Signiant Support

Considerations when using a third party web certificate


Background:

For any number of reasons, it may be desirable to install on your manager a third party web server certificate from a provider trusted by modern web browsers. However, in addition to providing SSL encryption and a means of validating the identity of the manager when using the Signiant administration interface, the web server certificate also plays a role in agent installation and certificate renewals.

This article details considerations you must keep in mind when requesting and installing a third party certificate in order for your agent installation and certificate renewals to proceed without issues.

Important Note:
Signiant recommends and supports the use of certificates issued by Comodo (www.comodo.com), whose certificate authorities are trusted by default for modern browsers.  Basic Comodo certificates are available free of charge for Signiant managers.  See the KB article titled "Generating and Importing Comodo certificates using the Signiant supplied script" for details on how to obtain and install a Comodo certificate for your Signiant manager.

While it is possible to use a third party certificate issued by another authority, Signiant is unable to assist in obtaining, installing, renewing or maintaining such a certificate.

Discussion:

When an agent is installed, it makes an HTTPS (secure web) connection to the manager in order to request an agent certificate from the Signiant certificate authority running on your manager.  A similar transaction is done when the agent attempts to renew its certificate.  If the agent cannot complete the SSL authentication, it is unable to obtain its initial or renewed certificate.

Consideration 1:  Manager name and aliases in web server certificate

Often, a Signiant manager will have a host name that is not descriptive of its role, following the company standard for host names (for example, bx5690-c.company.com).  Many times, particularly when the manager is used by customers external to the company, a friendlier name is used to address the host (for example, mediadelivery.company.com).

When requesting a third party certificate in these cases, it is important to include the original name of the manager as an alias name in the request.  Any agent already installed will attempt to renew its certificate using the original name of the manager in its renewal transaction.  If the certificate presented by the web server at renewal time does not include the original name of the manager, the SSL authentication will fail.

Likewise, agent installations are most often configured to use the original name of the manager in order to obtain the agent's initial certificate.

When requesting a third party certificate for your web server, where the certificate will be for a name other than the manager's original name, be sure to include the manager's original name in the certificate request.  It is also best practice to include the common name of the certificate as an alias as well.  In the example above, the certificate request would include:

Common Name:  mediadelivery.company.com
Aliases:  mediadelivery.company.com, bx5690-c.company.com

Consideration 2:  Adding trusted certificate authorities to your agents

Unlike browsers, a Signiant agent will only trust certificates signed by the certificate authority running on your manager or authorities you specifically instruct it to trust.  When the agent requests a new certificate, either during installation or renewal, it does so using an HTTPS (secure web) connection.  If the manager presents a certificate that is not signed by an authority trusted by the agent, this connection will fail and the new certificate will not be retrieved.

After installing your third party certificate, you will need to obtain the certificate authority chain from your provider.  This will be in the form of one or more individual certificates.  This certificate chain needs to be imported to each of your installed agents.

See the KB article titled "Agent certificate renewal fails when using third party web certificate" for instructions on adding trusted certificate authority certs to your agents.

Consideration 3:  Adding the trusted certificates to the default Signiant agent installation

The certificate chain given to you by your certificate provider should be added to the default agent configuration for new installs.  This is handled by the "sigsetup.inf" file found on the manager.

See the KB article titled "Adding trusted CA certificates to your default agent configuration file" for details.

Consideration 4:  Web server certificate expiry and renewals

When the Signiant manager's web server certificate is signed by the certificate authority running on the manager, the manager is able to renew its certificate automatically as needed.  However, when using a third party certificate for the web server, automatic renewal of the web server certificate is impossible.  You must keep close watch on the expiration date of the web server certificate and send a renewal request to your provider such that the new certificate can be put in place before the expiration date of the existing certificate.  If the web server certificate expires, agent certificate requests for new installations or renewals will fail.
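As an added check covering Consideration 1 and Consideration 4 (example code written for this article, not part of Signiant's product or its supplied scripts), the Go program below parses a web server certificate, verifies that every name agents connect with is covered by its alias list, and reports the days left before expiry. The self-signed sample certificate it builds and the host names used are constructed for illustration; on a real manager you would feed the installed third party certificate to the check.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// CheckManagerCert reports which of the names agents connect with (the friendly name and
// the manager's original host name) a PEM certificate does not cover, and whole days to expiry.
func CheckManagerCert(certPEM []byte, agentNames []string, now time.Time) ([]string, int, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, 0, errors.New("input is not a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, 0, err
	}
	var missing []string
	for _, n := range agentNames {
		// Matches the alias (SAN) list like a TLS client; Go ignores the Common Name entirely.
		if cert.VerifyHostname(n) != nil {
			missing = append(missing, n)
		}
	}
	return missing, int(cert.NotAfter.Sub(now).Hours() / 24), nil // days left, negative once expired
}
// NewSelfSignedPEM builds a constructed sample certificate so the check can run offline.
func NewSelfSignedPEM(commonName string, sans []string, notAfter time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		DNSNames:     sans, // the alias list from the certificate request
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

A certificate whose alias list carries only the friendly name is reported as missing the manager's original name, which is exactly the case in which installed agents fail to renew.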