BigFix - Add SSL Certificates to your Web Interfaces
If you're managing BigFix WebUI, Web Reports, Inventory, Compliance, or Remote Control, you've probably encountered that frustrating "Your connection is not private" warning. This happens because the web interfaces use self-signed certificates by default.
To fix this and secure your environment, you need to install a trusted SSL certificate from your internal CA or a public certificate authority.
Steps to Secure Your BigFix Web Interfaces:
If you're struggling with SSL setup or need guidance, let’s connect! Have you implemented SSL in your BigFix environment yet? Share your thoughts in the comments!
Installing a Certificate Authority on Windows
On the server where you want to install the CA, go to Server Manager and select Manage – Add Roles and Features
Select Next
Select Role-based and select Next
Select your Server and Hit Next
Select Active Directory Certificate Services
Select Add Features
Select Next
Allow the CA to install and once complete hit the Configure button
Add the service Account for the Certificate Authority
Select Certificate Authority and Select Next
Select Enterprise CA
Select Root CA
Select Create a New Private Key
Select the Cryptography you want to use
Give the CA Name and select Next
Select the Validity Period
Select Next
Hit Configure
Once the Configuration is Done Select Close
Create a Certificate Template
In the Start Menu there will be an icon for Certification Authority
Right Click on Certificate Template and Select Manage
Right Click on the Web Server Template and Select Duplicate Template
Give the Template a Name and Validity Period
Select the Request Handling Tab and Check Allow the Private Key to be Exported and select OK
To Create a Certificate for WebUI
Open MMC
Select Add/Remove Snap-In
Select Certificates and Add
Select Computer Account and Select Next
Select Finish
Select OK
Select All Task – Request New Certificate
Select Next
Select Next
Select More Information
Add the CN for the fully qualified name of the server
Add as Alternative Names any name the server would be resolved by and any IP address
Select the BigFix Web Servers and Select Enroll
Select Finish
Select the certificate that was just generated, right click and select All Tasks – Export
Select Next
Select Yes Export the Private Key
Select PKCS and select Next
Set the Password to the Cert and select Next
Save the Cert to a path and hit Next
Select Finish to Save the Cert
Download and install OpenSSL from https://slproweb.com/products/Win32OpenSSL.html to convert the certs to PEM files
Open the OpenSSL command prompt
Run the command to Extract the Private Key (Without Password)
openssl pkcs12 -in bigfixserver.pfx -nocerts -nodes -out bigfixserver.pem
Run the Command to Extract the Certificate
openssl pkcs12 -in bigfixserver.pfx -clcerts -nokeys -out bigfixservercert.pem
Run the command to Extract CA Certificates
openssl pkcs12 -in bigfixserver.pfx -cacerts -nokeys -out ca.pem
Open the ca.pem file in Notepad and copy the contents of the file
Open the cert file bigfixservercert.pem and paste the contents of the ca.pem to the end of the file
Rename the Private Key File from bigfixserver.pem to ssl.pvk
Rename the Cert from bigfixservercert.pem to ssl.crt
Move the files to your WebUI server directory
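The Notepad copy-and-paste and rename steps above are easy to get wrong (CA pasted first, the wrong key renamed), so the following added example, which is not part of the original article, checks the finished files with the same openssl tool before BigFix is pointed at them. It is written for a POSIX shell (Git Bash, WSL or a Linux admin host), works equally for the Web Reports and Compliance files further down, and the host name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the article): check a certificate file and private
# key produced by the steps above before configuring BigFix to use them.
# Usage (host name is a placeholder):
#   check_tls_pair ssl.crt ssl.pvk ca.pem bigfix.example.com

fail() { echo "FAIL: $*" >&2; return 1; }

# check_tls_pair CERT_FILE KEY_FILE CA_FILE HOSTNAME -> 0 if all checks pass
check_tls_pair() {
    crt=$1; key=$2; ca=$3; host=$4

    # 1. The cert file must hold the server cert plus the pasted CA cert(s).
    n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$crt" 2>/dev/null) || n=0
    [ "$n" -ge 2 ] ||
        { fail "$crt holds $n certificate(s), expected server + CA"; return 1; }

    # 2. The key must load with no passphrase (the article extracts it with
    #    -nodes) and must match the FIRST certificate in the file.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { fail "cannot read $key as an unencrypted private key"; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { fail "cannot parse the first certificate in $crt"; return 1; }
    [ "$key_pub" = "$crt_pub" ] ||
        { fail "$key does not match the first certificate in $crt"; return 1; }

    # 3. The server certificate must chain to the CA extracted from the PFX.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { fail "$crt does not verify against $ca"; return 1; }

    # 4. The name typed into the browser must be covered by the certificate.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate' ||
        { fail "$crt is not valid for host name $host"; return 1; }

    echo "OK: $crt and $key are consistent and valid for $host"
}
```

An empty ca.pem (the PFX was exported without the certification path) shows up as a failure of check 3.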
Open your BigFix Console as a Master Operator, right click on your BigFix WebUI Server and select Edit Computer Settings
Select Add to Add the following client settings
Add the client setting _WebUIAppEnvWEB_CERT_FILE with the value pointing to the location of the ssl.crt file on your BigFix WebUI Server and Select OK
C:\Program Files (x86)\BigFix Enterprise\BES WebUI\ssl.crt
Add the client setting _WebUIAppEnvWEB_KEY_FILE with the value pointing to the location of the ssl.pvk file on your BigFix WebUI Server and Select OK
C:\Program Files (x86)\BigFix Enterprise\BES WebUI\ssl.pvk
Select OK and allow for the client settings to be added to your Webui Server
Once the Settings have been Applied Restart your Webui service on your Webui Server
Create and Install an SSL Certificate for Web Reports
If your Web Reports are on a separate host, repeat the steps to create a new certificate from your CA for your Web Reports server.
Extract the Private Key (Without Password)
openssl pkcs12 -in webreports.pfx -nocerts -nodes -out webreportsprivatekey.pem
Extract the Certificate
openssl pkcs12 -in webreports.pfx -clcerts -nokeys -out webreportscert.pem
Extract the CA
openssl pkcs12 -in webreports.pfx -cacerts -nokeys -out ca.pem
Open the ca.pem file in Notepad and copy the contents of the file
Open webreportscert.pem and paste the contents of the ca.pem at the end of the file
Save the Changes to the webreportscert.pem
Copy the Cert File and Private Key file to C:\Program Files (x86)\BigFix Enterprise\BES Server\BESReportsData
In your BigFix Console Logon as a Master Operator and Right Click on your BigFix Web Reports Server and Select Edit Computer Settings
Verify the Setting WebReportsHTTPServer_UseSSLFlag is set to 1 and if it is not set change the value to 1
Edit the Client Setting WebReportsHTTPServer_SSLCertificateFilePath to the location of the new cert C:\Program Files (x86)\BigFix Enterprise\BES Server\BESReportsData\webreportscert.pem
Next we want to add WebReportsHTTPServer_SSLPrivateKeyFilePath
Add the Setting WebReportsHTTPServer_SSLPrivateKeyFilePath with the value pointing to location of your Private Key
C:\Program Files (x86)\BigFix Enterprise\BES Server\BESReportsData\webreportsprivatekey.pem
Select the OK button to add the client settings
Once the action is complete restart the web reports server service
Setup and Configure SSL Cert for BigFix Inventory
If necessary, Repeat the steps to create a new Certificate from your CA for your Inventory Server
In BigFix Inventory go to Management – Server Settings
Select the Replace button
Select the Cert File and enter the password and save the changes
Restart the Inventory Service
Set Up Your Compliance Server with an SSL Certificate
If necessary, repeat the steps to create a new certificate from your CA for your Compliance Server
Extract the Private Key (Without Password)
openssl pkcs12 -in compliance.pfx -nocerts -nodes -out complianceprivatekey.pem
Extract the Certificate
openssl pkcs12 -in compliance.pfx -clcerts -nokeys -out compliancecert.pem
Extract the CA
openssl pkcs12 -in compliance.pfx -cacerts -nokeys -out ca.pem
Open the ca.pem file in Notepad and copy the contents of the file
Open compliancecert.pem and paste the contents of the ca.pem at the end of the file
Open the Compliance Server Web Interface
Select the Gears Icon – Server Settings
Select replace
Select compliancecert.pem for the Certificate
Select complianceprivatekey.pem for the Private Key
Save the Changes
Confirm the Changes
Restart the Compliance Service
IT Systems Engineer at True Anomaly (aka Jira Jesus)
2 weeks ago
Couldn't find these steps on the support site thanks!!
Governance, Risk & Compliance Specialist | Expertise in PCI DSS & ISO 27001 | Driving Risk Mitigation Strategies | Cybersecurity | NIST | Software Engineer
2 weeks ago
Insightful