Overview of the Solution

You can use your own CA to generate a new authority certificate that replaces the default self-signed root certificate created by Security Controls. The authority certificate that you generate is then used to issue the console, agent and scheduler certificates for Security Controls.

Major steps in the process

Here are the major steps for using your own CA to issue a new certificate:

  1. Issue a new sub-authority certificate from your CA.
    For details on performing this step, see How to Issue a New Certificate.
    • If your CA is accessible over the network, you can use your local system facilities to create the new certificate. If you are using a Microsoft CA infrastructure, use the Subordinate Certificate Authority certificate template when creating the certificate.
    • If your CA is on a disconnected network, you will use the STMgmt command-line tool to request and then accept the new sub-authority certificate.
  2. Let the new certificate work its way through Security Controls.
    For details on this step, see Let the New Certificate Percolate Through the System.
  3. Commit the new sub-authority certificate.
    For details on performing this step, see Commit the New Sub-Authority Certificate.
  4. Test and verify that new console, scheduler and agent certificates are in place.
    For details on performing this step, see Testing for and Verifying the New Certificate.

Before and after views of your certificate environment

The following diagrams illustrate the state of the Security Controls certificates as originally installed and after using your own CA to issue new certificates.

As originally installed with Security Controls

Here is the relationship of the certificates after initially installing Security Controls. The console, scheduler and agent certificates are all issued by the self-signed root certificate.

After using a trusted CA to issue a new authority certificate

Here is the relationship of the certificates if you choose to issue a replacement certificate using your own CA. In Ivanti parlance, the new certificate that is issued by your CA is known as a sub-authority. A total of four unique certificates will be issued during the entire process. Your CA will issue a sub-authority certificate, and the sub-authority certificate will in turn issue a console certificate, a scheduler certificate and (if you use agents) an agent certificate. Multiple scheduler and agent certificates may exist, one for each scheduler and one for each agent you install.
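The hierarchy described above, and the kind of check that step 4 calls for, can be reproduced with OpenSSL as an added example (not Ivanti's own tooling or procedure). It assumes the `openssl` command-line tool is available; every subject name, file name and key is constructed for the demo, and a throwaway self-signed root stands in for the default Security Controls root.

```shell
#!/bin/sh
# Added example: every subject name, key and file here is constructed for the demo.
set -e
cd "$(mktemp -d)"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_authority]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
EOF
# self_signed NAME CN: a self-signed root (stands in for your CA or the default root)
self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config pki.cnf \
    -extensions v3_authority -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}
# issue NAME CN ISSUER EXT: certificate NAME signed by ISSUER using extension section EXT
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 2 -extfile pki.cnf -extensions "$4" -out "$1.pem" 2>/dev/null
}
# chains_to ROOT CERT: true only if CERT validates up to ROOT through the sub-authority
chains_to() {
  openssl verify -CAfile "$1.pem" -untrusted subauth.pem "$2.pem" >/dev/null 2>&1
}
# issued_by CERT CN: true if the issuer field of CERT names CN
issued_by() { openssl x509 -in "$1.pem" -noout -issuer | grep -q "$2"; }

self_signed default_root "Default Self-Signed Root"   # as originally installed
self_signed your_ca "Example Corp Root CA"            # your own CA
# The sub-authority must itself be a CA certificate (CA:TRUE) to issue the others.
issue subauth "Example Sub-Authority" your_ca v3_authority
for role in console scheduler agent; do
  issue "$role" "Example $role" subauth leaf
  chains_to your_ca "$role" && issued_by "$role" "Example Sub-Authority" \
    && echo "$role: issued by sub-authority, chains to your CA"
  chains_to default_root "$role" || echo "$role: does not chain to the default root"
done
```

The same two checks (issuer is the sub-authority, chain ends at your CA and not at the old self-signed root) apply to the real console, scheduler and agent certificates once they are exported to PEM.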