Creating and installing a self-signed SSL certificate
BMC Defender Server includes a utility that creates and installs a self-signed Secure Sockets Layer (SSL) certificate to use for Transport Layer Security (TLS) connections. The utility also creates a certificate signing request (CSR) file that you can provide to a certificate authority (CA).
If you have a network listener that uses the TCP-TLS protocol, you must configure a path to a valid SSL certificate when you set up a TLS connection. (The SSL certificate configuration is optional for a network forwarder unless the server side of the connection requires a client SSL certificate.) You can use a self-signed certificate generated by the BMC Defender Server utility, or a certificate from another source.
SSL certificates that you create with BMC Defender Server are automatically stored in the installationDirectory\system\certs directory, where installationDirectory is the directory in which you installed the product. The default directory is C:\Program Files\BMC Software\BMC Defender.
To create and install a self-signed SSL certificate
- Navigate to the System > Network > SSL Cert page.
- Select Generate Self-Signed Certificate and click Next.
If you have not previously created a certificate with the utility, this is the only option available.
If a certificate already exists in the system, a message indicates that your newly created certificates will be pending until you commit or discard them. Enter the following certificate information:
Common Name
Name of the server to be protected by the certificate. The Common Name (CN) must exactly match the host name or IP address that the service runs on; the TLS connection does not work correctly if the host name of the server does not match the certificate CN field. The default value displays the system's attempt to determine the system host name.

(SPE2010) Full Name
Fully qualified domain name (FQDN) of the server to be protected by the certificate. The default value displays the system's attempt to determine the FQDN.
The FQDN and CN provide subject alternative name (SAN) DNS entries to the SSL certificate in the following format:
subjectAltName = DNS:hostName, DNS:*.hostName, DNS:hostName.domain.com, DNS:*.hostName.domain.com
The last two DNS entries, which include domain values, are not used if the Full Name field is empty.
(SPE2204) You can use a wildcard in SAN entries to secure multiple domains and subdomains.

Certificate identification information
Certificate owner information. Complete the following identifying information about the certificate owner:
- Your Organization—Use the exact legal name of your organization. Do not abbreviate your organization name.
- Your Department
- Your City or Locality
- Your State or Province
- Your Country Code—Default value is US.
- E-Mail Contact
- Expiration Days—Default value is 3650.
- Click Next.
(SPE2010) The following files are generated in the installationDirectory\system\certs directory, and the certificate is installed:
- BMCDefender.pfx—Personal information exchange file. This file represents the certificate and key together in a format commonly used in Windows. You can install this complete certificate in the Chrome and Firefox browsers.
- TLS.restart—Temporary system file used to indicate that the certificate information has been created or updated
- BMCDefender.key.pem—Certificate private key that is used in certificate generation
- BMCDefender.pem—Self-signed certificate that can be used for TLS connections
- openssl.exe—OpenSSL application. OpenSSL is a third-party product used extensively for TLS communications.
- openssl.cnf—OpenSSL configuration options
- BMCDefender.csr—Certificate signing request. Provide this file to an external trusted CA to be signed.
(Prior to SPE2010) The following files are generated:
- BMCDefenderACC.pem—Self-signed certificate
- BMCDefenderACC.key.pem—Certificate private key
- BMCDefenderACC.csr—Certificate signing request
To obtain a CSR file
You can obtain a CSR file to send to your CA, which uses it to produce a signed public certificate.
You must have previously created a certificate with the utility.
- Navigate to the System > Network > SSL Cert page.
- Select Get CSR (Certificate Signing Request) and click Next.
On the page that is displayed, copy all the content from the box and paste it into a text file. Include the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines. Save the file with a .txt extension.
To verify the SSL certificate and private key
You can verify that the current SSL certificate stored in the installationDirectory\system\certs directory agrees with the current certificate private key.
You must have previously created a certificate with the utility.
- Navigate to the System > Network > SSL Cert page.
- Select Check Current Certificate and click Next.
If the private key agrees with the certificate, you receive confirmation.
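The SAN layout described for the Full Name field and the Check Current Certificate step, reproduced as an added example with the openssl CLI (this is not the BMC Defender utility's own code). The host name defender01, the domain example.com and the output directory are constructed sample values.

```shell
#!/bin/sh
# Added example (not BMC's utility): reproduce the SAN layout and file set
# described above with the openssl CLI, then run the key/cert agreement check.
set -eu
HOST="defender01"              # Common Name (constructed sample value)
FQDN="defender01.example.com"  # Full Name / FQDN (constructed sample value)
DAYS=3650                      # Expiration Days default from the page
OUT="${OUT:-./certs}"          # stands in for installationDirectory\system\certs

# SAN list in the page's format; the two domain entries are added only when
# a Full Name was supplied.
san_list() {
    san="DNS:$1,DNS:*.$1"
    if [ -n "${2:-}" ]; then san="$san,DNS:$2,DNS:*.$2"; fi
    printf '%s' "$san"
}

generate_cert() {
    mkdir -p "$OUT"
    # Minimal counterpart of the utility's openssl.cnf: subject plus SAN extension
    cat > "$OUT/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
x509_extensions = v3_req
[dn]
CN = $HOST
C = US
[v3_req]
subjectAltName = $(san_list "$HOST" "$FQDN")
EOF
    # Private key and self-signed certificate (BMCDefender.key.pem, BMCDefender.pem)
    openssl req -x509 -newkey rsa:2048 -nodes -days "$DAYS" -config "$OUT/openssl.cnf" \
        -keyout "$OUT/BMCDefender.key.pem" -out "$OUT/BMCDefender.pem" 2>/dev/null
    # CSR for an external CA (BMCDefender.csr), signed with the same private key
    openssl req -new -key "$OUT/BMCDefender.key.pem" -config "$OUT/openssl.cnf" \
        -out "$OUT/BMCDefender.csr" 2>/dev/null
}

# "Check Current Certificate": the key agrees with the certificate when the
# public key recovered from each is identical.
check_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

if [ "${1:-}" = "run" ]; then   # stand-alone use: sh thisfile.sh run
    generate_cert && check_cert "$OUT/BMCDefender.pem" "$OUT/BMCDefender.key.pem" && echo "key agrees with certificate"
fi
```

Set OUT before running to write into a different directory; check_cert returns non-zero when the key does not belong to the certificate.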