Summary
This KB article deals with: How to configure Unix-based (AIX, HP-UX, Linux, MacOS, Solaris) Managed Devices to communicate over HTTPS (SSL/TLS).
Synopsis
In some instances it is required to allow Unix-based systems (AIX, HP-UX, Linux, MacOS, Solaris) to communicate over HTTPS (SSL/TLS) using a certificate when uploading and downloading inventory and policies, among other actions.
Discussion
The following steps should allow the configuration of trusted certificates for use with the above managed devices:
- Obtain a copy of all root Certificate Authority (CA) certificates
that are used by your HTTPS web servers. For most organisations, this
will be a single certificate. The certificate should be saved using
the PEM format.
- The PEM format certificates should be base-64 encoded plain text
surrounded by a "BEGIN CERTIFICATE" header and an "END CERTIFICATE"
footer. For example:
-----BEGIN CERTIFICATE-----
MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR
MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1
......
wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv
c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl
-----END CERTIFICATE-----
- The collection of one or more root CA certificates should be concatenated
together into a single file.
- Copy this root CA certificate file as "/var/tmp/mgsft_rollout_cert" before
installing the Managed Devices client.
- During installation of the client, the "/var/tmp/mgsft_rollout_cert" file
will be copied to "/var/opt/managesoft/etc/ssl/cert.pem".
- If the Managed Devices client is already installed, then the certificate
file may be directly copied to "/var/opt/managesoft/etc/ssl/cert.pem".
- Ensure that all CA certificates within a certificate chain up to the
root CA include a reference to a downloadable Certificate Revocation
List (CRL). The reference to the CRL must be described using the X509v3
extensions "X509v3 CRL Distribution Points". The CRL must be downloadable
using the HTTP protocol and must be in DER format (a binary file).
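The steps above can be checked before staging the file. The following is an added example, not vendor code: it concatenates the root CA files into one bundle and reports, per certificate, whether the "X509v3 CRL Distribution Points" extension lists an http:// URI. It assumes the OpenSSL command-line tool is installed; the function names, the input file names and ./ca_bundle.pem are this example's own.

```shell
#!/bin/sh
# Added example (not vendor code). Assumes the OpenSSL CLI is installed.
STAGE=/var/tmp/mgsft_rollout_cert   # staging path named in the article

# build_bundle OUT IN... : concatenate only the certificate blocks of each input.
build_bundle() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
            { echo "not a PEM certificate: $f" >&2; return 1; }
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$out"
    done
}

# has_http_crl_dp : reads `openssl x509 -text` output on stdin; succeeds only if
# the "X509v3 CRL Distribution Points" extension itself lists an http:// URI
# (an http:// URI under Authority Information Access does not count).
has_http_crl_dp() {
    awk '/X509v3 CRL Distribution Points/ { in_dp = 1; next }
         in_dp && match($0, /[^ ]/) && RSTART <= 13 { in_dp = 0 }  # next extension
         in_dp && /URI:http:\/\// { ok = 1 }
         END { exit !ok }'
}

# check_bundle PEMFILE : split the bundle and report each certificate.
check_bundle() {
    tmp=$(mktemp -d) || return 1
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert" n ".pem") }' "$1"
    rc=0
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || { echo "no certificates in $1" >&2; rc=1; break; }
        subj=$(openssl x509 -in "$c" -noout -subject) || { rc=1; continue; }
        if openssl x509 -in "$c" -noout -text | has_http_crl_dp; then
            echo "OK   $subj"
        else
            echo "MISSING HTTP CRL DP: $subj"; rc=1
        fi
    done
    rm -rf "$tmp"
    return $rc
}

# Usage: sh thisfile.sh root1.pem [root2.pem ...]   (input names are hypothetical)
if [ $# -gt 0 ]; then
    build_bundle ./ca_bundle.pem "$@" && check_bundle ./ca_bundle.pem &&
        echo "bundle ready; copy ./ca_bundle.pem to $STAGE before installing the client"
fi
```

The same check_bundle function can be pointed at any PEM file holding the intermediate CA certificates of the chain.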
Additional configuration options:
- CheckServerCertificate - Check the server certificate's existence, name,
validity period, and issuance by a trusted certificate authority (CA).
This can be configured using "MGSFT_HTTPS_CHECKSERVERCERTIFICATE" with
"true" or "false" in the mgsft_rollout_response file.
This setting lives under the [ManageSoft\Common] section as
CheckServerCertificate in "/var/opt/managesoft/etc/config.ini".
- CheckCertificateRevocation - Additionally check that the server certificate
has not been revoked. Already supported on Windows.
This can be configured using "MGSFT_HTTPS_CHECKCERTIFICATEREVOCATION"
with "true" or "false" in the mgsft_rollout_response file.
This setting lives under the [ManageSoft\Common] section as
CheckCertificateRevocation in "/var/opt/managesoft/etc/config.ini".
Additional Information
Additional information on configuring SSL certificates for Windows and other Managed Devices can be found in the Preferences for Managed Devices Guide.