View Source

Agent requires the following certificates to operate properly:

Indeed CM Agent CA, which is the root Indeed CM Agent certificate. This is used to issue certificates for user workstations where Agent instances are to be installed to.
Indeed CM Agent SSL is the authentication certificate, signed by the root certificate. This is required to establish a bi-directional secure connection between the server and workstation with Agent installed. The certificate is issued for the workstation with Indeed CM server installed.
Workstation certificate is issued automatically upon Agent registration. A client computer provides its certificate to server by sending a request, and the Indeed CM server checks for the certificate authenticity. If correct, the server marks the Agent at the workstation as trusted one and becomes ready to send tasks to it.

Agent certificates are created with IndeedCM.Agent.Cert.Generator.exe utility from the Indeed CM installation package.

Run the IndeedCM.Agent.Cert.Generator.exe utility in command line as administrator on the Indeed CM server, using the following parameters: /root /csn /installToStore. Wait for the utility to finish operation.

The /csn parameter initiates the certificate issue procedure for DNS name of the workstation the utility is run at. To generate certificates for another workstation, run the utility with /sn <DNS name of workstation> parameter.

The /installToStore publishes the certificates issued by the utility to the server certificate storage:

The Indeed CM Agent CA certificate is placed to Trusted Root Certification Authorities.
The Indeed CM Agent SSL certificate is placed to personal certificate storage of the workstation with Indeed CM server installed.

2. The Indeed CM Agent CA.key file shall appear in the utility folder. The file contains the Indeed CM Agent CA certificate image and certificate key value.
3. Place the Indeed CM Agent CA certificate to Trusted Root Certification Authorities at all user workstations.

The Active Directory group policy mechanism can be used to distribute the certificate to user workstations.

4. Set up a secure connection to Agent site. To do this:

- Switch to IIS Manager.
- Select IndeedCM Agent Site, then switch to Bindings section.
- Select the binding to 3003 port and click Edit...

Port 3003 is set by default. If you use another port, then you’d have to create and configure a new binding for it. Make sure that the port is open for incoming connections in firewall.

- Define Indeed CM Agent SSL as SSL certificate and click OK.

5. Example of setting a binding for IndeedCM Agent Site.

Indeed Certificate Manager 6.6.0 Documentation > Creating agent certificates > setupsecureconnection.png

6. If your environment has more than one Indeed CM server with Agents, then a separate Agent SSL certificate is required for each server. The root certificate is one and the same for all the servers. To create a SSL certificate for additional server, copy the folder with IndeedCM.Agent.Cert.Generator.exe utility and Indeed CM Agent CA.key root certificate key file, then execute the following command:

IndeedCM.Agent.Cert.Generator.exe /ssl /csn /rootKey <path to folder containing root certificate key> /installToStore

IndeedCM.Agent.Cert.Generator.exe /ssl /csn /rootKey "C:\AgentCertGenerator\Indeed CM Agent CA.key" /installToStore