# Securing Communication using 3rd Party Certificates

Every enterprise needs to encrypt the data that traverses the internet. Enterprises have gone a step beyond merely using secure methods of communication to transmit corporate data, by acquiring specific third-party certificates such as SSL certificates. These third-party certificates ensure that the corporate data is encrypted in such a way that only the recipient who owns the certificate can decrypt it.

Endpoint Central Server supports SSL certificates that come in different file types such as PFX, CER and CRT. Adding these certificates secures the communication between the Endpoint Central server, managed computers and mobile devices.

> This certificate is valid for a specified term. If the certificate expires, the communication between the agent and the server will no longer be secure. **You will not be able to manage any mobile devices until you renew the certificates and upload them to the Endpoint Central server.**

**Note**: The ongoing communication between the agents and the server won't be interfered with when you upload a third-party SSL certificate. Trusted third-party certificate providers have preinstalled root certificates on operating systems. These root certificates will be used by the agent machine to establish a secure connection with the server once you import the third-party certificate. As a result, the existing communication will continue uninterrupted and be secured further using the third-party certificate.

Follow the steps mentioned below to create/renew and upload 3rd Party Certificates:

1. [Create CSR and Key Files](#1-create-csr-and-key-files)
2. [Submit the CSR to a Certificate Authority (CA) to Obtain a CA Signed Certificate](#2-submit-the-csr-to-a-certificate-authority-ca-to-obtain-a-ca-signed-certificate)
3. [Upload the 3rd party Certificates to Central Server](#3-upload-the-3rd-party-certificates-to-central-server)

## 1. Create CSR and Key Files

For Endpoint Central Server version **11.1.2242.01** and above:

1. It is recommended to take a backup of your existing `server.key` and `server.csr` files before initiating this process, as these files will be overwritten.
   - Navigate to `/nginx/conf` for the `server.key` file.
   - Navigate to `/bin` for the `server.csr` file (if one was generated before).
2. Navigate to `/bin` in a command prompt with admin privileges and execute the `generateCSR.bat` file.
3. `generateCSR.bat` performs two operations:
   - Creating the `.csr` and `.key` files
   - Decrypting `.key` files
4. Enter `1` to proceed with `.csr` and `.key` file generation.
5. Enter the country code by referring to this document: https://www.digicert.com/kb/ssl-certificate-country-codes.htm (Re-run the batch file if you entered the wrong country code.)
6. Enter the necessary details for generating the `.csr` file: State, locality, organization, organizational unit, common name, and subject alternative names (separated by commas).
7. You have successfully generated the `server.csr` and `server.key` files under `/bin`.

For Endpoint Central Server version **below 11.1.2242.01**:

1. Navigate to the server installation directory and access `\bin`.
2. Run the command `generateCSR.bat` using an administrator command prompt.
3. In the displayed prompts, enter the two-letter Country Code next to **countryName**. Check the two-letter country code of your country here: https://www.digicert.com/kb/ssl-certificate-country-codes.htm
4. Next to **localityName**, enter the name of your locality. Specify the name of your organization next to **organizationName**.
5. Enter the name of your website or domain beside **commonName**. The FQDN of the web server (the host name) that is going to receive the certificate is the **Common Name**. Do not include:
   - protocol (`http://` or `https://`)
   - port numbers or pathnames
6. Enter the Subject Alternative Name (SAN) of your website.
   Press Enter, leaving the line blank, to end the command execution. Example:

   ```
   *.domain.com
   manageengine.com
   ems.com
   desktopcentral.com
   ```

7. Files named `server.csr` and `private.key` are created and placed under `server installation directory\bin`.
8. Navigate to the server installation directory and access `\apache\bin`. Create a file named `opensslsan.conf`, and copy the following code into the file:

   ```
   [ req ]
   prompt=no
   default_bits = 2048
   distinguished_name = req_distinguished_name
   req_extensions = req_ext

   [ req_distinguished_name ]
   countryName =
   stateOrProvinceName =
   localityName =
   organizationName =
   commonName =

   [ req_ext ]
   subjectAltName = @alt_names

   [alt_names]
   DNS.1 =
   DNS.2 =
   DNS.3 =
   ```

9. Enter the two-letter Country Code next to **countryName**. Country codes: https://www.digicert.com/kb/ssl-certificate-country-codes.htm
10. Enter the full name of your state or province next to **stateOrProvinceName**.
11. Enter the name of your locality next to **localityName** and your organization next to **organizationName**.
12. Enter the FQDN beside **commonName** (do not include the protocol, port numbers, or pathnames).
13. Enter the **Subject Alternative Name (SAN)** entries next to **DNS.1**, **DNS.2**, etc. You can add more SAN entries as **DNS.4**, **DNS.5**, and so on. Example:

    ```
    [ req ]
    prompt=no
    default_bits = 2048
    distinguished_name = req_distinguished_name
    req_extensions = req_ext

    [ req_distinguished_name ]
    countryName = IN
    stateOrProvinceName = TN
    localityName = Chennai
    organizationName = Zylker
    commonName = www.zylker.com

    [ req_ext ]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = *.zylker-tech.com
    DNS.2 = zylker-it.com
    DNS.3 = zylkerteam.com
    ```

14. Save the file. In a command prompt, navigate to `server installation directory\apache\bin`.
15. Execute:

    ```
    openssl.exe req -out server.csr -newkey rsa:2048 -nodes -keyout private.key -config opensslsan.conf
    ```

16. Files named `server.csr` and `private.key` are created under the `/bin` and `\apache\bin` directories.
17. To verify the details, use:

    ```
    openssl.exe req -in server.csr -noout -text -config ..\conf\openssl.cnf
    ```

**Note:** Do not delete the `private.key` file under any circumstances.

## 2. Submit the CSR to a Certificate Authority (CA) to Obtain a CA Signed Certificate

1. Submit the created `server.csr` to a CA. Check their documentation or website for details on submitting CSRs. This process involves a cost.
2. The process usually takes a few days. You will receive your signed SSL certificate and the CA's chain/intermediate certificate as `.cer` files.
3. Save these files and rename your signed SSL certificate file to `server.crt`.

**Note:**

- The validity of the certificate should be less than 397 days.
- Only RSA keys are supported in Endpoint Central server.

## 3. Upload the 3rd party Certificates to Central Server

1. Click the **Admin** tab on the product console.
2. Under **Security Settings**, click **Manage SSL Certificates**.
3. Browse to upload the certificate received from the vendor (CA).
   - The certificate will be in `.crt` format for SSL certificates.
   - The certificate will be in `.pfx` format for PFX certificates.
   1. If you upload a `.crt` file, you will be prompted to upload the private key file (`server.key`, or `private.key` when generated with `opensslsan.conf` above). After uploading the key, you will be prompted to upload the intermediate certificate.
      - If you choose **Automatic**, the intermediate certificate will be detected automatically. Only one certificate will be detected automatically.
      - To use your own intermediate certificate or to upload more than one intermediate certificate, choose **Manual** and upload them manually.
   2. If you upload a `.pfx` file, you will be prompted to enter the password provided by the vendor.
4. Click **Save** to import the certificate.

**Note:** You need to restart the Endpoint Central server service after importing the certificate for the web server to load the newly imported certificate.

You have successfully imported the third-party certificates to the Endpoint Central server.
These certificates will be used only when **HTTPS** mode is enabled for communication. Click the **Admin** tab and choose **Server Settings** to enable **HTTPS** mode under **General Settings**. The communication between the server and the agents is now secure.

> Ensure that the `.pfx` file or `.cert` file matches the NAT address specified in the Endpoint Central server. If the Endpoint Central Server and the ServiceDesk Plus server are installed on the same computer, the same `.pfx` file will work. If the ServiceDesk Plus server is moved to a different computer, the `.pfx` file needs to be modified to specify the appropriate host name.
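As an added example (not part of the product or its `generateCSR.bat` tooling), the script below automates the checks the notes above ask for before an upload: feed it the text dump from step 17 (`openssl.exe req -in server.csr -noout -text`) or the issued certificate's dump (`openssl x509 -in server.crt -noout -text`), and it reports whether the key is RSA, whether the validity is under 397 days, and whether the Common Name or a SAN entry covers the NAT address configured in the server. The embedded dump, the `zylker` host names and the file name `check_cert.py` are constructed for illustration.

```python
import re
import sys
from datetime import datetime

# Constructed sample of `openssl x509 -in server.crt -noout -text` output,
# trimmed to the fields the checks read (not a real certificate).
SAMPLE_CERT_TEXT = """\
        Validity
            Not Before: Mar  1 00:00:00 2024 GMT
            Not After : Mar  1 00:00:00 2025 GMT
        Subject: C = IN, ST = TN, L = Chennai, O = Zylker, CN = www.zylker.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:*.zylker-tech.com, DNS:zylker-it.com, DNS:zylkerteam.com
"""

def hostname_matches(host, name):
    """Exact match, or a leftmost-label wildcard (*.x.com covers a.x.com, not x.com)."""
    host, name = host.lower(), name.lower()
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return host == name

def check_openssl_text(text, nat_host):
    """Pre-upload checks over `openssl req|x509 -noout -text` output -> {check: passed}."""
    names = re.findall(r"DNS:([^,\s]+)", text)  # SAN entries
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)  # the Subject line, not Issuer
    cn = re.search(r"CN\s*=\s*([^,]+)", subject.group(1)) if subject else None
    if cn:
        names.append(cn.group(1).strip())
    algo = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    results = {
        "rsa_key": bool(algo) and algo.group(1) == "rsaEncryption",  # RSA keys only
        "covers_nat_host": any(hostname_matches(nat_host, n) for n in names),
    }
    dates = re.findall(r"Not (?:Before|After)\s*:\s*(.+)", text)
    if len(dates) == 2:  # a CSR has no Validity block, so this check is skipped for it
        parse = lambda s: datetime.strptime(s.strip().rsplit(" ", 1)[0], "%b %d %H:%M:%S %Y")
        results["validity_ok"] = (parse(dates[1]) - parse(dates[0])).days < 397  # section 2 note
    return results

if __name__ == "__main__":
    # usage: openssl x509 -in server.crt -noout -text | python check_cert.py <nat-host>
    nat = sys.argv[1] if len(sys.argv) > 1 else "ems.zylker-tech.com"
    text = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE_CERT_TEXT
    print(check_openssl_text(text, nat))
```

Note that a wildcard SAN such as `*.zylker-tech.com` does not cover the apex name `zylker-tech.com`, so a NAT address set to the apex would fail the `covers_nat_host` check even though the certificate looks right at a glance.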