Creating agent certificates

To manage agents, you need to create the following certificates:

• Axidian CertiFlow Agent CA – a root certificate required to issue certificates to user workstations where Agents are deployed.
• Axidian CertiFlow Agent SSL – an authentication certificate signed by root certificate and required to establish a two-way secure connection between the server and a workstation where Agent is deployed. 
• Workstation certificate – a certificate, which is issued automatically when a client agent is registered. To be able to assign tasks to a workstation, the CertiFlow server verifies the authenticity of a workstation certificate and adds the workstation to the trusted list.

To create agent certificates, run IndeedCM.Agent.Cert.Generator.exe on the Axidian CertiFlow server and set the following parameters:

Generating root and SSL certificates

/root – generates an agent root certificate. 
/rootKeySize (optional) – sets a private key length for the root certificate. 4096 bits by default, 512 to 8192 bits is possible.
/sn <DNS-server name> – generates an SSL certificate for the specified DNS server name.
/csn – generates an SSL certificate for the server where the utility is running.
/sslKeySize (optional) – sets a private key length for SSL certificate. 2048 bits by default, 512 to 4096 bits is possible.
/pwd (optional) – sets a password for SSL certificate.
/installToStore (optional) – publishes issued certificates to the server's certificate storages:

• Agent CA certificate is published to Trusted Root Certification Authorities.
• Agent SSL certificate is published to the Personal certificates storage of the workstation where Axidian CertiFlow server is deployed.

Generating SSL certificate with an existing Agent CA root certificate

/rootKey – sets the path to the root certificate file.
/ssl – generates an SSL certificate. 
/sn <DNS-server name> – generates an SSL certificate for the specified DNS server name.
/csn – generates an SSL certificate for the server where the utility is running.
/pwd (optional) – sets a password for SSL certificate.
/sslKeySize (optional) – sets a private key length for SSL certificate. 2048 bits by default, 512 to 4096 bits is possible.
/installToStore (optional) – publishes issued SSL certificates to the Personal certificates storage of the workstation where Axidian CertiFlow server is deployed.

Cm.Agent.Cert.Generator.exe /root /csn /installToStore

The following files show up in the utility directory:

• agent_root_ca.json – root certificate with private key in JSON format.
• agent_root_ca.cer – agent root certificate.
• agent_root_ca.key – private key of agent root certificate.
• agent_ssl_cert.cer – agent SSL-certificate.
• agent_ssl_cert.key – private key of agent SSL-certificate.
• agent_ssl_cert.pfx – SSL-certificate with private key in PFX format. 

If you have multiple Axidian CertiFlow server with Agents, use the same root certificate for all servers and separate SSL certificates for each server.

To create an SSL certificate for another server:

1. Copy the IndeedCM.Agent.Cert.Generator.exe folder and agent_root_ca.json file and move it to required server.
2. Run the following command:

Cm.Agent.Cert.Generator.exe /rootKey <path to agent_root_ca.json file> /ssl /sn <DNS-server name IndeedCM> /installToStore

Configuring secure connection to the agent services site

1. Open the IIS Manager, select IndeedCM Agent Site and go to Bindings.
2. Select binding to 3003 port and click Edit.
3. Define Axidian CertiFlow Agent SSL as SSL certificate and click OK.