Implications of using Sectigo-Certificate instead of internal CA certificate?

Hello,

Right now our ZENworks login page (server version 23.4.0.88), reachable over

https://xyz.abc.com:7443

asks us to trust the certificate that comes from the internal CA of ZENworks.

Two questions on that:

  1. If we replace this internal certificate with a public one (Sectigo) so we don't get the browser certificate warnings, will this have any effect on the ZENworks agent (installed on Windows clients in the zone) to server communication? Is there any need to "roll out" these certificates to the clients so that client communication is encrypted, or does that have nothing to do with the cert used for the login page?
  2. If we can actually use the Sectigo cert without any implication on client communication, could you please lead us to the documentation that describes the process for integrating the cert into ZENworks?

Thank you,

Bob

  • Suggested Answer


    The docs are here:

    https://www.novell.com/documentation/zenworks-23.4/zen_certificates/data/bookinfo.html

    In general, most prefer the internal CA because it allows ZCM to handle far more of the CA management and makes the admin's life much simpler. If you change to an "External CA", you will need to tweak your Remote Control policy to allow for that, because there is a minor feature in RC that allows certs to be generated by the agents for 2-way certificate verification. Honestly, I think it provides less security than it sounds, as things would be quite secure already assuming you are running "Rights Based" versus simple password, but the RC policy needs to be tweaked to not require the agent cert.

    Changing the ZCC CA will require every cert used by ZCM everywhere to change over. However, there will most likely be no need to touch anything on the agents. The certificate/CA-related calls we get around the product tend to come primarily from customers using external CAs, even though such customers are the minority. No reason they can't work; it is just an added layer of complexity and unknowns. If you are not comfortable with various commands around creating and managing certificates, that would be a reason to think hard about doing it. Most of the commands are in the docs, so if you are not familiar with the processes, it would give me pause.

    Definitely set up a lab zone, put that on an external CA for a while, do cert updates and get to know the process....

    You would just need to trust the CA cert on any device a tech uses to manage ZCM that does not have the ZENworks Agent. That is a very simple process.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks
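    As an added illustration of the trust point made above (this script is not part of the reply and is not ZENworks tooling), the following shell example builds a constructed stand-in for the ZENworks internal CA, issues a leaf certificate for the placeholder hostname from the question, and then verifies that leaf twice: once against the default trust store, which fails the way a browser does before the internal CA has been imported, and once with the internal CA certificate supplied as a trusted root, which succeeds. The CA name, hostname and temporary directory are all constructed for the example; `live_issuer` is included only to show how an admin would read the issuer of the certificate a real server presents and is not run here.

```shell
#!/bin/sh
# Added example, not from the thread or from ZENworks: reproduce the two trust
# outcomes an admin sees with an internal CA.  All names below are constructed.
set -eu

WORK=$(mktemp -d)

# Constructed stand-in for the ZENworks internal CA (self-signed root).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -subj "/CN=Example Internal ZENworks CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# Leaf certificate for the login-page host named in the question, issued by that CA.
openssl req -newkey rsa:2048 -nodes \
  -subj "/CN=xyz.abc.com" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -days 1 -out "$WORK/server.pem" >/dev/null 2>&1

# issuer_of CERT: print the issuer DN, so you can tell at a glance whether a
# served certificate comes from the internal CA or from a public CA.
issuer_of() {
  openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//'
}

# verify_chain CERT [CAFILE]: prints "trusted" if CERT chains to a trusted
# root, "untrusted" otherwise.  Without CAFILE only the default store is
# consulted, which is what a browser does before the internal CA is imported.
verify_chain() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# live_issuer HOST PORT: fetch the leaf cert a real server presents (for
# example the ZCC login page on 7443) and print its issuer.  Needs network
# access and is not invoked in this example.
live_issuer() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer | sed 's/^issuer=//'
}

echo "issuer:                $(issuer_of "$WORK/server.pem")"
echo "default store:         $(verify_chain "$WORK/server.pem")"
echo "with internal CA file: $(verify_chain "$WORK/server.pem" "$WORK/ca.pem")"
```

    Running it prints the constructed issuer, `untrusted` for the default store and `trusted` once the CA file is passed; that second call is exactly what importing the internal CA on an admin workstation achieves, and with a public (Sectigo) certificate the default-store check would already succeed.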

  •

    A little late to respond, but I had similar questions previously before implementing Sectigo-based wildcard certs in multiple ZEN primaries without issue.

    The main reasons were not having to deal with untrusted internal certs, and that it is also easier to put ZENworks in a DMZ behind a firewall web application proxy.

    Rodney

    If you found this post useful, give it a "Like" or click on "Verify Answer" under the "More" button. This helps others.