Agent requires To manage agents, you need to create the following certificates to operate properly:
- Axidian CertiFlow Agent CA is – a root root certificate used required to issue certificates for to user workstations where Agents will be are deployed.
- Axidian CertiFlow Agent Agent SSL is – an authentication certificate signed by root certificate . Agent SSL certificate is and required to establish a two-way secure connection between the server and a workstation with where Agent installedis deployed.
- Workstation certificate – a certificate, which is issued automatically upon Agent registration. When sending a request to the server, the client workstation provides its certificate and the CertiFlow server verifies if the certificate is authentic. Then the server marks this Agent as trusted and is ready to assign tasks.
Agent certificates are created with IndeedCM.Agent.Cert.Generator.exe utility from the Axidian CertiFlow installation package.
Run the- when a client agent is registered. To be able to assign tasks to a workstation, the CertiFlow server verifies the authenticity of a workstation certificate and adds the workstation to the trusted list.
Creating agent certificates
To create agent certificates, run IndeedCM.Agent.Cert.Generator.exe
from the command line onon the Axidian CertiFlow server
. Useand set the following parameters:
/root /csn /installToStore.Generating root and SSL certificates
/root – generates an agent root certificate.
/rootKeySize (optional) – sets a private key length for the root certificate. 4096 bits by default, 512 to 8192 bits is possible.
/sn <DNS-server name> – generates an SSL certificate for the specified DNS server name.
/csn – generates an SSL certificate for the server where the utility is running.
The /installToStore publishes the certificates issued by the utility to the server certificate storage:
/sslKeySize (optional) – sets a private key length for SSL certificate. 2048 bits by default, 512 to 4096 bits is possible.
/pwd (optional)– sets a password for SSL certificate.
/installToStore (optional)–publishes issued certificates to the server's certificate storages:
- Agent CA certificate is published
- to Trusted Root Certification Authorities.
- Agent SSL certificate is
- published to the Personal certificates storage of the workstation
- where Axidian CertiFlow server
- is deployed.
2. Axidian CertiFlow Agent CA.key file will appear in the utility folder. The file contains the Axidian CertiFlow Agent CA certificate image and certificate key value.
3. Place the Axidian CertiFlow Agent CA certificate to Trusted Root Certification Authorities on all user workstations.
| Scroll Pagebreak |
|---|
| Info |
|---|
You can use the Active Directory Group Policy engine to distribute the certificate to user workstations. |
4. Set up a secure connection to Agent site:
- Switch to IIS Manager.
- Select Axidian CertiFlow Agent Site, go to Bindings.
- Select binding to 3003 port and click Edit.
| Warning |
|---|
3003 port is set by default. If you use another port, you will need to create and configure a new binding for it. Make sure that the port is open for incoming connections in firewall. |
- Define Axidian CertiFlow Agent SSL as SSL certificate and click OK.
Generating SSL certificate with an existing Agent CA root certificate
/rootKey – sets the path to the root certificate file.
/ssl – generates an SSL certificate.
/sn <DNS-server name> – generates an SSL certificate for the specified DNS server name.
/csn – generates an SSL certificate for the server where the utility is running.
/pwd (optional) – sets a password for SSL certificate.
/sslKeySize (optional) – sets a private key length for SSL certificate. 2048 bits by default, 512 to 4096 bits is possible.
/installToStore (optional) – publishes issued SSL certificates to the Personal certificates storage of the workstation where Axidian CertiFlow server is deployed.
| Code Block | ||||
|---|---|---|---|---|
| ||||
Cm.Agent.Cert.Generator.exe /root /csn /installToStore |
The following files show up in the utility directory:
- agent_root_ca.json – root certificate with private key in JSON format.
- agent_root_ca.cer – agent root certificate.
- agent_root_ca.key – private key of agent root certificate.
- agent_ssl_cert.cer – agent SSL-certificate.
- agent_ssl_cert.key – private key of agent SSL-certificate.
- agent_ssl_cert.pfx – SSL-certificate with private key in PFX format.
| Info |
|---|
Publish the Agent CAcertificate (agent_root_ca.cer) to Trusted Root Certification Authorities on Axidian CertiFlow server. |
If you have multiple Axidian CertiFlow server with Agents, use the same root certificate for all servers and separate SSL certificates for each server.
To create an SSL certificate for
additional server, copy the folder withanother server:
- Copy the IndeedCM.Agent.Cert.Generator.exe
- folder and agent_root_ca.json file and move it to required server.
- Run the following command:
| Code Block | ||
|---|---|---|
| ||
IndeedCMCm.Agent.Cert.Generator.exe /ssl /csn /rootKey <path to folder containing root certificate key>agent_root_ca.json file> /ssl /sn <DNS-server name IndeedCM> /installToStore |
Configuring secure connection to the agent services site
- Open the IIS Manager, select IndeedCM Agent Site and go to Bindings.
- Select binding to 3003 port and click Edit.
- Define Axidian CertiFlow Agent SSL as SSL certificate and click OK.
| Note | ||
|---|---|---|
3003 port is set by default. If you use another port, create and configure a new binding for this port. The port must be open to incoming connections in the firewall. SSL/TLS certificate can be an RSA certificate issued by any trusted CA for Axidian CertiFlow server:
| ||
| Code Block | ||
| ||
| IndeedCM.Agent.Cert.Generator.exe /ssl /csn /rootKey "C:\AgentCertGenerator\Indeed CM Agent CA.key" /installToStore |