Creating and installing a self-signed SSL certificate


BMC Defender Server includes a utility that creates and installs a self-signed Secure Sockets Layer (SSL) certificate to use for Transport Layer Security (TLS) connections. The utility also creates a certificate signing request (CSR) file that you can provide to a certificate authority (CA).

If you have a network listener that uses the TCP-TLS protocol, you must configure a path to a valid SSL certificate when you set up a TLS connection. (The SSL certificate configuration is optional for a network forwarder unless the server side of the connection requires a client SSL certificate.) You can use a self-signed certificate generated by the BMC Defender Server utility, or a certificate from another source.

SSL certificates that you create with BMC Defender Server are automatically stored in the installationDirectory\system\certs directory. Replace installationDirectory with the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.


To create and install a self-signed SSL certificate

  1. Navigate to the System > Network > SSL Cert page.
  2. Select Generate Self-Signed Certificate and click Next.
    If you have not previously created a certificate with the utility, this is the only option available.
    If a certificate already exists in the system, a message indicates that your newly created certificates will be pending until you commit or discard them.
  3. Enter the following certificate information:
    • Common Name—Name of server to be protected by the certificate

      The Common Name (CN) must exactly match the host name that the service runs on. The TLS connection does not work correctly if the host name of the server does not match the certificate CN field.

      The default value displays the system's attempt to determine the system host name.

    • Certificate identification information—Certificate owner information

      Complete the following identifying information about the certificate owner:

      • Your Organization—Use the exact legal name of your organization. Do not abbreviate your organization name.
      • Your Department
      • Your City or Locality
      • Your State or Province
      • Your Country Code—Default value is US.
      • E-Mail Contact
      • Expiration Days—Default value is 3650.
  4. Click Next.

The following files are generated and the certificate is installed:

  • Self-signed certificate—BMCDefenderACC.pem
  • Certificate private key—BMCDefenderACC.key.pem
  • Certificate signing request—BMCDefencerACC.csr

To obtain a CSR file

You can obtain a CSR file to send to your CA to produce a public certificate.

You must have previously created a certificate with the utility.

  1. Navigate to the System > Network > SSL Cert page.
  2. Select Get CSR (Certificate Signing Request) and click Next.
    A page that shows the CSR content in a box is displayed.
  3. Copy all the content from the box and paste it into a text file. Include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
  4. Save the file with a .txt extension.

To verify the SSL certificate and private key

You can verify the current SSL certificate stored in the installationDirectory\system\certs directory with the current certificate private key.

You must have previously created a certificate with the utility.

  1. Navigate to the System > Network > SSL Cert page.
  2. Select Check Current Certificate and click Next.

If the private key agrees with the certificate, you receive confirmation.
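
A command-line counterpart to the checks described on this page (key agrees with certificate, CN equals the host name, time left before expiration), as an added example that is not BMC code. It assumes the OpenSSL CLI is on the PATH, the private key is an unencrypted PEM file, and the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not part of BMC Defender Server. Assumes the OpenSSL CLI.

# Succeeds only if the public key inside the certificate ($1) is the one
# that belongs to the private key ($2). Returns 2 if either file is unreadable.
key_matches_cert() {
    local from_cert from_key
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# Prints the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# Succeeds only if the CN is exactly the host name ($2), as the page requires.
cn_matches_host() {
    [ -n "$2" ] && [ "$(cert_cn "$1")" = "$2" ]
}

# Succeeds if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs all three checks: check_pair CERT KEY HOSTNAME
check_pair() {
    local rc=0
    key_matches_cert "$1" "$2" && echo "OK   key matches certificate" ||
        { echo "FAIL key does not match certificate"; rc=1; }
    cn_matches_host "$1" "$3" && echo "OK   CN equals $3" ||
        { echo "FAIL CN is '$(cert_cn "$1")', expected '$3'"; rc=1; }
    valid_for_days "$1" 30 && echo "OK   valid for at least 30 more days" ||
        { echo "FAIL expires within 30 days"; rc=1; }
    return "$rc"
}

# Example call against copies of the generated files:
#   ./check_cert.sh BMCDefenderACC.pem BMCDefenderACC.key.pem myhost.example.test
if [ "$#" -eq 3 ]; then
    check_pair "$1" "$2" "$3"
fi
```

Run it on copies of the files from the installationDirectory\system\certs directory, and keep the private key copy restricted to the administrator account.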


 
