Our customers have asked us for some time to provide a way to supply a way to use a trusted certificate generated by a CA (Certificate Authority), this is primarily to provide help in activities such as PCI Compliance scans. This will also avoid situations where the browser indicates that the website is not trusted when attempting to browse the Management Gateway / Cloud Services Appliance’s web page.
While there are significant benefits to supplying this patch there are a number of serious possible pitfalls, this patch also requires significant work before the signed certificate can be deployed. Any deviation will leave Agents unable to communicate with the core server.
***IMPORTANT***(THIS NEEDS TO BE DONE BEFORE THE PATCH IS APPLIED)
EE_Cert requires that before the signed certificate is deployed to the Management Gateway / Cloud Services Appliance that all agents have Service Pack 3 for LANDesk Management Suite applied. Additionally, deploying SP3 via the use of the supplied custom definition or vulnerability is not sufficient. This is because we require RAInstall.exe to be run, this reinstalls the LANDesk Management Agent completely and lays down a compatible ProxyHost.exe.
If a signed certificate is deployed on the Management Gateway / Cloud Services Appliance any device that is currently using the Management Gateway / Cloud Services Appliance for communication with the Core Server or Remote Control (this should not effect On-Demand Remote Control) will cease communication.
For this reason proper upgrade planning must be done before placing the new certificate on the Management Gateway / Cloud Services Appliance.
Additional Notes for EV certificates or Organizations that use Credit Cards : The link below provides more details. If credit cards are processed within an organization then an Extended Validation (EV) certificate may be required by the CA.
Steps for applying patch, generating CSR and uploading signed certificate to the Management Gateway / Cloud Services Appliance.
How to update the Management Gateway / Cloud Services Appliance.
1- Prior to applying the EE_Cert patch you must apply GSBWEB_67 the Management Gateway / Cloud Services Appliance, EE_Cert relies upon this patch to make necessary UI changes.
2- Service Pack 3 for LANDesk Management Suite must be applied to the Core Server.
3- Service Pack 3 for LANDesk Management Suite must be applied to all LANDesk Agents. The method this must be deployed is via a full Agent push or by installing a newly built self-contained agent executable.
4- Open the Management Gateway / Cloud Services Appliance management interface by going to https://GATEWAY_NAME/gsb, where GATEWAY_NAME is the proper hostname for your Management Gateway / Cloud Services Appliance.
5- Login using an account that has admin privileges.
6- Click on “System”.
7- Click on the “Updates” tab.
8- Click “Scan for Updates”.
9- Apply GSBWEB_67 if it is available.
10- Apply EE_Cert.
How to create CSR to supply to CA (Certificate Authority).
- Click on “Manage LDMG certificates”.
- This is a new UI tool that was created to support the new functionality. It has a different function than “Manage Core Certificates”, which displays the certificate shared by the Core Server.
- Click “Create CSR”.
- Fill out fields of the supplied form.
- Your CA (Certificate Authority) will provide parameters for proper CSR generation and they will be specific to the requirements made by your CA.
- Click “Create”.
- Save the CSR file.
- Send the CSR file to the CA of your choice.
- When you receive the signed certificate you will need to log back in and browse to the “Manage LDMG certificates” tool.
- Remove all the certificates currently in the tab. (Note: This isn't deleting them. It's an action that's necessary to make the new certificate that's added in the instructions below the primary certificate on the Gateway)
- Click “Add LDMG certificate”.
- Paste the contents of the new certificate in to the provided field.
- Click “Save”.
- Reboot the appliance.