Replacing the Outpost UI HTTPS certificate
When you install the BMC Discovery Outpost, it generates its own self-signed certificates, which enable the browser to trust it. However, as there is no chain of trust to a known Certificate Authority (CA), you must tell the browser that it must trust the BMC Discovery Outpost.
The certificate looks something like this in your browser:
The auto-generated key and certificate files are stored (by default) in C:\Program Files\BMC Software\Discovery Outpost\etc\https as:
- server.key
- server.crt
The generated certificates use a 4k RSA public key and have a 10-year lifespan. For example:
Many organizations require the use of certificates that are signed by a known and trusted in-house CA. Organizations might also require that certificates have a shorter lifespan than the default for the certificate.
The default key is encrypted using the Outpost UUID as the password. You can find the Outpost UUID in the C:\Program Files\BMC Software\Discovery Outpost\etc\machine.uuid file, or in the tw_svc_outpost.log file.
The BMC Discovery Outpost accepts an unencrypted password, and rather than encrypt the password, we recommend that you consider the Windows OS as the security boundary to the HTTPS key.
To replace the automatically generated Outpost certificates
To replace the automatically generated certificates:
- Request your CA to generate a key/certificate pair. Your CA will require the following information:
  - X.509 CN (Common Name): the DNS name the browser uses to connect to the Outpost
- Copy them to the BMC Discovery Outpost host.
  The default directory is C:\Program Files\BMC Software\Discovery Outpost\etc\https
- Restart the Outpost service.
When you connect to the BMC Discovery Outpost, you will have an HTTPS connection that uses a certificate that chains to a browser-trusted CA.
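A pre-flight check and swap for the steps above, as an added example (not BMC's own script). It assumes PowerShell 7.3 or later on the Outpost host, PEM-encoded files with an unencrypted key, and that the replacements take the generated file names server.key and server.crt; `$ServiceName` is a parameter because this page does not name the Windows service.

```powershell
#Requires -Version 7.3
using namespace System.Security.Cryptography.X509Certificates
# Added example, not BMC code. Assumes PEM files, an unencrypted key, and that the
# Outpost reads replacements under the generated names server.key / server.crt.
param(
    [Parameter(Mandatory)] [string] $NewCert,     # CA-issued certificate (PEM)
    [Parameter(Mandatory)] [string] $NewKey,      # matching private key (PEM)
    [Parameter(Mandatory)] [string] $DnsName,     # name the browser uses for the Outpost
    [Parameter(Mandatory)] [string] $ServiceName, # Outpost service name on this host
    [string] $HttpsDir = 'C:\Program Files\BMC Software\Discovery Outpost\etc\https'
)
$ErrorActionPreference = 'Stop'

# .NET ignores PowerShell's current location, so resolve to absolute paths first.
$NewCert = (Resolve-Path $NewCert).Path
$NewKey  = (Resolve-Path $NewKey).Path

# Throws if the key is not an unencrypted PEM key or does not match the certificate.
$cert = [X509Certificate2]::CreateFromPemFile($NewCert, $NewKey)

# Reject a certificate that is not yet valid or already expired.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period: $($cert.NotBefore) .. $($cert.NotAfter)"
}

# Browsers match the subjectAltName DNS entries; CN is only a fallback when none exist.
if (-not $cert.MatchesHostname($DnsName, $true, $true)) {
    throw "Certificate does not cover '$DnsName' (subject: $($cert.Subject))"
}

# Warn when the certificate is self-signed or this host cannot build a trusted chain.
$chain = [X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck  # no network lookups
if ($cert.Subject -eq $cert.Issuer -or -not $chain.Build($cert)) {
    Write-Warning "Chain to a trusted root not confirmed on this host (issuer: $($cert.Issuer))"
}

# Back up the current pair in place so the copies keep the directory's ACLs.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($f in 'server.key', 'server.crt') {
    Copy-Item (Join-Path $HttpsDir $f) (Join-Path $HttpsDir "$f.$stamp.bak")
}
Copy-Item $NewKey  (Join-Path $HttpsDir 'server.key') -Force
Copy-Item $NewCert (Join-Path $HttpsDir 'server.crt') -Force

Restart-Service -Name $ServiceName
"Installed certificate $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Run it from an elevated session; the checks stop the script before any file is touched, so a mismatched key or wrong host name never reaches the Outpost.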