Configuring HTTPS settings
The HTTPS Configuration page enables you to configure the HTTPS settings for the appliance. This includes:
- Generating server keys and certificate signing requests
- Uploading and signing server certificates
- Uploading a CA certificate bundle to the appliance, or downloading the current bundle from the appliance
- Uploading a Certificate Revocation List to revoke access to the appliance
If BMC Discovery is integrated with a Web Authentication (Single Sign On) solution, you need to replace a default Certificate Authority (CA) bundle on BMC Discovery.
Starting with version 20.02, BMC Discovery enables HTTPS by default. This applies whether you perform a new installation of version 20.02 or upgrade from version 11.x to 20.02. Your existing Windows proxies, if any, continue to function without any additional HTTPS-specific configuration.
To generate a server key
- From the main menu, click the Administration icon
The Administration page is displayed.
- From the Security section, click HTTPS.
The HTTPS Configuration page is displayed.
- Click Generate New Key.
The Generate Key dialog is displayed.
Enter relevant information in the editable fields:
- Common Name: The hostname of the appliance if it is standalone. If the appliance is a cluster member, enter the cluster alias or, if no alias has been set, its DNS entry.
- Country: The two-character country code for the country in which the appliance is located, for example GB.
- State or Province: The state or province in which the appliance is located, for example Yorkshire.
- Locality: The locality in which the appliance is located, for example York.
- Organization: The company name, for example BMC Software.
- Organizational Unit (Optional): The department using the appliance.
- Email (Optional): The email contact for users of this appliance.
- CSR SANs (Optional): The Subject Alternative Names (SANs) for your Certificate Signing Request (CSR), if you want to specify additional host names for a single SSL certificate.
- RSA key length: The RSA key length, in bits, for the key. Select one from the list: 1024, 2048, or 4096 bits.
The values used in the Generate Key dialog must match those used by the certificate authority.
When you have entered the required information, click Apply to generate the key.
The dialog is dismissed and the new server key is saved as $TIDEWAY/etc/https/server.key on the appliance's file system. A certificate signing request is also generated; it is called server.csr and is saved in the same location.
When you have a key and a signing request, it must be signed before it can be used. You can do this using one of the following methods:
- Use a certificate authority—Continue with this procedure.
- Sign the certificate yourself—See Self signing a server certificate.
- To download the Certificate Signing Request (CSR), click Download CSR to save the file to your local file system.
- Send the certificate signing request file to your certificate signing authority for signing.
When the certificate signing authority has approved the request, they will generate the corresponding certificate and return it as a
To upload a server certificate
- When your certificate signing authority has approved the request and returned a certificate, save the certificate file on your local file system.
- On the HTTPS Configuration page, click Upload in the Server Certificate row.
- Click Choose File next to Certificate File and select the server certificate you saved in Step 1 of this procedure.
- Click Apply.
The new certificate is uploaded onto the appliance.
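The following script is an added example and is not part of the BMC Discovery documentation. It builds a server key and CSR with the same fields as the Generate Key dialog, stands in for the certificate authority with a throwaway root, and then runs the two checks worth making on a returned certificate before uploading it: that it carries the public key of server.key, and that it chains to the CA bundle the appliance trusts. Hostnames, organization and email address are constructed placeholders; it assumes OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example (not from the BMC Discovery documentation): key + CSR with the
# Generate Key dialog's fields, then pre-upload checks on the returned certificate.
# Hostnames, org and email are constructed. Assumes OpenSSL 1.1.1+ (-addext).
set -e
WORK=$(mktemp -d)

# Key + CSR: CN is the appliance hostname (or cluster alias); SANs carry extra names.
make_key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=discovery.example.com/C=GB/ST=Yorkshire/L=York/O=BMC Software/OU=IT/emailAddress=admin@example.com" \
    -addext "subjectAltName=DNS:discovery.example.com,DNS:discovery-alias.example.com" 2>/dev/null
}

# RSA key length (bits) recorded in a CSR, e.g. 2048
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p'
}

# SAN DNS names in a CSR, one per line
csr_sans() {
  openssl req -in "$1" -noout -text | awk '/Subject Alternative Name/{getline; print}' \
    | tr ',' '\n' | sed 's/^[[:space:]]*DNS://'
}

# Stand-in for the CA: a throwaway root signs the CSR (constructed, demo only)
simulate_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 1 -subj "/CN=Constructed Test CA" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/server.crt" -days 1 2>/dev/null
}

# Check 1: the returned certificate must carry the public key of server.key
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout | openssl sha256)" ]
}

# Check 2: the certificate must chain to the CA bundle the appliance trusts
cert_chains_to_bundle() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_key_and_csr
echo "CSR key length: $(csr_key_bits "$WORK/server.csr") bits"
echo "CSR SANs: $(csr_sans "$WORK/server.csr" | tr '\n' ' ')"
simulate_ca
cert_matches_key "$WORK/server.crt" "$WORK/server.key" && echo "certificate matches server.key"
cert_chains_to_bundle "$WORK/server.crt" "$WORK/ca.crt" && echo "certificate chains to the CA bundle"
```

Against a real CA, replace ca.crt with the CA bundle you intend to upload; a certificate that fails either check will not serve HTTPS correctly once installed.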
To self-sign a server certificate
If you do not use a certificate authority but still require HTTPS access to the appliance, you can use the self-signing feature.
- Ensure that you have created a server key and certificate signing request on the appliance using the procedure described in To generate a server key.
- On the HTTPS Configuration page, click Self Sign in the Server Certificate row.
The server key that you created is signed and saved as a new certificate called
To upload or download a CA certificate bundle
The CA certificate bundle that is included by default contains a number of certificates from public certificate authorities. These are usually known as Trusted Root Certificates or Trusted Intermediate Certificates. You can continue to use these or replace them with a certificate bundle from a certificate authority used by your organization. Your system administrator should either tell you whether to use the supplied bundle, or provide you with one supported by your organization.
If you do not have a CA bundle, either the default supplied with the appliance, or one supplied by your organization, you will be unable to use HTTPS.
The default CA bundle is stored on the appliance in the following directory:
When the certificate signing authority has approved the request, they will generate the corresponding certificate bundle and return it as a
To replace the certificate bundle with one from a certificate authority used by your organization
- On the HTTPS Configuration page, click Upload in the CA Certificates row.
- Click Choose File next to CA Certificates File and select the certificate bundle returned by the certificate signing authority.
- Click Apply.
The new certificate bundle is uploaded.
To download the existing CA certificate bundle
- On the HTTPS Configuration page, click Download in the CA Certificates row.
The CA certificate bundle is downloaded to your local file system.
To use a Certificate Revocation List to revoke access to the appliance
You can use a Certificate Revocation List (CRL) to ensure that certificates that have been revoked by the CA can no longer be used to access the appliance. A CRL contains a list of certificates which have been revoked by the CA. You can also add compromised certificates to the CRL.
- On the HTTPS Configuration page, click Upload in the Certificate Revocation List row.
- Click Choose File next to CRL and select the CRL to apply.
- Click Apply.
The CRL is uploaded and applied.
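To show what uploading a CRL changes, here is an added example that is not from the BMC Discovery documentation: a throwaway CA built with the openssl command line issues a certificate, which passes verification until the CA revokes it and publishes a CRL, after which the same verification rejects it. All names and paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the BMC Discovery documentation. A throwaway CA issues
# a certificate, which verifies against the CA until the CA revokes it and
# publishes a CRL. All names are constructed placeholders.
WORK=$(mktemp -d)
cd "$WORK"

# Minimal config so `openssl ca` can keep its revocation database and number CRLs
printf '[ ca ]\ndefault_ca = test_ca\n[ test_ca ]\ndatabase = index.txt\ncrlnumber = crlnumber\ndefault_md = sha256\n' > ca.cnf
touch index.txt
echo 1000 > crlnumber

# Throwaway CA, plus one certificate it has signed (stands in for a user's certificate)
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt -days 1 \
  -subj "/CN=Constructed Test CA" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -keyout user.key -out user.csr \
  -subj "/CN=analyst@example.com" 2>/dev/null
openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out user.crt -days 1 2>/dev/null

# Publish a CRL reflecting the current contents of the revocation database
issue_crl() {
  openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca.crt -crldays 30 \
    -out crl.pem 2>/dev/null
}

# Mark a certificate revoked; relying parties only see it once a new CRL is issued
revoke_cert() {
  openssl ca -config ca.cnf -revoke "$1" -keyfile ca.key -cert ca.crt 2>/dev/null
}

# The check an appliance with a CRL loaded performs: chains to the bundle AND is
# absent from the CRL. Prints accepted/rejected and returns 0/1 accordingly.
check_cert() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected; return 1
  fi
}

issue_crl
before=$(check_cert user.crt) || true   # accepted: nothing revoked yet
revoke_cert user.crt
issue_crl
after=$(check_cert user.crt) || true    # rejected: serial now listed in crl.pem
echo "before revocation: $before; after revocation: $after"
```

Note that revocation alone changes nothing for the appliance: only the freshly issued CRL, once uploaded, makes the revoked certificate fail verification.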