Versions Compared

Old Version 37

changes.mady.by.user Daliya Agletdinova

Saved on

compared with

New Version 38

changes.mady.by.user Mikhail Yakovlev

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

To manage agents, create the following certificates:

  • Axidian CertiFlow CM Agent CA  a root certificate required to issue certificates to user workstations where Agents are deployed.
  • Axidian CM CertiFlow Agent SSL an authentication certificate signed by root certificate. This certificate is required to establish a two-way secure connection between the CertiFlow server and the workstation where Agent is deployed. 
  • Workstation certificate – a certificate, which is issued automatically when a client agent is registered. To be able to assign tasks to a workstation, the CertiFlow server verifies the authenticity of a workstation certificate. Once the certificate is verified, the server adds this workstation to the trusted list. 

To create agent certificates:

  1. Run the IndeedCMCm.Agent.Cert.Generator.exe utility on the Axidian CertiFlow server. 
  2. Generate root and SSL certificates with the following parameters:

/root generates a root certificate. 
/rootKeySize (optional) sets a private key length for root certificate. Default value is 4096 bits, other supported values are from 512 to 8192 bits.
/sn <DNS - server name> generates an SSL certificate for the specified DNS server name.
/csn generates an SSL certificate for the server where the utility is running.
/sslKeySize (optional) sets a private key length for an SSL certificate. Default value is 2048 bits by default, other supported values are from 512 to 4096 bits.
/pwd (optional) sets a password for an SSL certificate.
/installToStore (optional)publishes issued certificates to the server's certificate storages:

    • CM Agent CA certificate is published to Trusted Root Certification Authorities.
    • CM Agent SSL certificate is published to the Personal certificates storage of the workstation where Axidian CertiFlow server is deployed.

You can also generate an SSL certificate via existing root certificate. Use the following parameters: 

/rootKey sets the path to the root certificate file.
/ssl generates an SSL certificate. 
/sn <DNS - server name> generates an SSL certificate for the specified DNS server name.
/csn – generates an SSL certificate for the server where the utility is running.
/pwd (optional) sets a password for SSL certificate.
/sslKeySize (optional) sets a private key length for SSL certificate. 2048 bits by default, 512 to 4096 bits is possible.
/installToStore (optional) publishes issued SSL certificates to the Personal certificates storage of the workstation where Axidian CertiFlow server is deployed.

Code Block
languagepowershell
titleExample
Cm.Agent.Cert.Generator.exe /root /csn /installToStore

The following files should appear in the utility directory: 

  • agent_root_ca.json root certificate with private key in JSON format.
  • agent_root_ca.cer agent root certificate.
  • agent_root_ca.key private key of agent root certificate.
  • agent_ssl_cert.cer agent SSL certificate.
  • agent_ssl_cert.key private key of agent SSL certificate.
  • agent_ssl_cert.pfx SSL certificate with private key in PFX format. 
Info

Publish the CM Agent CAcertificate (agent_root_ca.cer) to Trusted Root Certification Authorities on Axidian CertiFlow server.

Если в вашем окружении используется несколько серверов Axidian CertiFlow с агентами, то на имя каждого сервера требуется выпустить SSL-сертификат для сервисов агента, используя общий корневой сертификат CM Agent CA (корневой сертификат сервисов агента на всех серверах должен быть один и тот же).

Для создания SSL-сертификата дополнительного сервера или обновления истекшего сертификата перенесите каталог с утилитой Cm.Agent.Cert.Generator и корневой сертификат сервисов агента с закрытым ключом в формате JSON (agent_root_ca.json) на сервер и выполните команду:

If you have multiple Axidian CertiFlow servers with Agents, use the same root certificate for all servers and specific SSL certificates for each server.

To create an SSL certificate for another server:

  1. Copy the IndeedCM.Agent.Cert.Generator.exe folder and agent_root_ca.json file and move them to required server.
  2. Run the following command:
Code Block
languagepowershell
Cm.Agent.Cert.Generator.exe /rootKey <path to agent_root_ca.json file> /ssl /sn <DNS- server name IndeedCM>Axidian CertiFlow> /installToStore

Configuring secure connection to the agent services site

  1. Open the IIS Manager, select  IndeedCM Agent CertiFlow Agent Site and go to Bindings...
  2. Select binding to 3003 port and click Edit...
  3. Define Axidian CertiFlow CM Agent SSL as SSL certificate and click OK.
Note

3003 port is set by default. If you use another port, create and configure a new binding for this port. The port must be open to incoming connections in the firewall.

SSL/TLS certificate can be an RSA certificate issued by any trusted CA for Axidian CertiFlow server:

  • Subject should contain the Common name value (FQDN of the system server).
  • SAN (Subject Alternative Name) should should contain the DNS -nameName value (FQDN of the system server). 
  • Enhanced Key Usage should contain the Server Authentication (1.3.6.1.5.5.7.3.1) value.