CA certificates within a certificate chain up to the
root CA include a reference to a downloadable Certificate Revocation
List (CRL). The reference to the CRL must be described using the X509v3
extensions "X509v3 CRL Distribution Points". The CRL must be downloadable
using the HTTP protocol and must be in DER format (a binary file).
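As an added example (not part of the original article), a small Python check to run on the concatenated bundle before copying it to "/var/tmp/mgsft_rollout_cert": it counts the PEM blocks, loads them with the standard-library ssl module (which rejects a malformed block and reports only certificates marked as a CA), and lists the plain-HTTP CRL Distribution Point URIs each CA carries. The sample bundle text and the crl.example.test hostname are constructed placeholders, not real certificate data.

```python
"""Sanity-check a concatenated PEM root-CA bundle for the Managed Devices client."""
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

# Constructed placeholder, NOT a real certificate: only used to show the splitting step.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nMIIDiTCCAnGg\nAwIBAgIQWO\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBzzCCAXWg\n-----END CERTIFICATE-----\n")


def split_pem_bundle(text):
    """Return the base-64 body of every certificate block, whitespace removed."""
    return [re.sub(r"\s+", "", body) for body in PEM_BLOCK.findall(text)]


def http_crl_points(cert_info):
    """Keep only CRL Distribution Points the client can use: plain http:// URIs."""
    points = cert_info.get("crlDistributionPoints", ())
    return [uri for uri in points if uri.lower().startswith("http://")]


def audit_bundle(text):
    """Load the bundle and report (commonName, usable CRL URIs) per CA certificate.

    A context created directly (not via create_default_context) starts with no
    trust store, so get_ca_certs() returns only what the bundle contains.
    Raises ssl.SSLError if any block is not a valid certificate.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=text)
    report = []
    for info in ctx.get_ca_certs():
        # subject is a tuple of RDNs, each a tuple of (type, value) pairs
        cn = dict(rdn[0] for rdn in info["subject"]).get("commonName", "?")
        report.append((cn, http_crl_points(info)))
    return report


if __name__ == "__main__":
    bundle = open(sys.argv[1], encoding="ascii").read()
    print(f"{len(split_pem_bundle(bundle))} PEM block(s) found")
    for cn, uris in audit_bundle(bundle):
        status = "OK" if uris else "MISSING HTTP CRL DP"
        print(f"{cn}: {status} {uris}")
```

Any CA that prints MISSING HTTP CRL DP will not satisfy the revocation check described above; a certificate in the bundle without CA:TRUE is silently dropped by get_ca_certs() and should be removed from the file.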
Additional configuration options:
CheckServerCertificate - Check the server certificate's existence, name,
validity period, and issuance by a trusted certificate authority (CA).
This can be configured using "MGSFT_HTTPS_CHECKSERVERCERTIFICATE" with
"true" or "false" in the mgsft_rollout_response file.
This setting lives under the [ManageSoft\Common] section as
CheckServerCertificate in "/var/opt/managesoft/etc/config.ini".
CheckCertificateRevocation - Additionally check that the server certificate
has not been revoked. Already supported on Windows.
This can be configured using "MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION"
with "true" or "false" in the mgsft_rollout_response file.
This setting lives under the [ManageSoft\Common] section as
CheckCertificateRevocation in "/var/opt/managesoft/etc/config.ini".
Additional information on configuring SSL certificates for Windows and other Managed Devices can be found in the Preferences for Managed Devices Guide.
Mar 08, 2013 04:57 AM