Agent third-party deployment: HTTPS CA Certificate File Format (UNIX)

FlexNet Manager Suite 2021 R1 (On-Premises)

By default, if the FlexNet inventory agent is (or in more detail, its component agents are) configured to use the HTTPS protocol to communicate with an inventory beacon, the certificate(s) for the HTTPS server are checked. This ensures that the agents are communicating with the correct inventory beacon server. Since the server certificate is authorized (signed) by a Certificate Authority, the process may include checking whether that Certificate Authority is trusted (that is, it may be an intermediate Certificate Authority that is itself trusted because it is authorized by a 'higher' Certificate Authority). The checking process continues until it reaches the root Certificate Authority (CA), one which the client device can recognize as trusted. This trust occurs when a CA certificate is 'known' to the client device.

Therefore certificate checking requires that a copy of the certificate for the root CA has been installed on the managed device. When a certificate being validated matches the locally-stored certificate for the root CA, trust is confirmed.
Tip: Since an authorizing Certificate Authority may also revoke a previously-authorized server certificate that has somehow been compromised, by default the certificates are also checked for currency: that is, a check is made that each certificate in the chain (up to but excluding the root CA) has not been revoked. For the preference settings controlling revocation behaviors, see Agent third-party deployment: Enabling the HTTPS Protocol on UNIX Agents.

On Windows devices, the operating system handles all root CA certificates (and there may be many), and on Windows the FlexNet inventory agent uses those operating system services.

For UNIX-like platforms, the FlexNet inventory agent supports two ways of storing root CA certificates:
  • Individual root CA certificates (in the PEM format discussed here) can be saved in the directory identified in the preference SSLCACertificatePath (default value /var/opt/managesoft/etc/ssl/certs — see SSLCACertificatePath). In this case, the files must be named with the CA subject name hash value (such as 9d66eef0), with any duplicates differentiated by numeric file extensions (such as 9d66eef0.0, 9d66eef0.1, and so on).
  • All the root CA certificates that are used by the HTTPS web servers supplying content to the managed device or receiving content from the managed device can be concatenated into a single file. (For many organizations, this will be a single certificate for a single root Certification Authority. It may even be a CA that is internal to the enterprise.) Each root CA certificate is added to the file named and saved as identified in the SSLCACertificateFile preference (default /var/opt/managesoft/etc/ssl/cert.pem), a simple naming convention. If you have multiple root CA certificates, simple shell commands allow the concatenation:
     #!/bin/sh
 rm cert.pem
 for i in ca1.pem ca2.pem ca3.pem ; do
   openssl x509 -in $i -text >> cert.pem
 done
    Tip: Before, between, and after the certificates in the concatenated file (that is, everywhere except between BEGIN and END tags), free text is allowed that can be used, for example, for descriptions of the certificates.
This concatenated certificate file should be saved using the PEM format. Each PEM-format certificate should be base-64 encoded plain text surrounded by a BEGIN CERTIFICATE header and an END CERTIFICATE footer. That is:
-----BEGIN CERTIFICATE----- 
MIIDiTCCAnGgAwIBAgIQWO/IibrLpZ5Hts3u3xH7TzANBgkqhkiG9w0BAQUFADAR 
MQ8wDQYDVQQDEwZ0ZncyazMwHhcNMTAxMTI1MDEyMDM4WhcNMTUxMTI1MDEyODA1 

...... 

wXvMSERKsNsJ6FwwXFGA3HBrRLTHzqzsfUlUAbV+SBm/FSFkuWsy4QWAuJCbnCnv 
c3ClFHXqwaIq9UWvO5FR5kD4gK9LZOUY4B7tLTQmpJScFSiPZrIBa1cQ5uWl 
-----END CERTIFICATE-----

To deploy the resulting certificate during deployment of FlexNet inventory agent to managed devices, see Agent third-party deployment: Installing FlexNet inventory agent on UNIX.

Both storage methods may be used at once. The FlexNet inventory agent first checks the single concatenated file (where available), and then checks the folder of individual certificates. The checking stops at the first certificate that the managed device recognizes (that is, the first that matches the public certificate for the certificate authority that has been stored locally on the managed device).

FlexNet Manager Suite (On-Premises)

2021 R1