×
×
×
×

Secure OS Deployer Communication with Third-Party SSL Certificates

Last Updated On 02 Dec 2025 |
12 minutes read |

Every enterprise has the necessity to encrypt the data which traverses the internet. Enterprises have gone a step ahead over just using secured methods of communication to transmit corporate data, by acquiring specific third party certificates like SSL. These third party certificates ensure that the corporate data is encrypted in such a way, that only the recipient who owns the certificate can decrypt it. OS Deployer Server supports using SSL certificates that come in different file types such as PFX, CER, CRT. Adding these certificates will secure the communication between the OS Deployer server, managed computers and mobile devices.

Note
This certificate is valid for a specified term. If the certificate expires, then the communication between the agent and the server will no longer be secure. You will not be able to manage any mobile devices, till you renew the certificates and upload it in the OS Deployer server.
Note
The ongoing communication between the agents and the server won't be interfered with when you upload a third-party SSL certificate. Trusted third-party certificate providers have preinstalled root certificates on operating systems. These root certificates will be used by the agent machine to establish secure connection with the server once you import the third-party certificate. As a result, the existing communication will continue uninterrupted and be secured further using the third-party certificate.

1. Create CSR and Key Files

For OS Deployer version 11.1.2242.01 and above, 

  1. It is recommended to take a backup of your existing server.key and server.csr files before initiating this process. These files will be overwritten during this process.
    • Navigate to <Server_Installed_Directory>/nginx/conf for server.key file.
    • Navigate to <Server_Installed_Directory>/bin for server.csr file (if any generated before).
  2. Navigate to <Server_Installed_Directory>/bin in Command Prompt with admin privileges and execute the following command:
    generateCSR.bat
    generateCSR.bat
  3. generateCSR.bat executes two operations:
    • Creating the .csr and .key files
    • Decrypting .key files
  4. Enter 1 to proceed with .csr and .key file generation.
  5. Enter the country code by referring to this document. [Note: Re-run the batch file if you entered the wrong country code]
  6. Enter the necessary details for generating the .csr file: State, locality, organization, organizational unit, common name, subject alternative names (separated by commas).
  7. You have successfully generated the server.csr and server.key files under <Server_Installed_Directory>/bin.

For OS Deployer version below 11.1.2242.01

  1. Navigate to the server installation directory and access \apache\bin, create a file named opensslsan.conf, and copy the following code into the file:
opensslsan.conf template
[ req ]
prompt=no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName =
stateOrProvinceName =
localityName =
organizationName =
commonName =

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 =
DNS.2 =
DNS.3 =
  1. In the above code, enter the two-letter Country Code next to countryName. Check the two-letter country code of your country here.
  2. Enter the full name of your state or province next to stateOrProvinceName.
  3. Enter the name of your locality next to localityName.
  4. Specify the name of your organization next to organizationName.
  5. Enter the name of your website or domain beside commonName. The FQDN of the web server (the host name) that is going to receive the certificate is the Common Name. Do not include:
    -> protocol (http:// or https://)
    -> port numbers or pathnames
  6. Enter the Subject Alternative Name (SAN) of your website next to DNS.1, DNS.2, etc. You can have many SANs for a single certificate. You can add more SANs by adding DNS.4, DNS.5, and so on.
  7. Save the file, open Command Prompt, and navigate to the server installation directory and access \apache\bin.
  8. Execute the following command:
    OpenSSL CSR command
    openssl.exe req -out server.csr -newkey rsa:2048 -nodes -keyout private.key -config opensslsan.conf
  9. Files named server.csr and private.key are created under <Server_Installed_Directory>/bin and \apache\bin.
  10. To verify the details, use:
    OpenSSL verify command
    openssl.exe req -in server.csr -noout -text -config ..\conf\openssl.cnf

Example for completed config:

Completed opensslsan.conf example
[ req ]
prompt=no
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = TN
localityName = Chennai
organizationName = Zylker
commonName = www.zylker.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.zylker-tech.com
DNS.2 = zylker-it.com
DNS.3 = zylkerteam.com

Note: Do not delete the private.key file under any circumstances.

2. Submit the CSR to a Certificate Authority (CA) to Obtain a CA Signed Certificate

  1. Submit the created server.csr to a Certificate Authority (CA). Check their documentation/website for details on submitting CSRs; this will involve a cost to be paid to the CA.
  2. This process usually takes a few days. You will be returned your signed SSL certificate and the CA's chain/intermediate certificate as .cer files.
  3. Save these files and rename your signed SSL certificate file to server.crt.

Note:

  • The validity of the certificate should be less than 397 days.
  • Only RSA keys are supported in the OS Deployer.

3. Upload the 3rd Party Certificates to OS Deployer

  1. Click the Admin tab on the product console.
  2. Under Security Settings, click Manage SSL Certificates.
  3. Browse to upload the certificate that you have received from the vendor (CA).
    • The certificate will be in .crt format for SSL or in .pfx format for PFX certificates.
    • If you upload a .crt file:
      • You will be prompted to upload the server.key (private key) file.
      • After uploading the private.key, you will be prompted to upload the intermediate certificate.
      • If you choose Automatic, the intermediate certificate will be detected automatically (only one certificate will be detected).
      • If you want to use your own intermediate certificate or upload more than one intermediate certificate, choose Manual and upload them manually.
    • If you upload a .pfx file:
      • You will be prompted to enter the password provided by the vendor.
  4. Click Save to import the certificate.
Note
You need to restart the OS Deployer server service after importing the certificate for the web server to load the newly imported certificate.

You have successfully imported the third party certificates to the OS Deployer server. These certificates will be used only when HTTPS mode is enabled for communication. Click the Admin tab and choose Server Settings, then enable HTTPS mode under General Settings. You can now see that the communication between the server and the agents is secure.

Note
Ensure that the .pfx file or .cert file matches the NAT address specified in the OS Deployer server. If OS Deployer and ServiceDesk Plus server are installed on the same computer, then the same .pfx file will work. If ServiceDesk Plus server is later moved to a different computer, then the .pfx needs to be modified to specify the appropriate host name.
Was this document helpful?
Yes
No