To manage agents, you need to create the following certificates:
- Axidian CertiFlow CM Agent CA – a root certificate required to issue certificates to user workstations where Agents are deployed.
- Axidian CertiFlow CM Agent SSL – an authentication certificate signed by root certificate and . This certificate is required to establish a two-way secure connection between the CertiFlow server and a the workstation where Agent is deployed.
- Workstation certificate – a certificate, which is issued automatically when a client agent is registered. To be able to assign tasks to a workstation, the CertiFlow server verifies the authenticity of a workstation certificate and adds the . Once the certificate is verified, the server adds this workstation to the trusted list.
To create agent certificates, run IndeedCM:
- Run the Cm.Agent.Cert.Generator.exe
- utility on the Axidian CertiFlow server
- .
- Generate root and SSL certificates with the following parameters:
Generating root and SSL certificates
/root – generates
an agenta root certificate.
/rootKeySize (optional) – sets a private key length for
root certificate. Default value is 4096 bits
by default, other supported values are from 512 to 8192 bits
is possible.
/sn <DNS
server name> – generates an SSL certificate for the specified DNS server name.
/csn – generates an SSL certificate for the server where the utility is running.
/sslKeySize (optional) – sets a private key length for an SSL certificate. Default value is 2048 bits by default, other supported values are from 512 to 4096 bits
.
/pwd (optional)– sets a password for an SSL certificate.
/installToStore (optional)–publishes issued certificates to the server's certificate storages:
- CM Agent CA certificate is published to Trusted Root Certification Authorities.
- CM Agent SSL certificate is published to the Personal certificates storage of the workstation where Axidian CertiFlow server is deployed.
You can also generate an SSL certificate
with an existing Agent CAvia existing root certificate. Use the following parameters:
/rootKey – sets the path to the root certificate file.
/ssl – generates an SSL certificate.
/sn <DNS
server name> – generates an SSL certificate for the specified DNS server name.
/csn – generates an SSL certificate for the server where the utility is running.
/pwd (optional) – sets a password for SSL certificate.
/sslKeySize (optional) – sets a private key length for SSL certificate. Default value is 2048 bits
, other supported values are from 512 to 4096 bits
is possible.
/installToStore (optional) – publishes issued SSL certificates to the Personal certificates storage of the workstation where Axidian CertiFlow server is deployed.
| Code Block | ||||
|---|---|---|---|---|
| ||||
Cm.Agent.Cert.Generator.exe /root /csn /installToStore |
The following files show up should appear in the utility directory:
- agent_root_ca.json – root certificate with private key in JSON format.
- agent_root_ca.cer – agent root certificate.
- agent_root_ca.key – private key of agent root certificate.
- agent_ssl_cert.cer – agent SSL - certificate.
- agent_ssl_cert.key – private key of agent SSL - certificate.
- agent_ssl_cert.pfx – SSL - certificate with private key in PFX format.
If you have multiple Axidian CertiFlow server servers with Agents, each server must have a specific SSL certificate. To issue an SSL certificate, use the same CM Agent CA root certificate. Root certificate must be the same for all servers and separate SSL certificates for each server.
To create an SSL certificate for another server or to renew an expired certificate:
- Copy Transfer the IndeedCMdirectory with Cm.Agent.Cert.Generator.exe folder utility and the agent_root_ca.json file and move it to required the server.
- Run the following command:
| Code Block | ||
|---|---|---|
| ||
Cm.Agent.Cert.Generator.exe /rootKey <path to agent_root_ca.json file> /ssl /sn <DNS- server name IndeedCM>Axidian CertiFlow> /installToStore |
Configuring secure connection to the agent services site
- Open the IIS Manager, select IndeedCM Agent Axidian CertiFlow Agent Site and go to Bindings...
- Select binding to 3003 port and click Edit...
- Define Axidian CertiFlow CM Agent SSL as SSL certificate and click OK.
| Note |
|---|
3003 port is set by default. If you use another port, create and configure a new binding for this port. The port must be open to incoming connections in the firewall. SSL/TLS certificate can be an RSA certificate issued by any trusted CA for Axidian CertiFlow server:
|
