Alliq nur Imanin Aji, posted January 9, 2020:

I would like to install SSL for HTTPS on the MDM Server. I have already created a PFX file and put it in the connector (server.xml), but my HTTPS MDM is still "Not Secure". What should I do?

Anyway, I have already successfully installed SSL on ESMC.

Command IT, posted January 15, 2020:

+1

I can find information for ERA 6.5 but it says don't use this process for ESMC 7.

John

Mirek S. (ESET Staff), posted January 15, 2020:

To have "secure" as in trusted by the browser, you need to purchase a 3rd party certificate from a common internet certification authority. One such certificate authority is Let's Encrypt, which provides certificates for free. ESMC creates self-signed certificates, which are not trusted unless their root CA is imported into the device certificate store.

@Command IT What you probably meant was certificate chain installation, which was required till 6.5 due to the TLS layer we used. In 7.0+ we use a different TLS layer on Windows (OpenSSL), and the PKCS#12 is newly required to contain the entire certificate chain including the root CA - the system certificate store is not used anymore.

Command IT, posted January 15, 2020 (edited January 15, 2020):

Thanks Mirek.

I have a certificate from GoDaddy, but if I configure in the MDM policy it says it's not a valid chain. Is that because GoDaddy certificates require an Intermediate certificate?

John

Perry, posted January 16, 2020 (edited January 16, 2020):

Hi,

You should create a full chain certificate which contains SSL cert, intermediate, root and private key.

- Download XCA and install it.
- Download OpenSSL and install it.

1.) Create an empty file (C:\temp\cert-chain.txt) on your PC and paste the following inside it:

    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate from C:\temp\your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate from C:\temp\TheIntermediateCA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate part from C:\temp\TheTrustedRoot.crt)
    -----END CERTIFICATE-----

2.) Now replace the content inside the brackets with your certificates (which you can export via XCA; PEM txt format). The order above is VERY important so do not mix it!

3.) Export the private key (unencrypted in text format) with XCA from your certificate and store it inside C:\temp\server.pemkey

4.) Now merge everything together as pkcs12 (filename extension for PKCS #12 files is .p12 or .pfx). To do that open a CMD (run as admin) and perform:

    cd C:\OpenSSL-Win32
    openssl pkcs12 -export -inkey C:\temp\server.pemkey -in C:\temp\cert-chain.txt -password pass:ABCD -out C:\temp\certificate(chain_and_key).pfx

5.) Your PFX file is now ready to be used.
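
Added example, not part of the original thread or of ESET's tooling: a standard-library Python check that a PEM bundle such as cert-chain.txt is ordered leaf, intermediate(s), self-signed root before it is packed into the PFX. It is an assumption-laden sketch: it compares issuer and subject names byte for byte only, verifies no signatures or validity dates, and all function names are this example's own.

```python
import base64
import re
import sys

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Name of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(der, pos)                 # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                                # optional [0] version comes first
        _, _, end = read_tlv(der, end)             # serialNumber
    _, _, issuer_at = read_tlv(der, end)           # signature AlgorithmIdentifier
    _, _, validity_at = read_tlv(der, issuer_at)   # issuer Name
    _, _, subject_at = read_tlv(der, validity_at)  # validity
    _, _, subject_end = read_tlv(der, subject_at)  # subject Name
    return der[issuer_at:validity_at], der[subject_at:subject_end]

def chain_problems(bundle_text):
    """List ordering problems in a bundle expected as leaf, intermediate(s), root."""
    names = [issuer_and_subject(base64.b64decode(body)) for body in PEM_CERT.findall(bundle_text)]
    problems = []
    if len(names) < 2:
        problems.append("fewer than two certificates in bundle")
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:         # issuer of i must be subject of i+1
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}")
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed: root CA missing")
    return problems

if __name__ == "__main__" and len(sys.argv) == 2:
    with open(sys.argv[1]) as handle:
        print(chain_problems(handle.read()) or "order OK: leaf first, self-signed root last")
```

Saved under a name of your choice and run with the bundle path as its only argument, it prints the list of problems or a confirmation that the order matches the layout described in the post above.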

Mirek S. (ESET Staff), posted January 16, 2020:

Hello,

As @Perry noted, 3rd party certification authorities typically provide a PEM or PKCS#12 web certificate which does not contain the root CA, as that is not required for common webservers - this certificate is typically preinstalled on devices so that the chain of trust can be established.

MDM does a "bit more" than a typical webserver - during enrollment we also install the root CA to the enrolled device to establish trust (we can't guess whether the certificate is self-signed or signed by a CA already trusted by the device), so we have an extra requirement.

I'll look into improving documentation wrt 3rd party certificates, as an openssl command line how-to for converting between formats and appending the root CA to existing certificates should help some users.

HTH

Command IT, posted January 17, 2020 (edited January 17, 2020):

Thanks @Perry and @Mirek S

I downloaded the GoDaddy CA certs from https://ssl-ccp.godaddy.com/repository?origin=CALLISTO and followed the instructions and it now looks like it's working.

John

Alliq nur Imanin Aji (thread author), posted February 14, 2020:

Thanks all,

But basically my problem is not with the PFX file. I have already successfully installed it on my ESMC. But I dunno how to install it on the MDM Server. (I use Linux.)

Thanks,

Mirek S. (ESET Staff), posted February 14, 2020:

Hello,

You can install the MDM HTTPS certificate via MDM policy. https://help.eset.com/esmc_admin/70/en-US/admin_pol_for_mdc_apns.html

HTH