Directly contact our Support Team

Creating Security Certificates

Bitdefender GravityZone provides full visibility into organizations' overall security posture, global security threats, and control over its security services that protect virtual or physical desktops, servers and mobile devices. All Bitdefender's Enterprise Security solutions are managed within the GravityZone through a single console, Control Center, that provides control, reporting, and alerting services for various roles within the organization.

This article explains how to create the security certificates required by GravityZone.


Introduction

Browsers need Control Center Security certificate to recognize Control Center website as trusted. Except for Control Center Security, all other certificates are needed exclusively for managing Apple iOS devices. They are:

  • Communication Server certificate
  • Incidents Server certificate (only available for GravityZone Elite and GravityZone Ultra)
  • Apple MDM Push certificate
  • iOS MDM Identity and Profile Signing certificate
  • iOS MDM Trust Chain certificate

iOS includes built-in support for third-party Mobile Device Management (MDM) solutions. Apple Inc. has very strict requirements for the MDM interface to work. Security implies authentication of both the server and the client at the time when MDM commands are issued to the device; therefore, the MDM server runs as an HTTPS server and the device needs to trust the certificate the server presents.

The Root Certificate

Digital certificates are verified using a chain of trust. A Root certificate (hereinafter known as the Root) is the top-most certificate of the tree, the private key of which is used to "sign" other certificates. All certificates immediately below the Root certificate inherit the trustworthiness of the Root certificate.

Several different approaches are possible to make the devices trust the SSL certificate presented by the MDM server. We will present three of them, but only two make sense as a realistic and practical deployment scenario.

  1. Obtain a SSL certificate from a source the device already trusts.
    For example, get a certificate for the specific IP or hostname of the device from a Certificate Authority like Verisign, Thawte or another major vendor. The device will trust this certificate and the management relationship can be established.
    This solution is not practical for most of the Enterprise deployments.
  2. The business has a self-signed Root certificate.
    The certificate needs to be imported before the enrollment can take place.
    Fortunately, Apple has foreseen this need and made it possible to include the certificates and MDM configuration into the same payload. Also, the enrollment happens in two steps:
    1. The certificates from the payload are imported and the Root will be trusted;
    2. The connection to the MDM server is made and the device becomes managed.
  3. The business has an intermediate certificate obtained from a major third party.
    The certificate is issued by an intermediate Certificate Authority. This certificate uses a chain of trust, which starts from the Root (already trusted by the device).
    The intermediary has to be included in the profile.

Certificates for Bitdefender MDM Product

Here you have a briefly description of the certificates for MDM:

  1. The Communication Server certificate is used to secure communication between the Communication Server and iOS mobile devices.
    Requirements:
    • This SSL certificate can be signed either by your company or by an external Certificate Authority.
    • The certificate common name must match exactly the domain name or IP address used by mobile clients to connect to the Communication Server. This is configured as the external MDM address in the configuration interface of the GravityZone appliance console.
    • Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.
  2. The Apple MDM Push certificate is required by Apple to ensure secure communication between the Communication Server and the Apple Push Notifications service (APNs) servers when sending push notifications. Push notifications are used to prompt devices to connect to the Communication Server when new tasks or policy changes are available.
    Apple issues this certificate directly to your company, but it requires that your Certificate Signing Request be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.
  3. The iOS MDM Identity and Profile Signing certificate is used by the Communication Server to sign identity certificates and configuration profiles sent to mobile devices.
    Requirements:
    • It must be an Intermediate or End-Entity certificate, signed either by your company or by an external Certificate Authority.
    • Mobile clients must trust this certificate. For this, you must also add the iOS MDM Trust Chain.
  4. The iOS MDM Trust Chain certificates are required on mobile devices to ensure they trust the Communication Server certificate and the iOS MDM Identity and Profile Signing certificate. The Communication Server sends this certificate to mobile devices during activation.
    The iOS MDM Trust Chain must include all intermediate certificates up to the Root certificate of your company or to the intermediate certificate issued by the external Certificate Authority. The trust chain is a concatenation of the certificates in PEM format and it doesn't have a private key.

Step-by-step Procedure

This is a simple approach, suitable for testing purposes or a deployment that is not integrated with any existing public-key infrastructure (PKI), can be made like this:

  1. Generate a Root certificate
  2. Generate a Signing certificate
  3. Generate an SSL certificate
  4. Generate the trust chain containing certificates from step 1 and 2
  5. Upload them in the GravityZone Console
  1. On a Linux OS machine with OpenSSL installed, in the same folder, create the bash scripts as root user:
    1. Open a new file with the name mentioned in the the text editor and create the script file from the list below.
      e.g.: #vim createroot.sh
    2. Type :i to switch from view mode to edit mode.
    3. Copy the commands mentioned for each file into the editor.
    4. Save the file.
      e.g.: Type the :wq key sequence.

    The scripts names and content (must be run as root user):

    1. createroot.sh

      #!/bin/bash

      openssl req -newkey rsa:2048 -days 800 -x509 -keyout rootkey.pem -out root.cer -sha256 -subj "/C=XX/O=XX/CN=XX/"

      note Note:

      Replace the Country C=XX, the Organization O=XX and the Common Name CN=XX suitable for you.

      E.g.: "/C=RO/O=Bitdefender/CN=MDM Root/"
       
    2. createssl.sh

      #!/bin/bash

      openssl req -new -newkey rsa:2048 -keyout sslkey.pem -out ssl.csr -sha256 -subj "/CN=$1/" -batch

      openssl x509 -req -days 365 -sha256 -in ssl.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -out ssl.cer -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=IP:$1")

      note Note:

      For subjectAltName, you can also use DNS or FQHN instead of IP.

      E.g.: subjectAltName=DNS:$1
    3. createcom.sh

      #!/bin/bash

      openssl req -new -newkey rsa:2048 -keyout comkey.pem -out com.csr -subj "/CN=$1/" -batch

      openssl x509 -req -days 365 -in com.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out com.cer

    4. createincident.sh

      #!/bin/bash

      openssl req -new -newkey rsa:2048 -keyout incidentkey.pem -out incident.csr -subj "/CN=$1/" -batch

      openssl x509 -req -days 365 -in incident.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out incident.cer

    5. createsvacom.sh

      #!/bin/bash

      openssl req -new -newkey rsa:2048 -keyout svacomkey.pem -out svacom.csr -subj "/CN=$1/" -batch

      openssl x509 -req -days 365 -in svacom.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out svacom.cer

    6. createsgn.sh

      #!/bin/bash

      openssl req -out sgn.csr -new -newkey rsa:2048 -keyout sgnkey.pem -subj "/C=XX/O=XX/CN=XX/" -batch

      openssl x509 -req -days 365 -in sgn.csr -CA root.cer -CAkey rootkey.pem -CAcreateserial -CAserial root.serial -sha256 -out sgn.cer -extfile noCA.cnf -extfile <(printf "extendedKeyUsage = serverAuth \n subjectAltName=IP:$1")

      rm sgn.csr

      note Note:
      • For subjectAltName, you can also use DNS or FQHN instead of IP.

        E.g.: subjectAltName=DNS:$1

      • Replace the Country C=XX, the Organization O=XX and the Common Name CN=XX suitable for you.

        E.g.: "/C=RO/O=Bitdefender/CN=MDM Signing Certificate/"
       
    7. createchain.sh

      #!/bin/bash

      cat root.cer sgn.cer >chain.pem

    8. noCA.cnf

      basicConstraints=CA:false

  2. Generate the certificates with the use of the previously created scripts.
    In bash shell, run the scripts as root user in the following order:
    1. The Root certificate

      #chmod +x createroot.sh
      #./createroot.sh

      Remember the password protecting the private key.
      Result files: root.cer, rootkey.pem.
       
    2. Control Center Security Certificate

      #chmod +x createssl.sh
      #./createssl.sh IP|FQHN

      Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
      As always, remember the password.
      Result files: the SSL certificate - ssl.cer, the private key - sslkey.pem.
       
    3. Communication Server Certificate

      #chmod +x createcom.sh
      #./createcom.sh IP|FQHN

      Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
      As always, remember the password.
      Result files: com.cer, comkey.pem.
       
    4. Incidents Server Certificate

      #chmod +x createincident.sh
      #./createincident.sh IP|FQHN

      Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
      As always, remember the password.
      Result files: incident.cer, incidentkey.pem.
       
    5. Endpoint - Security Server Certificate

      #chmod +x createsvacom.sh
      #./createsvacom.sh IP|FQHN

      Provide either the IP or the Fully Qualified Host Name depending on the configuration of the server.
      As always, remember the password.
      Result files: svacom.cer, svacomkey.pem.
       
    6. Apple MDM Push Certificate
      Apple issues this certificate directly to your company, but it requires that your Certificate Signing Request be signed by Bitdefender. Control Center provides a wizard to help you easily obtain your Apple MDM Push certificate.
       
      note Note:

      You will need an Apple ID to obtain the certificate. If you do not have an Apple ID, you can create one here. Make sure to validate your Apple ID and set a security question before proceeding to obtain your Apple MDM Push certificate.
    7. iOS MDM Identity and Profile Signing Certificate

      #chmod +x createsgn.sh
      #./createsgn.sh IP|FQHN

      Provide the password for the Root and be sure to remember the password protecting the private key of this certificate.
      Result files: sgn.cer, sgnkey.pem.
       
    8. iOS MDM Trust Chain Certificates

      #chmod +x createchain.sh
      #./createchain.sh

      Result files: chain.pem. Also a file called root.serial is created, simply ignore it.
       
  3. Upload the corresponding files into Control Center.
    The upload procedure is explained in the Certificates subsection from the GravityZone Installation Guide.
Can't find a solution for your problem? Open an email ticket and we will answer the question or concern in the shortest time possible.

Rate this article:

Submit