Creating and installing a self-signed SSL certificate


You can use BMC Defender Server to create and install a self-signed Secure Sockets Layer (SSL) certificate to use for Transport Layer Security (TLS) connections. The product also creates a certificate signing request (CSR) file that you can provide to a certificate authority (CA). If you have a network listener that uses the TCP-TLS protocol, you must configure a path to a valid SSL certificate when you set up a TLS connection. (The SSL certificate configuration is optional for a network forwarder unless the server side of the connection requires a client SSL certificate.) You can use a self-signed certificate generated by the product, or a certificate from another source.


You can create server certificates and client certificates by using BMC Defender Server. Server certificates are generated in the installationDirectory\system\certs\server directory and client certificates are generated in the installationDirectory\system\certs\client directory. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.

SPE2304

To create and install a self-signed SSL certificate

  1. Navigate to the System > Network > SSL Certs tab.
    If you have not previously created a certificate with the utility, only the Add New Server Certificate and Add New Client Certificate buttons are displayed.
    [Figure: SSL Certs tab (SSLcertsTab_SPE2304.png)]
    If a certificate already exists in the system, a table with the following columns is displayed:
    • Certificate: Common Name of the certificate
    • Status: Status of the certificate as received from the OpenSSL API call
    • Pending Certificate: Displays the status of the pending certificate and the Commit Or Discard button
    • View/Download: Displays the View/Download button
    • Delete: Displays the Delete button

  2. To create a self-signed certificate, click:
    • Add New Server Certificate button—for a server certificate
    • Add New Client Certificate button—for a client certificate
  3. Modify the following fields:
    • Common Name: Name of the server to be protected by the certificate.
      The Common Name (CN) must exactly match the host name or IP address that the service runs on. The TLS connection does not work correctly if the host name of the server does not match the certificate CN field.
      The default value is the system's attempt to determine the system host name.
    • Full Domain: Fully qualified domain name (FQDN) of the server to be protected by the certificate.
      The default value is the system's attempt to determine the FQDN.
      The FQDN and CN provide subject alternative name (SAN) DNS entries to the SSL certificate in the following format:
      subjectAltName = DNS:hostName, DNS:*.hostName, DNS:hostName.domain.com, DNS:*.hostName.domain.com
      The last two DNS entries, which include domain values, are not used if the Full Name field is empty.
    • Use Wildcard '*' in SAN Entries: Select Yes to use a wildcard with SAN entries to secure multiple domains and subdomains. Default value is No.
    • Your Organization: Exact legal name of your organization. Do not abbreviate your organization name.
    • Your Department: Name of your department.
    • Your City or Locality: Name of your city or locality.
    • Your State or Province: Name of your state or province.
    • Your Country Code: Two-letter code that specifies your country. Default value is US.
    • E-Mail Contact: Email address.
    • Expiration Days: Number of days of validity of the certificate. Default value is 3650.

  4. Click Next.
    BMC Defender Server generates the following files in the installationDirectory\system\certs\server (for server certificates) or installationDirectory\system\certs\client (for client certificates) directory:
    • commonName.csr: Certificate signing request
      Provide this file to an external trusted CA to be signed
    • commonName.key.pem: Certificate private key that is used in certificate generation
    • commonName.pem: Self-signed certificate that can be used for TLS connections
    To cancel the operation, click Cancel.

  5. To exit the setup wizard, click Finish.

To obtain a CSR file

You can view the CSR file of a self-signed certificate in the installationDirectory\system\certs\server (for server certificates) or installationDirectory\system\certs\client (for client certificates) directory. To download a CSR file, perform the following steps:

  1. On the System > Network > SSL Certs tab, click the View/Download button of the certificate that you want to download.
  2. On the subsequent tab, click the CSR file hyperlink.
    BMC Defender Server generates the CSR file in the Downloads directory of your computer.

To delete a certificate

  1. On the System > Network > SSL Certs tab, click the Delete button of the certificate that you want to delete.
  2. On the subsequent tab, click the Delete button again.

The product deletes the certificate and all its associated files from the certificate directory.

To commit or discard a pending certificate

If you create a new SSL certificate that has the same Common Name as an existing certificate in the certificate directory, the product compares the private key of the new certificate with the private key of the existing certificate in the directory. If the private keys are the same, the product displays the Commit Or Discard button in the Pending Certificate column.

  1. On the System > Network > SSL Certs tab, find the certificate that you want to commit or discard and click the Commit Or Discard button.
  2. From the Process Pending Data list, select either of the following options:
    • Commit Pending Certificate Data—commits the pending certificate
    • Discard Pending Certificate Data—discards the pending certificate
  3. Click Next.
  4. To exit the setup wizard, click Finish.


Before SPE2304

To create and install a self-signed SSL certificate

  1. Navigate to the System > Network > SSL Cert page.
  2. Select Generate Self-Signed Certificate and click Next.
    If you have not previously created a certificate with the utility, this is the only option available.
    If a certificate already exists in the system, a message indicates that your newly created certificates will be pending until you commit or discard them.
  3. Enter the following certificate information:
    • Common Name: Name of the server to be protected by the certificate.
      The Common Name (CN) must exactly match the host name or IP address that the service runs on. The TLS connection does not work correctly if the host name of the server does not match the certificate CN field.
      The default value is the system's attempt to determine the system host name.
    • Full Name: Fully qualified domain name (FQDN) of the server to be protected by the certificate.
      The default value is the system's attempt to determine the FQDN.
      The FQDN and CN provide subject alternative name (SAN) DNS entries to the SSL certificate in the following format:
      subjectAltName = DNS:hostName, DNS:*.hostName, DNS:hostName.domain.com, DNS:*.hostName.domain.com
      The last two DNS entries, which include domain values, are not used if the Full Name field is empty.
      You can use a wildcard with SAN entries to secure multiple domains and subdomains.
    • Certificate identification information: Certificate owner information. Complete the following identifying information about the certificate owner:
      • Your Organization—Use the exact legal name of your organization. Do not abbreviate your organization name.
      • Your Department
      • Your City or Locality
      • Your State or Province
      • Your Country Code—Default value is US.
      • E-Mail Contact
      • Expiration Days—Default value is 3650.
  4. Click Next.

The following files are generated in the installationDirectory\system\certs directory and the certificate is installed:

  • BMCDefender.pfx—Personal information exchange file
    This file represents the certificate and key together in a format commonly used in Windows. You can install this complete certificate on Chrome and Firefox browsers. 
  • TLS.restart—Temporary system file used to indicate the certificate information has been created or updated
  • BMCDefender.key.pem—Certificate private key that is used in certificate generation
  • BMCDefender.pem—Self-signed certificate that can be used for TLS connections
  • openssl.exe—OpenSSL application
    OpenSSL is a third-party product used extensively for TLS communications
  • openssl.cnf—OpenSSL configuration options
  • BMCDefender.csr—Certificate signing request
    Provide this file to an external trusted CA to be signed

To obtain a CSR file

You can obtain a CSR file to send to your CA to produce a public certificate.

You must have previously created a certificate with the utility.

  1. Navigate to the System > Network > SSL Cert page.
  2. Select Get CSR (Certificate Signing Request) and click Next.
    The following page is displayed:
    [Figure: Get CSR page (cert_getCSR.png)]
  3. Copy all the content from the box and paste it into a text file. Include the following content:
    -----BEGIN CERTIFICATE REQUEST-----

    and

    -----END CERTIFICATE REQUEST-----
  4. Save the file with a .txt extension.

To verify the SSL certificate and private key

You can verify the current SSL certificate stored in the installationDirectory\system\certs directory against the current certificate private key.

You must have previously created a certificate with the utility.

  1. Navigate to the System > Network > SSL Cert page.
  2. Select Check Current Certificate and click Next.

If the private key agrees with the certificate, you receive confirmation.
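The checks this page relies on, reproduced with the OpenSSL command line as an added example (this is not BMC's code and does not run inside BMC Defender Server): the script builds the subjectAltName layout described under Common Name and Full Domain (Full Name before SPE2304) in step 3 of the procedures above, with and without the wildcard option, writes the commonName.key.pem / commonName.pem / commonName.csr trio from step 4, and then performs the two checks that matter for a TLS listener: whether the private key belongs to the certificate (what Check Current Certificate confirms) and whether a client would accept the certificate for a given host name (the CN/SAN matching requirement). It assumes a POSIX shell with an OpenSSL 1.1.1 or later binary on PATH; the host name defender, the domain example.com and the organization fields are constructed values.

```shell
#!/bin/sh
# Added example, not BMC Defender Server code. Reproduces the wizard's outputs
# with the OpenSSL CLI and runs the checks the page describes.
# Assumes: POSIX sh, OpenSSL >= 1.1.1 on PATH. Host/domain/org values are constructed.
set -eu

# Build the subjectAltName value in the page's layout:
#   DNS:host[, DNS:*.host], DNS:host.domain[, DNS:*.host.domain]
# The domain entries are omitted when $2 is empty (the "Full Domain / Full Name
# field is empty" case); the wildcard entries are added only when $3 is "yes".
san_value() {
  host=$1; domain=$2; wildcard=$3
  san="DNS:$host"
  if [ "$wildcard" = yes ]; then san="$san,DNS:*.$host"; fi
  if [ -n "$domain" ]; then
    san="$san,DNS:$host.$domain"
    if [ "$wildcard" = yes ]; then san="$san,DNS:*.$host.$domain"; fi
  fi
  printf '%s' "$san"
}

# Write the same trio the wizard produces: <cn>.key.pem, <cn>.pem (self-signed)
# and <cn>.csr (signed with the same key, the file you hand to a CA).
gen_selfsigned() {
  dir=$1; host=$2; domain=$3; wildcard=$4; days=${5:-3650}
  san=$(san_value "$host" "$domain" "$wildcard")
  subj="/CN=$host/O=Example Org/OU=IT/L=Springfield/ST=IL/C=US"   # constructed owner fields
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "$subj" \
    -addext "subjectAltName=$san" \
    -keyout "$dir/$host.key.pem" -out "$dir/$host.pem" 2>/dev/null
  openssl req -new -key "$dir/$host.key.pem" -subj "$subj" \
    -addext "subjectAltName=$san" -out "$dir/$host.csr" 2>/dev/null
}

# The "Check Current Certificate" test: succeed only if the public key derived
# from the private key equals the public key embedded in the certificate.
key_matches_cert() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey)
  from_key=$(openssl pkey -in "$2" -pubout)
  [ "$from_cert" = "$from_key" ]
}

# The CN/SAN matching rule: succeed only if a client that trusts this
# self-signed certificate would accept it for host name $2. With a SAN present
# the SAN entries decide; OpenSSL also requires at least two labels after a
# '*', so the DNS:*.host entry never matches anything on its own.
cert_valid_for_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Print the SAN entries the certificate actually carries.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2,$p' | sed 's/^ *//'
}

# Demo on the constructed host "defender" in "example.com", wildcard option on.
demo=$(mktemp -d)
gen_selfsigned "$demo" defender example.com yes
echo "generated: $(ls "$demo" | tr '\n' ' ')"
echo "SAN: $(cert_sans "$demo/defender.pem")"
if key_matches_cert "$demo/defender.pem" "$demo/defender.key.pem"; then
  echo "private key agrees with the certificate"
fi
for name in defender.example.com api.defender.example.com other.example.com; do
  if cert_valid_for_host "$demo/defender.pem" "$name"; then
    echo "$name: accepted"
  else
    echo "$name: rejected"
  fi
done
```

Run it with sh; the same openssl commands can be pointed at the files in installationDirectory\system\certs (or the server and client subdirectories from SPE2304 on) using any OpenSSL binary, including the openssl.exe listed above. The hostname check is the one to repeat whenever the listener's host name changes, since a certificate whose SAN no longer covers that name fails exactly as the Common Name description warns.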
