Moving Away from Self-Signed Certificates - Certificate Chain Criteria

Hi folks,

Currently moving away from self-signed certificates and looking into certificates with a certificate chain - however the Security Team needs to know what type of certs are needed for the different types of BigFix servers. Does anyone know what HCL deemed the “correct” way to do this?

Currently needing to create certs and the specific ports used (aside from 52311) for the following server types:

  • Root Server
  • Relays
  • Web
  • Compliance
  • Inventory

Using Windows Server 2012R2 & 2019 running BigFix

Any help, documentation, or general direction would be appreciated!

Given that the Certificate used by the Root server is actually your License, I don’t think you can replace it.

You can definitely use 3rd party Certs with WebUI, Web Reports, Compliance and Inventory. I have not tried Certs on the Relays yet.

It’s been my experience that installing SSL Certificates is fairly well documented. The only caveat I’ve run into with my Cert Authority (InCommon) is that I have to reformat the Certificate files. The blocks in the file are in the wrong order and I have to manually flip them around before BigFix will use them.

Useful links(found by googling “HCL BigFix SSL <component>”) …


Very nice collection of links!

You can in fact also change the root server certificate. The content is signed using your license certificate, but the https transport to the server can use a custom cert and make your network scanners happy.

If I’m not mistaken, I think you can use this same procedure on Relays as well but I haven’t wanted to hurt myself enough to manage Relay certificates yet.

Edit from the far future: no, this procedure does not work on Relays. The Relay service will fail to start when a third-party certificate is loaded.

1 Like

Today I Learned!

Thanks Jason. I guess I’m going to need to look into this for my environment. With +80 Relays in my environment, I’m not sure I want to deal with 3rd party certs either. Sounds like nothing but pain.

Did you ever figure something out? We have over 400 relays.

Nope :slight_smile: There was high-level discussion HCL hosted recently asking if there was any interest in if they were to dig into making this process less painful…and I believe they didn’t get the response they were expecting…so probably on the back burner for the foreseeable future.

Maybe talk with your account manager to see if there’s an RFE you can create and see if you can get that voted on!

I think we can do better than an RFE. @D.Dean please DM me and we can set up a talk at your convenience…