When you install ZENworks Configuration Management for the first time, you are prompted to either create an internal Certificate Authority (CA) or provide the appropriate certificate information for an external CA. Based on how the certificate authority is initially installed and configured for ZENworks, the Certificates page will display the active certificate authority (CA). The active CA can be either internal or external.
Internal Certificate Authority: Certificates are issued by a ZENworks server that is assigned the role of certificate authority.
External Certificate Authority: Certificates are issued by an external server. The external server certificate can be issued by a subordinate CA or a root CA. ZENworks supports the use of wildcard certificates.
This section provides information about the current Certificate Authority and it also provides information about the various operations that can be performed on the CA:
Internal certificates are issued by a ZENworks server that has the CA role. ZENworks enables you to perform the following operations for an Internal CA:
Move CA Role: When using an internal CA, the CA role is given to the first server that you have installed in the zone. This is listed as the Certificate Server. Using the Move Certificate Authority feature, you can move the CA role from one Primary Server to another Primary Server. For more information, see Section 1.2.6, Moving the CA Role.
Change CA: To change from an internal CA to another internal or external CA, or from an external CA to another external or internal CA. For more information, see Section 1.2.4, Changing the Certificate Authority.
Backup CA: To backup the certificate authority. For more information, see Section 1.2.7, Taking a Backup of the Certificate Authority.
Restore CA: To restore the backed up certificate authority. For more information, see Section 1.2.8, Restoring the Certificate Authority.
Remint CA: To remint the internal certificate authority. For more information, see Section 1.2.9, Reminting the Certificate Authority.
External certificates are issued by an external certificate authority (CA), for example, Verisign. Using ZENworks Control Center, you can change the current external CA to another external or internal CA. For more information, see Changing the Certificate Authority.
NOTE:It is recommended that you remint the certificate before it expires.
If you are using Vertica as the database, then to secure the Kafka cluster, ensure that two-way SSL is enabled.
To view the certificate details, in the Zone Certificate Authority pane of the Certificates page, click the View Certificate button, the following information is displayed:
Subject: The CA server to whom the certificate is issued.
Issued by: The CA that issued the certificate.
Valid from: The date and time from which the certificate is valid.
Expires: The date and time at which the certificate will expire.
Key length: The key length that was used to create the certificate.
MD5 Fingerprint: The MD5 digest of the certificate data.
SHA1 Fingerprint: The SHA1 digest of the certificate data.
Certificate Status: Indicates whether the certificate is valid or has expired.
This feature enables you to change the current certificate authority (CA) to another internal or external CA.
Using this feature, you can either change the existing external CA to an internal CA or you can change the existing internal CA to another internal CA.
When you change the CA, the Primary Server and Authentication Satellite Server certificates will get reminted automatically.
To change the CA to Internal:
In the Zone Certificate Authority pane, click the Change CA button.
In the Change Certificate Authority dialog box, confirm that you want to change the CA by selecting Yes, I want to change the certificate authority. The remaining fields are then activated.
From the drop-down list, select Change to internal certificate authority.
Specify the following information, and click Next:
Certificate server: Browse and select the Primary Server, which must be the new CA.
Subject: Specify a subject name for the CA. By default, the zone name is displayed.
Key Length: Specify the key length.
Valid for (years): Specify the number of years for which the certificate should be valid. Specify a value between 1 to 10.
Click Next.
Specify the Certificate activation date and time. As a part of certificate activation, the new certificates will be effective and from then onwards, the old certificates will not be used for communication between devices.
Select an appropriate certificate activation date. Three dates should be considered, the remint initiation date, the activation date, and the certificate expiry date. There should be enough time between the remint initiation date and the activation date to allow all the devices in the zone to apply the certificate remint system update. There should also be enough time between the activation date and the expiry date to facilitate troubleshooting of unexpected issues, if any.
For more information on certificate activation for mobile devices, see Additional Information on Remint CA and Change CA process for Mobile Devices.
IMPORTANT:Changing certificates in the zone is a critical process, and should be allowed plenty of time to ensure everything works right. If less time is allowed for the process to complete, there is a possibility that communication between the ZENworks agents and servers could be lost.
In such as scenario, you will need to run the standalone Certificate Remint Tool. This tool will be available for download on all the Primary Servers after the update is created and assigned, and it will be available in the following location: http://<ip of primary server>:<port>/zenworks-setup. The standalone Certificate Remint tool will not be available when the certificate update is baselined and deleted. Hence, you should download the tool in advance so that it is available when needed.
If the CA has already expired, the activation time will be labeled as Immediate and you need to run the Certificate Remint Tool on all the devices. On the new CA server, the Certificate Remint Tool will be launched automatically.
Click Finish.
A message is displayed in the Zone Certificate Authority pane indicating that the Change CA operation has been initiated. As part of the Change CA process, ZENworks will create a system update and the content of the system update will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. The CRT will be created on the new CA server. On other Primary Servers, it will be created only after the SU is assigned, to ensure that the content is replicated.You can click the current replication status link to view the list of servers along and their respective content replication statuses. After the replication is complete, the system update will be automatically assigned to all devices in the zone.At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link even though the content is not replicated to all content servers. The system update will get assigned to all devices in the zone. For successful completion, we recommend that you ensure the content is available on the content servers before assigning the system update.
If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.
IMPORTANT:As soon as the SU is assigned, the CRT will run on the new CA server, automatically. You need to remint the certificate on that server first and then all other Primary Servers should be reminted and after that the other devices, in any order.
The system update status for the Primary Servers and Authentication Satellite Servers can be viewed in the ZENworks Server SSL Certificate panel. The future certificate for these servers can be viewed from the Options column. The system update status for the other devices can be tracked from the System Updates page.
Using this feature, you can change the existing internal CA to an external CA, renew the same external CA, or you can change the existing external CA to a new external CA.
NOTE:With the exception of generating CSR for the Primary Server as mentioned in Step 6, the procedure detailed in this section is the same for wildcard and non-wildcard certificates.
To change the existing CA to External:
In the Zone Certificate Authority pane, click the Change CA button.
In the Change Certificate Authority dialog box, confirm that you want to change the CA by selecting Yes, I want to change the certificate authority. The remaining fields are then activated.
From the drop-down list, select Change to external certificate authority.
Click Browse to select and upload the trusted root certificate provided by the external CA.
NOTE:
If it is an intermediate CA, you need to provide the complete chain. ZENworks will use the root CA in the chain as the future CA. The chain should begin with the server certificate, the intermediate or subordinate certificate authority and then root ca.
The supported certificate formats are .der, .cer, .crt, .p7b, .pem, .cert
IMPORTANT:To avoid or resolve this issue when changing to an intermediate CA, see Security policies and security settings fail after changing zone to intermediate CA in the ZENworks 2020 Troubleshooting Policy Deployment reference.
Click Next. The Generate CSR screen is displayed.
Select how you want to generate the CSR for each server:
I will generate a CSR for each server manually: If you want to generate the CSR for each server manually, click Next and go to Step 7.
NOTE:If you want to use external wildcard certificates for any of the Primary Servers, then you need to use this option and generate the CSR using any external tool such as Open SSL. ZENworks does not support the generation of CSR for wildcard certificates. For more information, see Generating a Certificate Signing Request (CSR).
Let ZENworks generate a CSR automatically for each server: If you want ZENworks to generate the CSR for all servers automatically, specify the following information and click Next:
Organization: Organization name
Organization Unit: Organizational unit name, such as a department or division
City/Locality: City name or location
State/Province: State or province name
Country/region: Country or region
Key Length: Specify the key length
Include any additional DNS names for each server: Select this option if you want the additional DNS names configured for the servers to be part of the Subject Alternative Name of their respective certificates.
NOTE:The additional DNS names for a device can be configured by selecting the Settings tab of the Primary Server.
Specify the Certificate activation date and time.
Select an appropriate certificate activation date. Three dates should be considered, the remint initiation date, the activation date, and the certificate expiry date. There should be enough time between the remint initiation date and the activation date to allow all the devices in the zone to apply the certificate remint system update. There should also be enough time between the activation date and the expiry date to facilitate troubleshooting of unexpected issues, if any.
For more information on certificate activation for mobile devices, see Additional Information on Remint CA and Change CA process for Mobile Devices.
IMPORTANT:If the certificate activation time passes before the system update is applied on the devices, these devices will not be able to communicate with the Primary Servers on which the new certificate has already been activated. You will then need to run the standalone Certificate Remint Tool on these devices. The standalone Certificate Remint tool (CRT) will not be available when the certificate remint update is baselined and deleted. Hence, you should download the tool in advance, before the update is baselined, so that it is available when needed.
If the CA has already expired, the activation time will be labeled as Immediate, and you will need to run the Certificate Remint Tool on all the devices, except the server on which the remint was initiated. On this server, the Certificate Remint Tool will be launched automatically.
IMPORTANT:As soon as the SU is assigned, the CRT will run on the new CA server automatically. You need to remint the certificate on that server first and then all other Primary Servers should be reminted and after that the other devices in any order.
Click Finish.
A message is displayed in the Zone Certificate Authority pane indicating that the Change CA operation has been initiated. As part of the Change CA process, ZENworks will create a system update whose content will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. The Certificate Remint Tool (CRT) will be created on the server on which the remint operation was initiated. On other Primary Servers, it will be created only after the SU is assigned, to ensure that the content is replicated.You can click the current replication status link to view the list of servers along and their respective content replication statuses. After the replication is complete, the system update will be automatically assigned to all devices in the zone.
At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link. This is useful if some of the content servers cannot replicate content due to various reasons.The system update will get assigned to all devices in the zone, ignoring the system update stages, if any, in the zone. For successful completion, we recommend that you ensure the content is available on the content servers before assigning the system update.
NOTE:If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.
The system update status for the Primary Servers and Authentication Satellite Servers can be viewed in the ZENworks Server SSL Certificates panel. The Options column will enable you to download the CSRs, if any, and also view the future certificates. The system update status for the other devices can be tracked from the System Updates page.
If you selected the I will generate a CSR for each server manually option in Step 6, you need to generate the certificates for the Primary Servers and Authentication Satellite Servers manually. The certificate (the complete certificate chain) and the private key must then be placed in the remint repository folder of each of these servers:
On Windows: %zenworks_home%\remint-repo
On Linux: /opt/novell/zenworks/remint-repo
The file name has to be server and the extension can have the .der, .cer, .crt, .p7b, .pem, .cert extensions.The certificate can be der or pem encoded. The private key file name should be key.der.
If you selected the Let ZENworks generate a CSR automatically for each server option, you have to download the CSR for each server, get them signed by the CA, and import the future certificates using the Import Certificate action.
The activator will check the server certificate in the database and if it is imported into the database, it will serialize the server certificate as server.cer and place it in the remint repository:
On Windows: %zenworks_home%\remint-repo
On Linux: /opt/novell/zenworks/remint-repo
The CA certificate will be serialized in the same directory while applying the system update as ca.cert.
NOTE:The Generate CSR action can be used in the following scenarios:
You selected the I will generate a CSR for each server manually option in Step 6, but you want to use ZENworks to generate CSRs for one or more devices. In this case, you will need to import the certificate for the device using the Import Certificate action.
You selected the Let ZENworks generate a CSR automatically for each server option in Step 6, but you want to override the CSR for one or more devices. You can then use the newly generated CSR to request the future certificate from the CA.
To generate CSRs, select one or more servers, then click Generate CSR from the Actions menu. For more information, see Generating the CSR.
IMPORTANT:Ensure that the managed devices are refreshed after all the Primary Servers’ future certificates are available in the database and also after the subject has been changed for any of the Primary Server certificates. If the devices are not refreshed, communication between the managed devices and the Primary Servers will break.
When you initiate a Change CA, in the Zone Certificate Authority pane, a message is displayed indicating that the Change CA operation has been initiated. This message includes a Cancel button. To cancel the Change CA operation:
Click the Cancel button. A dialog is displayed asking you to confirm that you want to cancel the operation.
After you confirm, a message is displayed indicating the progress of the cancel operation. If the cancel is successful, all the buttons in the Zone Certificate Authority pane are enabled. If the cancel operation fails, a failure message is displayed. You can clear the message and try the Cancel operation again.
The Change CA operation is canceled successfully. The Cancel button will be disabled ten minutes before the activation time.
When hardware has to be upgraded, or when its approaching end-of-life, or for various other reasons, you may need to select a new certificate authority for the zone. To move the certificate authority, you must select a new Primary Server that will serve as the certificate authority, henceforth, for the zone.
To move the certificate:
Click Configuration > Certificates.
Click the Move CA Role button.
In the Move Certificate Authority dialog, click the browse icon to select the Primary Server, which must be the new CA.
Select the required server from the list of Primary Servers.
Click OK.
The Certificate server field in the Zone Certificate Authority panel will reflect the selected server as the new CA.
Using the Backup CA feature you can backup the internal certificate authority for ZENworks.
To backup the internal CA certificate:
In the Zone Certificate Authority pane. click Backup CA.
Specify a Passphrase.
This passphrase is required when you want to perform a restore. The passphrase should contain at least 10 characters.
Re-type the passphrase in the Confirm field.
Click OK.
A zip file will be downloaded to the browser’s default download directory or the user will be prompted to save the zip file in a particular directory.
Using the Restore CA feature you can restore the internal certificate authority for ZENworks on to the same server from where you have created a backup or on to another server.
To restore the internal CA certificate:
In the Zone Certificate Authority pane, click Restore CA.
Click Browse to navigate to the backup file, then select it.
Click the browse icon to select the Primary Server to which you want to restore the backed up CA.
After the CA is restored, the server will be assigned the CA role.
If the CA was restored on the server that was used to backup the file, then the CA role will be assigned to the same server. However, if you selected a new server to restore the CA, the role will be moved to the new server.
Specify the Passphrase that was used while creating the backup.
Click OK.
The Certificate server field in the Zone Certificate Authority panel will now reflect the chosen server as the new CA.
If the certificate authority certificate expires, devices will be unable to establish an SSL connection to the server. It is important that before this occurs, you renew or remint the internal CA certificate and distribute this certificate to your managed devices.
IMPORTANT:Before initiating the CA remint, you need to ensure that the Primary Servers and the SSL-enabled Satellite Servers are at the same version.
When you remint the CA, the Primary Server and Authentication Satellite Server certificates will get reminted automatically. You need to ensure that the IP or the DNS of the Satellite Servers are not changed after the CA remint and before the activation of the CA.
In the case of an internal CA, one of the Primary Servers in the zone will have the CA role. The certificates for all Primary Servers will be issued by the CA Server.
To remint the internal CA certificate:
In the Zone Certificate Authority pane, click Remint CA.
Confirm that you want to remint the CA by selecting Yes, I want to remint the certificate authority. The remaining fields are activated.
Specify the following information:
Common name: Specify a common name for the CA. By default, the zone name is displayed.
Key length: Specify the key length.
Valid for (years): Specify the number of years for which the certificate should be valid. Specify a value between 1 to 10. For MDM Servers, to ensure communication with iOS and Mac devices, the certificate validity duration should not exceed 2 years.
Select Include any additional DNS names for each server, if you want the additional DNS names configured for the servers to be part of the Subject Alternative Name of their respective certificates.
NOTE:The additional DNS names for a device can be configured by selecting the Settings tab of the device.
Specify the Certificate activation date and time.
You can select any date that is prior to the expiration of the current CA. Ensure that you include adequate time for the associated system update to be applied on all the devices.
IMPORTANT:If the certificate activation time passes before the system update is applied on the devices, these devices will not be able to communicate with Primary Servers on which the new certificate has already been activated. You will then need to run the Certificate Remint Tool on these devices.
If the CA has already expired, the activation time will be labeled as Immediate, and you will need to run the Certificate Remint Tool on all the devices apart from the new CA server. On the new CA server, the Certificate Remint Tool will be launched automatically. For additional information on the Remint CA process for mobile devices, see Additional Information on Remint CA and Change CA process for Mobile Devices.
Click OK.
A message is displayed in the Zone Certificate Authority pane, indicating that the Remint CA operation has been initiated. As part of the Remint CA process, ZENworks will create a system update, the content of which will be replicated to all the Primary Servers and Content Satellite Servers in the zone, based on the configured content replication schedule. You can click the current replication status link to view the list of servers along with their respective content replication statuses. After the replication is complete, the system update will be automatically assigned to all devices in the zone. The CRT will be created on the new CA server. On other Primary Servers, it will be created only after the SU is assigned, to ensure that the content is replicated.
At any time before the auto assignment happens, you can assign the system update manually by clicking the Assign Now link. The system update will get assigned to all devices in the zone. For successful completion, we recommend that you ensure that the content is available on the content servers before assigning the system update.
NOTE:If the system update fails because the content is not available, you need to redeploy the system update on the failed devices.
The system update status for the Primary Servers and Authentication Satellite Servers can be viewed in the ZENworks Server SSL Certificate panel. The future certificate for these servers can be viewed from the Options column. The system update status for the other devices can be tracked from the System Updates page.
IMPORTANT:Ensure that the managed devices are refreshed after all the Primary Servers’ future certificates are available in the database and also after the subject has been changed for any of the Primary Server certificates. If the devices are not refreshed, communication between the managed devices and the Primary Servers will break.
When you Initiate a CA remint, in the Zone Certificate Authority pane, a message is displayed indicating that the CA remint operation has been initiated. This message includes a Cancel button. To cancel the CA remint:
Click the Cancel button. A dialog is displayed asking you to confirm that you want to cancel the operation.
After you confirm, a message is displayed indicating the progress of the cancel operation. If the cancel is successful, all the buttons in the Zone Certificate Authority pane are enabled. If the cancel operation fails, a failure message is displayed. You can clear the message and try the Cancel operation again.
The CA remint operation is canceled successfully. The Cancel button will be disabled ten minutes before the activation time. Though you cannot cancel the CA Remint, you can cancel the system-update for the device using the Ignore Device option from System Update page.
The AddExternalCAToTrustStore configure action adds an external CA certificate to the ZENworks trust store. The configure action accepts the following parameters:
file path: Path to the new external CA file. This is a mandatory field.
alias: Alias is a unique identifier that should be used for the certificate file. This is an optional field.
The configure action can be executed in any of the following way:
novell-zenworks-configure -c AddExternalCAToTrustStore
This command adds an external CA certificate to the ZENworks trust store. If a certificate with same alias already exists, then this command does not overrides the existing certificate in the trust store.
novell-zenworks-configure -c AddExternalCAToTrustStore -Z
This command adds an external CA certificate to the ZENworks trust store. If a certificate with same alias already exists, then this command overrides the existing certificate in the trust store.
NOTE:After reminting the certificate, ensure that you execute the AddExternalCAToTrustStore command again.
During a Remint CA or Change CA operation:
A new CA certificate is created and a System Update (SU) is assigned to the mobile devices. The System Update status for all the devices will be Update Assigned.
The server sends the new certificate to mobile devices that sync with the ZENworks MDM Server. This will be used to trust the Primary Server after the CA certificate activation date. The devices then move to the Pending Certificate Activation stage.
As the communication between the mobile devices and the Primary Server is authenticated using certificates, when the CA certificate is activated on the Primary Server, the database is also updated with information about the new MDM Identity certificate that is to be issued to all the mobile devices.
When the mobile device syncs for the first time after the CA certificate is activated, the Primary Server will initiate the Simple Certificate Enrollment Protocol (SCEP) activity with which the device requests for the new MDM Identity certificate.
When the SCEP activity is completed, the new certificate is issued to the devices. At this stage, the devices will start communicating with the MDM Server using this new certificate.
As soon as the new certificate is issued to the devices, the SU process is marked as Update Completed.
For details on SCEP, see https://tools.ietf.org/html/draft-gutmann-scep-16.
Enrolled mobile devices can sync with the ZENworks MDM Server in any one of the following ways:
Automatically: based on the specified mobile device refresh schedule.
Manually: by initiating a Refresh Device quick task from ZCC or by clicking the Refresh icon either on the ZENworks Agent app for an Android device or the End-user portal for an iOS device.
NOTE:While specifying the CA activation date, ensure that you provide adequate time for all the devices in the zone to sync with the ZENworks MDM Server.
However, if certain mobile devices are offline and does not sync with the ZENworks server during the system update (as a part of the Remint CA or Change CA operation) process, then based on the stage at which these devices are offline, you need to perform the relevant action:
If the device is offline when the status of the device is Update Assigned for certificate update and the CA activation date has passed: The devices have to be re-enrolled so that they can continue to communicate with the MDM Server using the new certificate.
If the device is offline when the status of the device is Pending Certificate Activation and the CA activation date has passed: No action needs to be performed. As soon as the devices sync with the ZENworks MDM Server, the new MDM identity certificate is issued to the devices. The devices will communicate with the MDM Server using this new certificate.
NOTE:To communicate with iOS 13.x and Mac devices, the MDM Server certificate should meet certain criteria. For more information, see Apple Support. To ensure that the server certificate meets this criteria, you can remint the server certificate alone. During a server certificate remint, new certificates are not issued to mobile devices, as these devices trust the CA certificate.
If your zone uses an Internal CA, then during server certificate remint, you only need to specify the validity and the remaining criteria will be handled by ZENworks. If your zone uses an external CA, then you need to ensure that the certificate meets all the required criteria. For more information, see Reminting Server Certificates.