ZENworks Primary Servers use SSL to securely transport data among the various ZENworks components.
ZENworks provides the choice to use an external Certificate Authority (CA) or an internal ZENworks CA for your certificates. Making this decision depends on the assessment of various factors, including the business needs, and a thorough understanding of the pros and cons offered by these options:
If you choose to utilize the internal ZENworks CA, the Public Key Infrastructure (PKI) needed to support the CA will be automatically created by ZENworks on the first Primary Server and it will be used throughout the life of the Management Zone. The current lifespan of the internal certificate is 2 years.
Key benefits of using the internal CA include the following:
Ease of installation: When using the internal CA, the necessary certificates are automatically generated and trusted as a part of the ZENworks Primary Server installation process. Additionally, when other Primary Servers or Authentication Satellites are brought online in a zone using an internal CA, the certificates are automatically generated.
Simplified remote management: When using the internal CA, there is no need to generate certificates for each administrator who will remotely manage the device; this is handled automatically. If you use an external CA, you must mint a User Certificate for each administrative user, and they must provide that certificate each time they remote manage a device.
NOTE:It is possible to remove this requirement by configuring the policy so that it does not require this certificate. However, when this is done, the visible notification (if configured) will show the remote management session being performed by an Unknown User.
Cost: There is no cost per certificate when you use an internal CA.
Key drawback of using the internal CA include the following:
Ownership: The security and accountability of Public Key Infrastructure (PKI) used by the internal CA is a responsibility of the customer
Trust: Normally, external parties will not trust a digital certificate signed by an internal CA. One by-product of this is that your administrators will receive an SSL certificate warning.
Certificate Revocation: Certificate Revocation is currently not supported by ZENworks.
Fault Tolerance: There is only a single internal CA in the domain. If this server is unavailable, you will not be able to perform any operations that require minting of certificates. For instance, you would be unable to install a new Primary Server if the Internal CA is down. This also means that you need to ensure that you have a good backup of the CA in case of a disaster.
If you choose to use an External Certificate Authority, it is your responsibility to obtain the necessary certificates from the External Certificate Authority and provide them to ZENworks as part of the installation. Currently, ZENworks has the following requirements for using external certificates:
The root certificate should be a self-signed certificate.
Each ZENworks server should have certificates issued by the same root certificate.
The following are the advantages of using an external CA:
Trust: External parties normally trust a digital certificate signed by a trusted external CA, such as VeriSign, Thwate, Comodo, and SecureNet. This means that when you access ZENworks Control Center or external zones subscribed to the zone, you will receive a certificate warning.
Ownership: The security and management of the public key infrastructure required for the CA is the responsibility of the external CA.
Fault Tolerance: When using an external CA, all Primary Servers are the same. You do not have to worry about whether the first server is up when provisioning new servers.
The following are the disadvantages of using an external CA:
Certificate Expiration: Unlike the internal CA, the expiration date on most externally issued certificates tends to be much shorter. Many external certificates must be renewed on an annual basis. It is critical that the certificates be renewed before they expire and that they then be added to the ZENworks system in enough time for the agents to receive the updated certificates; otherwise devices will lose the connection to the server.
Cost: Assuming that you are using a public CA (such as Verisign, Thawte, or Entrust), there will be a cost associated with each certificate that you need to issue.
Remote Management: In order to secure remote management sessions to be established, ZENworks expects the administrators to present a certificate to the device to validate their identity. If you are not using an internal CA you either need to manually issue user certificates for each administrator or you will have to downgrade the security options in the Remote Management policy.
NOTE:It is possible to remove this requirement by configuring the policy not to require this certificate. However, when this is done the visible notification (if configured) will show the remote management session being performed by an Unknown User.