Desktop Central 9 - Desktop and Mobile Device Management software

Using Third-Party SSL Certificate for Secured Communication

Description

Desktop Central allows you to use third-party SSL certificates to secure communication between the Desktop Central server and the agent.

Important:
  1. You must enable HTTPS communication in Desktop Central from Admin --> Server Settings before importing a third-party SSL certificate.
  2. Applicable for Desktop Central Build Numbers #70115 and above.

The steps below will guide you in using third-party certificates. Follow the steps that apply to your Desktop Central build:

Steps for Build #80344 and Above

  1. Create CSR and Key Files
  2. Submit the CSR to a Certificate Authority (CA) to Obtain a CA Signed Certificate
  3. Update SSL Certificate in Desktop Central Server
    or
  4. Convert and Import Third-Party PFX Certificates

Create CSR and Key Files

To create CSR and Key files, follow the steps mentioned below:

  1. Open a command prompt and change directory to <Desktop_Central_Home>/apache/bin
  2. Execute the following command:
    openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -config ..\conf\openssl.cnf
  3. Once prompted, enter the information required to generate a CSR. A sample key generation section is as follows:

Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.....++++++
......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:tamilnadu
Locality Name (eg, city) []:chennai
Organization Name (eg, company) [Internet Widgits Pvt Ltd]:manageengine
Organizational Unit Name (eg, section) []:desktopcentral
Common Name (eg, YOUR name) []:symphony.yourdomain.com. [This should be the same as you use to connect to the client. For example, if you use FQDN (https://symphony.yourdomain.com) to access this computer via browser, you should specify it the same way here as symphony.yourdomain.com.]
Email Address []:[Leave as empty]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Leave as empty]
An optional company name []:[Leave as empty]

This operation creates a key file named server.key and a CSR file named server.csr in the current working directory (<Desktop_Central_Home>/apache/bin).

Submit the CSR to a Certificate Authority (CA) to obtain a CA signed certificate

  • Submit the created server.csr to a CA. Check the CA's documentation or website for details on submitting CSRs. The CA will charge a fee for this.
  • This process usually takes a few days, after which you will receive your signed SSL certificate and the CA's chain/intermediate certificate as .cer files.
  • Save these files and rename your signed SSL certificate file to server.crt

Update SSL Certificate in Desktop Central Server

  1. Stop the Desktop Central Server and take a backup of the existing server.key and server.crt files located in the <Desktop_Central_Home>/apache/conf directory.
  2. Now, copy the newly created server.key, server.crt, root and chain/intermediate certificate files to the <Desktop_Central_Home>/apache/conf directory.
  3. Change the file extensions of the root and chain/intermediate certificate files to .crt
  4. Add the chain/intermediate certificate details in Desktop Central. You can skip this step if your CA has not provided any chain/intermediate files:
    1. Open <Desktop_Central_Home>/conf/websettings.conf, add the root and intermediate certificate file names to the following entries:
      • apache.ssl.root.ca.file=root.crt  (root.crt refers to the root certificate provided by your CA)
      • apache.ssl.intermediate.ca.file=intermediate.crt (intermediate.crt refers to the intermediate certificate provided by your CA)
    2. Start Desktop Central Server

Convert and Import Third-Party PFX Certificates

Follow the steps mentioned below to convert and install Third-Party PFX certificates in Desktop Central:

  1. Go to <DesktopCentral_Server>/apache/conf folder and back up server.crt and server.key. It is recommended to store these files safely.
  2. Copy the PFX file that you want to convert into the <DesktopCentral_Server>/apache/bin folder
  3. Open a command prompt and change directory to <Desktop_Central_Home>/apache/bin
  4. Execute the following commands:
    1. openssl pkcs12 -in <PFX file Name with extension(pfx)> -clcerts -nokeys -out server.crt
      Example: openssl pkcs12 -in test.pfx -clcerts -nokeys -out server.crt
    2. Enter PFX password, when prompted
    3. openssl pkcs12 -in <PFX file Name with extension(pfx)> -nocerts -nodes -out server_encrypted.key
      Example: openssl pkcs12 -in test.pfx -nocerts -nodes -out server_encrypted.key
    4. Enter PFX password, when prompted
    5. Execute the command: openssl rsa -in server_encrypted.key -out server.key
  5. Copy the newly created server.crt and server.key, which are available under <DesktopCentral_Server>/apache/bin, to <DesktopCentral_Server>/apache/conf
  6. Restart Desktop Central Server.

You have successfully converted and installed the third-party PFX certificate in Desktop Central. If the Desktop Central server does not start, restore the previous server.crt and server.key that you backed up. You can then start the Desktop Central service. Contact Desktop Central support with the PFX file and the password.
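
The following PowerShell script is an added example, not part of the original Desktop Central documentation or ManageEngine's own tooling. It checks the files produced by either "Update SSL Certificate in Desktop Central Server" or "Convert and Import Third-Party PFX Certificates" before the server is restarted. It assumes it is run from <Desktop_Central_Home>\apache\bin, that the openssl.exe there supports the options used, and that the file names and FQDN are the ones used on this page; the parameter names are illustrative.

```powershell
# Added example: run from <Desktop_Central_Home>\apache\bin before restarting the server.
# Assumed names: server.crt, server.key, root.crt, intermediate.crt as used on this page;
# $Fqdn is the Common Name entered when the CSR was created.
param(
    [string]$Cert  = 'server.crt',
    [string]$Key   = 'server.key',
    [string]$Root  = 'root.crt',
    [string]$Inter = 'intermediate.crt',
    [string]$Fqdn  = 'symphony.yourdomain.com'
)
$openssl = '.\openssl.exe'
$results = [ordered]@{}

# 1. The private key must belong to the certificate: compare the RSA moduli.
#    "-passin pass:" makes a passphrase-protected key fail here instead of prompting.
$certMod = (& $openssl x509 -noout -modulus -in $Cert) -join ''
$keyMod  = (& $openssl rsa -noout -modulus -in $Key -passin 'pass:') -join ''
$results['Key matches certificate'] = [bool]($certMod -and ($certMod -eq $keyMod))

# 2. The subject CN must be the name used to reach the server.
$subject   = (& $openssl x509 -noout -subject -in $Cert) -join ' '
$cnPattern = 'CN\s*=\s*' + [regex]::Escape($Fqdn) + '\s*([,/]|$)'
$results['CN equals server FQDN'] = [bool]($subject -match $cnPattern)

# 3. The certificate must not already be expired (-checkend 0 exits non-zero if it is).
& $openssl x509 -noout -checkend 0 -in $Cert | Out-Null
$results['Certificate not expired'] = ($LASTEXITCODE -eq 0)

# 4. If the CA supplied chain files, server.crt must verify against them.
if (Test-Path $Root) {
    $verifyArgs = @('verify', '-CAfile', $Root)
    if (Test-Path $Inter) { $verifyArgs += @('-untrusted', $Inter) }
    $verifyArgs += $Cert
    $out = (& $openssl @verifyArgs) -join "`n"
    # Require a zero exit code, the ": OK" line, and no error text in the output.
    $results['Chain verifies'] = ($LASTEXITCODE -eq 0) -and
        ($out -match ': OK') -and ($out -notmatch 'error')
}

$results.GetEnumerator() | ForEach-Object {
    '{0,-26} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
if (@($results.Values) -contains $false) { exit 1 }
```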

Steps for Build Below #80344

Create CSR and Key Files

To create CSR and Key files, follow the steps mentioned below:

  1. Open a command prompt and change directory to <Desktop_Central_Home>/apache/bin
  2. Execute the following command:
    openssl req -new -newkey rsa:2048 -nodes -out server.csr -keyout server.key -config ..\conf\openssl.cnf
  3. Once prompted, enter the information required to generate a CSR. A sample key generation section is as follows:

Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.....++++++
......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:tamilnadu
Locality Name (eg, city) []:chennai
Organization Name (eg, company) [Internet Widgits Pvt Ltd]:manageengine
Organizational Unit Name (eg, section) []:desktopcentral
Common Name (eg, YOUR name) []:symphony.yourdomain.com. [This should be the same as you use to connect to the client. For example, if you use FQDN (https://symphony.yourdomain.com) to access this computer via browser, you should specify it the same way here as symphony.yourdomain.com.]
Email Address []:[Leave as empty]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:[Leave as empty]
An optional company name []:[Leave as empty]

This operation creates a key file named server.key and a CSR file named server.csr in the current working directory (<Desktop_Central_Home>/apache/bin).

Submit the CSR to a Certificate Authority (CA) to obtain a CA signed certificate

  • Submit the created server.csr to a CA. Check the CA's documentation or website for details on submitting CSRs. The CA will charge a fee for this.
  • This process usually takes a few days, after which you will receive your signed SSL certificate and the CA's chain/intermediate certificate as .cer files.
  • Save these files and rename your signed SSL certificate file to server.crt

Update SSL Certificate in Desktop Central Server

  1. Stop the Desktop Central Server and take a backup of the existing server.key and server.crt files located in the <Desktop_Central_Home>/apache/conf directory.
  2. Now, copy the newly created server.key, server.crt and chain/intermediate certificate files to the <Desktop_Central_Home>/apache/conf directory.
  3. Change the file extensions of the chain/intermediate certificate files to .crt
  4. Add the chain/intermediate certificate details in Desktop Central. You can skip this step if your CA has not provided any chain/intermediate files:
    1. Open <Desktop_Central_Home>/apache/conf/httpd-ssl.conf.template and add this line:

      SSLCACertificateFile "%SERVER_HOME%/apache/conf/intermediateCA.crt" [ Here intermediateCA.crt is your chain/intermediate certificate name]

    2. Open <Desktop_Central_Home>/apache/conf/httpd-ssl.conf and add this line:

      SSLCACertificateFile "C:/Program Files/DesktopCentral_Server/apache/conf/intermediateCA.crt" [ Here intermediateCA.crt is your chain/intermediate certificate name. Make sure you specify the absolute path to your chain/intermediate certificate file.]

    3. Start Desktop Central Server

Convert and Import Third-Party PFX Certificates

Follow the steps mentioned below to convert and install Third-Party PFX certificates in Desktop Central:

  1. Go to <DesktopCentral_Server>/apache/conf folder and back up server.crt and server.key. It is recommended to store these files safely.
  2. Copy the PFX file that you want to convert into the <DesktopCentral_Server>/apache/bin folder
  3. Open a command prompt and change directory to <Desktop_Central_Home>/apache/bin
  4. Execute the following commands:
    1. openssl pkcs12 -in <PFX file Name with extension(pfx)> -clcerts -nokeys -out server.crt
      Example: openssl pkcs12 -in test.pfx -clcerts -nokeys -out server.crt
    2. Enter PFX password, when prompted
    3. openssl pkcs12 -in <PFX file Name with extension(pfx)> -nocerts -nodes -out server_encrypted.key
      Example: openssl pkcs12 -in test.pfx -nocerts -nodes -out server_encrypted.key
    4. Enter PFX password, when prompted
    5. Execute the command: openssl rsa -in server_encrypted.key -out server.key
  5. Copy the newly created server.crt and server.key, which are available under <DesktopCentral_Server>/apache/bin, to <DesktopCentral_Server>/apache/conf
  6. Restart Desktop Central Server.

You have successfully converted and installed the third-party PFX certificate in Desktop Central. If the Desktop Central server does not start, restore the previous server.crt and server.key that you backed up. You can then start the Desktop Central service. Contact Desktop Central support with the PFX file and the password.