4.0 Creating an External Certificate

ZENworks Primary Servers communicate with ZENworks managed devices using the HTTPS protocol. This secure communication requires that the ZENworks Management Zone have a defined Certificate Authority (CA) and that each Primary Server have its own server certificate issued by the zone's CA.

ZENworks includes an internal ZENworks CA. If you use the internal ZENworks CA, it is created during installation of the first Primary Server. Each subsequent Primary Server you install is issued a certificate signed by the ZENworks CA.

We recommend that you use the internal ZENworks CA unless your corporate security policies do not allow you to do so. The internal ZENworks CA lasts 10 years and simplifies use of various ZENworks features such as Remote Management.

The following are the acceptable formats for Root certificate and Server certificate with Private Key:

  • Root certificate: The top-level certificate in the certificate tree issued by the CA that signed the Server certificate and any intermediate certificate chains. It supports the .pem, .crt, .cer, .der, .p7b, or .p7c file format.

  • Server certificate:It is a signed certificate that is used for the ZENworks server. It supports the .pem, .crt, .cer, .der, .p7b, or .p7c file format.

  • Private key: The private key file that is associated with the signed server certificate. It supports the .der file format.

You can convert your certificate or key to ZENworks acceptable formats using the openssl command line tool (available as part of most Linux distributions or as part of the cygwin tool set).

For example, convert your PEM encoded private key to DER encoded thusly:

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out key.der -outform DER

PEM encoded certificate to DER encoded thusly:

openssl x509 -in cert.pem -inform PEM -out cert.der -outform DER

NOTE:

  • If it is an intermediate CA, you need to provide the complete chain. ZENworks will use the root CA in the chain as the future CA. The top-level should consist of a root certificate, which is signed by the Root CA, followed by the intermediate certificates, and then the Leaf certificate (server certificate).

  • If it is an intermediate CA, you need to provide the complete chain. ZENworks will use the root CA in the chain as the future CA. The chain should begin with the server certificate, the intermediate or subordinate certificate authority and then root ca.

  • The supported certificate formats are .der, .cer, .crt, .p7b, .pem, .cert

  • If you plan to configure Kafka or Vertica in your zone, then ensure that two-way SSL is enabled for the server certificate issued by an external CA. For more information on Kafka or Vertica, see ZENworks Vertica Guide.

See the following sections for detailed instructions on using external certificates: