To manage Agents, create the following certificates:

  • Indeed CM Agent CA – the root Agent certificate. It is required to issue certificates for the user workstations where Agents are deployed.
  • Indeed CM Agent SSL – an authentication certificate signed by the root certificate. It is required to establish a two-way secure connection between the Axidian CertiFlow server and the workstation where an Agent is deployed. The certificate is issued for the workstation where the Axidian CertiFlow server is deployed.
  • Workstation certificate – a certificate issued automatically when a client Agent is registered. The client computer presents its certificate to the server in a request, and the Axidian CertiFlow server verifies the certificate's authenticity. Once the certificate is verified, the server adds the workstation to the trusted list and can assign tasks to it.

Agent certificates are created with the Cm.Agent.Cert.Generator.exe utility (named IndeedCM.Agent.Cert.Generator.exe in Indeed CM releases) from the installation package.

To create agent certificates:

  1. Run the Cm.Agent.Cert.Generator.exe utility from the command line as administrator on the Axidian CertiFlow server.
  2. Generate the root and SSL certificates with the following parameters: /root /csn /rootKeySize 2048 /sslKeySize 2048 /installToStore. Wait for the utility to finish.

Note

The /csn parameter issues the SSL certificate for the DNS name of the workstation the utility is run on. To generate certificates for another workstation, run the utility with the /sn <DNS name of workstation> parameter instead.

Parameters:

/root generates a root certificate.
/rootKeySize (optional) sets the private key length for the root certificate. The default is 4096 bits; supported values are from 512 to 8192 bits.
/sn <DNS server name> generates an SSL certificate for the specified DNS server name.
/csn generates an SSL certificate for the server where the utility is running.
/sslKeySize (optional) sets the private key length for the SSL certificate. The default is 2048 bits; supported values are from 512 to 4096 bits.
/pwd (optional) sets a password for the SSL certificate.
/installToStore (optional) publishes the issued certificates to the certificate stores of the server:

    • the Indeed CM Agent CA certificate is placed in Trusted Root Certification Authorities;
    • the Indeed CM Agent SSL certificate is placed in the Personal certificate store of the workstation where the Axidian CertiFlow server is deployed.

You can also generate an SSL certificate from an existing root certificate. Use the following parameters:

/rootKey <path> sets the path to the root certificate file.
/ssl generates an SSL certificate.
/sn <DNS server name> generates an SSL certificate for the specified DNS server name.
/csn generates an SSL certificate for the server where the utility is running.
/pwd (optional) sets a password for the SSL certificate.
/sslKeySize (optional) sets the private key length for the SSL certificate. The default is 2048 bits; supported values are from 512 to 4096 bits.
/installToStore (optional) publishes the issued SSL certificate to the Personal certificate store of the workstation where the Axidian CertiFlow server is deployed.

Example:

    Cm.Agent.Cert.Generator.exe /root /csn /installToStore

The following files should appear in the utility directory: 

  • agent_root_ca.json – root certificate with private key in JSON format.
  • agent_root_ca.cer – Agent root certificate.
  • agent_root_ca.key – private key of the Agent root certificate.
  • agent_ssl_cert.cer – Agent SSL certificate.
  • agent_ssl_cert.key – private key of the Agent SSL certificate.
  • agent_ssl_cert.pfx – SSL certificate with private key in PFX format.

If you have multiple Axidian CertiFlow servers with Agents, each server must have its own SSL certificate. Issue every SSL certificate from the same Indeed CM Agent CA root certificate: the root certificate must be the same for all servers.

To create an SSL certificate for another server or to renew an expired certificate:

  1. Copy the directory with the Cm.Agent.Cert.Generator.exe utility and the agent_root_ca.json root certificate file (named Indeed CM Agent CA.key in Indeed CM releases; it contains the root certificate and its private key) to that server.
  2. Run the following command:

    Cm.Agent.Cert.Generator.exe /rootKey <path to agent_root_ca.json file> /ssl /sn <DNS name of the Axidian CertiFlow server> /installToStore

In every case, place the Indeed CM Agent CA certificate (agent_root_ca.cer) in Trusted Root Certification Authorities on all user workstations where Agents are deployed; otherwise the Agents will not trust the server's SSL certificate.

Info

The Active Directory group policy mechanism can be used to distribute the certificate to user workstations.

Configuring secure connection to the agent services site

  1. Open IIS Manager, select Axidian CertiFlow Agent Site and go to Bindings...
  2. Select the binding to port 3003 and click Edit...
  3. Select Indeed CM Agent SSL as the SSL certificate and click OK.

Note

Port 3003 is set by default. If you use another port, create and configure a new binding for that port. The port must be open to incoming connections in the firewall.

Figure 16 – Setting a secure connection to the Axidian CertiFlow server to work with Agents (screenshot of the binding dialog; image not reproduced here).

Instead of the generated Indeed CM Agent SSL certificate, the SSL/TLS certificate can be an RSA certificate issued for the Axidian CertiFlow server by any trusted CA, provided that:

  • Subject contains the Common Name value (FQDN of the system server).
  • Subject Alternative Name contains the DNS Name value (FQDN of the system server), e.g. certiflow.demo.local, or *.demo.local for a wildcard certificate.
  • Enhanced Key Usage contains the Server Authentication (1.3.6.1.5.5.7.3.1) value.
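The following PowerShell function is an added check and is not part of the original page or of Axidian CertiFlow; it verifies a candidate certificate against the three requirements above (and, because the binding also depends on them, the RSA key size, the presence of the private key and the validity period) before the certificate is bound to the Agent site. The FQDN certiflow.demo.local and the LocalMachine\My store used in the usage lines are assumptions.

```powershell
# Added check (not from the original page or from Axidian CertiFlow): does this certificate
# satisfy the requirements for the Agent site binding? Assumed inputs: the server FQDN and
# the certificate store used in the usage lines at the bottom.
function Test-CertiFlowServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$Fqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $problems = @()

    # 1. Subject must carry CN = FQDN of the server.
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -ne $Fqdn) { $problems += "Subject CN is '$cn', expected '$Fqdn'" }

    # 2. Subject Alternative Name must list the FQDN, or a wildcard for its parent domain.
    $dnsNames = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Windows formats the extension as "DNS Name=host1, DNS Name=host2, ...".
        $dnsNames = @(($san.Format($false) -split ',\s*') |
            Where-Object { $_ -like 'DNS Name=*' } |
            ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    $parent = ($Fqdn -split '\.', 2)[1]
    if (-not ($dnsNames | Where-Object { $_ -eq $Fqdn -or $_ -eq "*.$parent" })) {
        $problems += "SAN has no DNS Name for '$Fqdn' (found: $($dnsNames -join ', '))"
    }

    # 3. Enhanced Key Usage must include Server Authentication.
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems += "EKU lacks Server Authentication ($serverAuthOid)"
    }

    # Also needed for the binding: an RSA key of at least 2048 bits, a private key, and validity.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    if (-not $rsa) { $problems += 'Public key is not RSA' }
    elseif ($rsa.KeySize -lt 2048) { $problems += "RSA key is only $($rsa.KeySize) bits" }
    if (-not $Certificate.HasPrivateKey) { $problems += 'No private key available; IIS cannot bind it' }
    if ($Certificate.NotAfter -lt (Get-Date)) { $problems += "Expired on $($Certificate.NotAfter)" }

    [pscustomobject]@{ Thumbprint = $Certificate.Thumbprint; Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Usage (assumed FQDN and store): check the certificate that is about to be bound to the Agent site.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*certiflow.demo.local*' } | Select-Object -First 1
Test-CertiFlowServerCertificate -Certificate $cert -Fqdn 'certiflow.demo.local'
```

Run it on the Axidian CertiFlow server as administrator; an Ok value of False with a non-empty Problems list means the binding should not be created with that certificate.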
