The certificate is issued by the BESRootServer and chained up to the BigFix Root Certificate Authority. This CA is generally not trusted publicly, it’s only intended to be accessed by BigFix clients. The root of the trust is established via the masthead file.
The Relay and Client certificates have often been an issue for network vulnerability scanners. We do now provide a way to export our CA Root Certificate so you can import it in your scanners as a trusted root authority, and avoid the untrusted/self-signed messages from your scanner.
On the BES Root Server, the BESAdmin Tool can now export the CA certificates. See the announcement at BigFix 11.0 Patch 3 is now available!
Added BESAdmin command to return the BigFix certificate bundle!
With the getcertificatebundle BESAdmin command, you can export the complete BigFix certificate bundle. In the bundle, there are all the certificates for all authorized chains in the masthead. This allows the user to provide the full certificate chain to tools or entities that request it for validation. For details, see BESAdmin Windows Command Line and BESAdmin Linux Command Line .