ITMS Administrator Group


Questions about https, CEM and certificate distribution

  • 1.  Questions about https, CEM and certificate distribution

    Posted Jul 25, 2016 05:54 AM

    Hello community,

    I am working on the CEM concept in Altiris ITMS 8.0. First I need to forward the communication from HTTP to HTTPS.
    I successfully installed the SSL certificate issued by our internal CA. I enabled the HTTPS codebase publishing for package servers. As far as I see, only the NS server published HTTPS codebases. I am planning to add only 1 or 2 Site Servers to the Internet Site.
    I have some questions about settings for site servers as the manual does not talk about it clearly enough.
    In 'Global Site Server Settings' there are 2 options in 'Certificate rollout' section.
    For intranet certificate the default binding port is 444, for CEM certificate the binding port is 443.
    In the manual there is only one sentence regarding the intranet certificate: 'The intranet certificate is delivered to all site servers.'

    It does not mention its purpose.

    Questions I have are:

    • If I redirect my agent to use HTTPS and enable publishing HTTPS codebases, but I do not install the Intranet certificate, will my internal (non-CEM) clients still be able to download over HTTP or UNC?
    • If I redirect my agent to use HTTPS and enable publishing HTTPS codebases, and I do install the CEM certificate, will my external (CEM) clients be able to download over HTTPS via the gateway?
    • Do I have to install the intranet certificate on all site servers?
    • Can I use the same port 443 for the intranet and CEM certificates?
    • Can I use the same certificate issued by my internal CA as the master certificate to sign the intranet certificate?
    • Can I use the same certificate issued by my internal CA as the CEM certificate?

    Since I am new to the certificate world, before I proceed with the CEM concept I need to ensure that I fully understand all technical nuances.

    Thanks in advance,
    Tomasz



  • 2.  RE: Questions about https, CEM and certificate distribution

    Posted Aug 15, 2016 12:55 PM

    I want to say that the port specified in global site server settings is a bug since the default HTTPS port is 443.  Mine also shows 444 for the port.

    1. As long as you still have the Publish UNC codebase and Publish HTTP codebase options checked under the Package Service Settings page, you should be able to.
    2. As long as all of the certificates in the certificate chain (CA and CEM cert) are trusted by the workstation with the agent, it should be able to download via HTTPS through the gateway.  Agents will not be able to use CEM unless the entire certificate chain is trusted and HTTPS is working.
    3. From what I understand, if you are planning on using HTTPS codebases, you will need to have the certificates on the site servers and an SSL certificate for the site server itself loaded into IIS bindings.
    4. Yes, this should be 443 and I'm assuming this is a bug in the global site server settings page.

    Honestly I'm not sure how to answer your last two questions as I do not use an internal CA for my CEM implementation.  I use a self-signed certificate since we do not have an internal CA.  From what I understand of certificates and from looking at the self-signed setup I have, you will need to have a separate certificate signed by your CA.  Someone else may be able to chime in and clarify this since I'm using the other method of CEM (self-signed).  Otherwise I would recommend calling support and asking your questions.
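Points 2 and 3 of the reply above come down to two things you can verify directly: does a client machine actually trust the whole chain the site server presents on 443, and does the site server's IIS have an HTTPS binding with a certificate behind it. The PowerShell below is an added example for checking both; it is not code from the thread, from Symantec, or from the ITMS product. The hostname `siteserver01.example.internal` is an assumed placeholder, port 443 is assumed per the reply, and `Get-SiteServerHttpsBinding` assumes it is run on the site server itself with IIS's WebAdministration module installed.

```powershell
# Added example (not from the thread or the product): verify the HTTPS side of a site server.

function Test-SiteServerChain {
    # Run from a client machine. Connects to the site server, takes the certificate it
    # presents and builds the chain against this machine's own trust stores, which is
    # what the agent will have to do when it downloads over HTTPS.
    param(
        [Parameter(Mandatory)][string]$SiteServer,
        [int]$Port = 443   # assumed: the port the reply settles on for HTTPS
    )
    $client = New-Object System.Net.Sockets.TcpClient($SiteServer, $Port)
    try {
        # Accept whatever the server sends at handshake time; the chain is inspected below.
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false,
            [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($SiteServer)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is skipped so that a lab without a reachable CRL still gives a trust verdict.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($leaf)

        [pscustomobject]@{
            Server   = $SiteServer
            Port     = $Port
            Subject  = $leaf.Subject
            Issuer   = $leaf.Issuer
            NotAfter = $leaf.NotAfter
            Trusted  = $trusted
            # Non-empty when Build() failed, e.g. an untrusted root or an incomplete chain.
            Problems = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            Chain    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        }
    }
    finally {
        $client.Close()
    }
}

function Get-SiteServerHttpsBinding {
    # Run on the site server. Lists every HTTPS binding in IIS and resolves the bound
    # certificate from the local machine store, so a binding pointing at a missing or
    # expired certificate shows up immediately.
    Import-Module WebAdministration
    Get-WebBinding -Protocol https | ForEach-Object {
        $hash = $_.certificateHash
        $cert = $null
        if ($hash) {
            $cert = Get-ChildItem "Cert:\LocalMachine\$($_.certificateStoreName)" |
                Where-Object { $_.Thumbprint -eq $hash }
        }
        $subject = if ($cert) { $cert.Subject } else { '(certificate not found in store)' }
        $expires = if ($cert) { $cert.NotAfter } else { $null }
        [pscustomobject]@{
            Binding    = $_.bindingInformation   # e.g. *:443: for an all-interfaces 443 binding
            Store      = $_.certificateStoreName
            Thumbprint = $hash
            Subject    = $subject
            NotAfter   = $expires
        }
    }
}

# Usage (hostname is an assumed placeholder):
Test-SiteServerChain -SiteServer 'siteserver01.example.internal' | Format-List
Get-SiteServerHttpsBinding | Format-Table -AutoSize
```

Run `Test-SiteServerChain` from a machine that represents the agent population in question (an intranet client for the intranet certificate, a machine outside the network for the CEM path through the gateway). `Trusted` must be `$true` and `Problems` empty for the whole chain, which is the condition the reply gives for CEM to work; a `Chain` that stops at the leaf with a "partial chain" problem means the issuing CA is not in that client's trust store.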