Creating Security Certificates
Bitdefender GravityZone provides full visibility into organizations' overall security posture, global security threats, and control over its security services that protect virtual or physical desktops, servers and mobile devices. All Bitdefender's Enterprise Security solutions are managed within the GravityZone through a single console, Control Center, that provides control, reporting, and alerting services for various roles within the organization.
This article explains how to create the security certificates required by GravityZone.
Introduction
Browsers need the Control Center Security certificate to recognize the Control Center website as trusted. Except for Control Center Security, all other certificates are needed exclusively for managing Apple iOS devices. They are:
- Communication Server certificate
- Apple MDM Push certificate
- iOS MDM Identity and Profile Signing certificate
- iOS MDM Trust Chain certificate
iOS includes built-in support for third-party Mobile Device Management (MDM) solutions. Apple Inc. has very strict requirements for the MDM interface to work. Security implies authentication of both the server and the client at the time when MDM commands are issued to the device; therefore, the MDM server runs as an HTTPS server and the device needs to trust the certificate the server presents.
The Root Certificate
Digital certificates are verified using a chain of trust. A Root certificate (hereinafter known as the Root) is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates immediately below the Root certificate inherit the trustworthiness of the Root certificate.
Several different approaches are possible to make the devices trust the SSL certificate presented by the MDM server. We will present three of them, but only two make sense as a realistic and practical deployment scenario.
- Obtain an SSL certificate from a source the device already trusts.
For example, get a certificate for the specific IP or hostname of the device from a Certificate Authority like Verisign, Thawte or another major vendor. The device will trust this certificate and the management relationship can be established.
This solution is not practical for most Enterprise deployments.
- The business has a self-signed Root certificate.
The certificate needs to be imported before the enrollment can take place.
Fortunately, Apple has foreseen this need and made it possible to include the certificates and the MDM configuration in the same payload. The enrollment then happens in two steps:
  - The certificates from the payload are imported and the Root becomes trusted;
  - The connection to the MDM server is made and the device becomes managed.
- The business has an intermediate certificate obtained from a major third party.
The certificate is issued by an intermediate Certificate Authority. This certificate uses a chain of trust, which starts from the Root (already trusted by the device).
The intermediary has to be included in the profile.
Certificates for Bitdefender MDM Product
Here is a brief description of the certificates for MDM:
- The Communication Server certificate is used to secure communication between the Communication Server and iOS mobile devices.
Requirements:
  - This SSL certificate can be signed either by your company or by an external Certificate Authority.
  - The certificate common name must match exactly the domain name or IP address used by mobile clients to connect to the Communication Server. This is configured as the external MDM address in the configuration interface of the GravityZone appliance console.
  - Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.
- The Apple MDM Push certificate is required by Apple to ensure secure communication between the Communication Server and the Apple Push Notifications service (APNs) servers when sending push notifications. Push notifications are used to prompt devices to connect to the Communication Server when new tasks or policy changes are available.
Apple issues this certificate directly to your company, but it requires that your Certificate Signing Request be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.
- The iOS MDM Identity and Profile Signing certificate is used by the Communication Server to sign identity certificates and configuration profiles sent to mobile devices.
Requirements:
  - It must be an Intermediate or End-Entity certificate, signed either by your company or by an external Certificate Authority.
  - Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.
- The iOS MDM Trust Chain certificates are required on mobile devices to ensure they trust the Communication Server certificate and the iOS MDM Identity and Profile Signing certificate. The Communication Server sends this certificate to mobile devices during activation.
The iOS MDM Trust Chain must include all intermediate certificates up to the Root certificate of your company or to the intermediate certificate issued by the external Certificate Authority. The trust chain is a concatenation of the certificates in PEM format and it doesn't have a private key.
Step-by-step Procedure
A simple approach, suitable for testing purposes or for a deployment that is not integrated with an existing public-key infrastructure (PKI), is the following:
- Generate a Root certificate
- Generate a Signing certificate
- Generate an SSL certificate
- Generate the trust chain containing certificates from step 1 and 2
- Upload them in the GravityZone Console
- On a Linux machine with OpenSSL installed, create the bash scripts in the same folder as root user:
  - Open a new file in the text editor, with the name given in the list below, e.g.:
    # vim createroot.sh
  - Press i to switch from view mode to edit mode.
  - Copy the commands listed for each file into the editor.
  - Save the file, e.g. by typing the :wq key sequence.
The script names and contents (must be run as root user):
- createroot.sh
#!/bin/bash
openssl req -newkey rsa:2048 -days 800 -x509 -keyout rootkey.pem -out root.cer -sha256 -subj "/C=XX/O=XX/CN=XX/"
Note: Replace the Country (C=XX), the Organization (O=XX) and the Common Name (CN=XX) with values suitable for you, e.g. "/C=RO/O=Bitdefender/CN=MDM Root/".
- createssl.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -keyout sslkey.pem -out ssl.csr -sha256 -subj "/CN=$1/" -batch
openssl x509 -req -days 365 -sha256 -in ssl.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -out ssl.cer -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=IP:$1")
Note: For subjectAltName, you can also use DNS or FQHN instead of IP, e.g. subjectAltName=DNS:$1.
- createcom.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -keyout comkey.pem -out com.csr -subj "/CN=$1/" -batch
openssl x509 -req -days 365 -in com.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out com.cer
- createsvacom.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -keyout svacomkey.pem -out svacom.csr -subj "/CN=$1/" -batch
openssl x509 -req -days 365 -in svacom.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out svacom.cer
- createsgn.sh
#!/bin/bash
openssl req -out sgn.csr -new -newkey rsa:2048 -keyout sgnkey.pem -subj "/C=XX/O=XX/CN=XX/" -batch
# Pass a single -extfile: when the option is given twice, openssl keeps only the last one and noCA.cnf (basicConstraints=CA:false) would be silently ignored.
openssl x509 -req -days 365 -in sgn.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out sgn.cer -extfile <(cat noCA.cnf; printf "\nextendedKeyUsage = serverAuth \n subjectAltName=IP:$1")
rm sgn.csr
Note:
  - For subjectAltName, you can also use DNS or FQHN instead of IP, e.g. subjectAltName=DNS:$1.
  - Replace the Country (C=XX), the Organization (O=XX) and the Common Name (CN=XX) with values suitable for you, e.g. "/C=RO/O=Bitdefender/CN=MDM Signing Certificate/".
- createchain.sh
#!/bin/bash
cat root.cer sgn.cer >chain.pem
- noCA.cnf
basicConstraints=CA:false
- Generate the certificates with the previously created scripts.
  In a bash shell, run the scripts as root user in the following order:
  - The Root certificate
    Remember the password protecting the private key.
    # chmod +x createroot.sh
    # ./createroot.sh
    Result files: root.cer, rootkey.pem.
  - Control Center Security Certificate
    Provide either the IP or the Fully Qualified Host Name, depending on the configuration of the server.
    # chmod +x createssl.sh
    # ./createssl.sh IP|FQHN
    As always, remember the password.
    Result files: the SSL certificate (ssl.cer) and the private key (sslkey.pem).
  - Communication Server Certificate
    Provide either the IP or the Fully Qualified Host Name, depending on the configuration of the server.
    # chmod +x createcom.sh
    # ./createcom.sh IP|FQHN
    As always, remember the password.
    Result files: com.cer, comkey.pem.
  - Endpoint - Security Server Certificate
    Provide either the IP or the Fully Qualified Host Name, depending on the configuration of the server.
    # chmod +x createsvacom.sh
    # ./createsvacom.sh IP|FQHN
    As always, remember the password.
    Result files: svacom.cer, svacomkey.pem.
- Apple MDM Push Certificate
Apple issues this certificate directly to your company, but it requires that your Certificate Signing Request be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.
Note: You will need an Apple ID to obtain the certificate. If you do not have an Apple ID, you can create one here. Make sure to validate your Apple ID and set a security question before proceeding to obtain your Apple MDM Push certificate.
  - iOS MDM Identity and Profile Signing Certificate
    Provide the password for the Root, and be sure to remember the password protecting the private key of this certificate.
    # chmod +x createsgn.sh
    # ./createsgn.sh IP|FQHN
    Result files: sgn.cer, sgnkey.pem.
  - iOS MDM Trust Chain Certificates
    # chmod +x createchain.sh
    # ./createchain.sh
    Result files: chain.pem. A file called root.serial is also created; simply ignore it.
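As an added pre-upload check (example code, not part of the Bitdefender article or product), the following script builds a throwaway Root, signing and SSL certificate set with the same openssl steps as the scripts above and then verifies what a practitioner should confirm before uploading: each certificate chains to the Root through chain.pem, the SSL certificate carries the host in its subjectAltName, the signing certificate is not a CA, and no private key has leaked into the trust chain bundle. The output directory, host name, subject values and the unencrypted demo keys (-nodes) are assumptions of this demo, not values from the article.

```shell
#!/bin/bash
# Added example, not from the Bitdefender article: generate a demo
# Root -> signing -> SSL certificate set and run pre-upload checks on it.
# Directory, host and subject values are assumptions; -nodes keeps the
# demo keys unencrypted so the script runs unattended.
set -u

# Build root.cer, sgn.cer, ssl.cer and chain.pem under $1 for host $2.
# Runs in a subshell so the cd does not leak into the caller.
make_certs() (
  cd "$1" || exit 1
  host=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 800 -sha256 \
    -keyout rootkey.pem -out root.cer -subj "/C=XX/O=Demo/CN=Demo MDM Root/"
  # Signing certificate: an end entity, so basicConstraints must say CA:false.
  printf "basicConstraints=CA:false\n" > sgn.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout sgnkey.pem -out sgn.csr \
    -subj "/C=XX/O=Demo/CN=Demo MDM Signing/" -batch
  openssl x509 -req -days 365 -sha256 -in sgn.csr -CA root.cer \
    -CAkey rootkey.pem -CAcreateserial -out sgn.cer -extfile sgn.ext
  # SSL certificate: the host goes into subjectAltName (DNS here; IP also works).
  printf "extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n" "$host" > ssl.ext
  openssl req -new -newkey rsa:2048 -nodes -keyout sslkey.pem -out ssl.csr \
    -subj "/CN=$host/" -batch
  openssl x509 -req -days 365 -sha256 -in ssl.csr -CA root.cer \
    -CAkey rootkey.pem -CAcreateserial -out ssl.cer -extfile ssl.ext
  # Trust chain = public certificates only, Root first, never a private key.
  cat root.cer sgn.cer > chain.pem
)

# Pre-upload checks; returns 0 only when every check passes.
verify_certs() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/chain.pem" "$dir/ssl.cer" >/dev/null || return 1
  openssl verify -CAfile "$dir/chain.pem" "$dir/sgn.cer" >/dev/null || return 1
  openssl x509 -in "$dir/ssl.cer" -noout -text | grep -q "DNS:$host" || return 1
  openssl x509 -in "$dir/sgn.cer" -noout -text | grep -q "CA:FALSE" || return 1
  ! grep -q "PRIVATE KEY" "$dir/chain.pem"
}

# Usage: ./check_mdm_certs.sh OUTDIR HOST
if [ $# -eq 2 ]; then
  mkdir -p "$1" && make_certs "$1" "$2" && verify_certs "$1" "$2" \
    && echo "OK: $1/chain.pem is ready for upload"
fi
```

The same verify_certs checks apply unchanged to the real root.cer, sgn.cer, ssl.cer and chain.pem produced by the article's scripts.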
- Upload the corresponding files into Control Center.
The upload procedure is explained in the Certificates subsection from the GravityZone Installation Guide.