As the client-to-server secure comms is also used by the Agent Handlers, I am assuming that the servers that are running the Agent Handlers only have to trust the signing CA. Or is the validity of the certificate checked at all by the Agent Handlers?
With regards to the agent-to-server secure comms, I could change the certificate used by Apache; however, would this have a knock-on effect on the agent communications, as I do not seem to be able to import SSL keys into the ePO server for this purpose, as mentioned above?
I think I'm going to raise an SR for this also!
Sorry for not seeing this one earlier...
There's no way to change the cert used for agent/server comms, I'm afraid. The keys used by ePO (and referred to in the server settings) are distinct from the SSL certs - they're the agent/server key pairs from earlier versions of ePO that are still used so that non-SSL comms are still secure. You can administer these keys via the console, but there is no similar process for the Apache certificates.
Can I ask what it is you'd like to do, exactly, and the reason for wanting to avoid the self-signed certs? (Just to give me a better understanding...)
Cheers Joe, just got the same answer from support earlier today. Basically, it goes like this:
Pen Tester / Auditor: "OMG we have found self-signed certificates used on this port!"
Project: "... ... aaaaAAAAARRRRRGGGHHHHHHHHH"* <run around, bashing into things>
Me: "I'll have a dig around" <comes to community / support>
As it is not possible, I will simply communicate that back, and hopefully that will be the end of it. I fear it may not be as we go down the path of needing to document how attackers can use this to their advantage, and what is in place and can be in place to mitigate those attacks. The whole affair in my opinion is low low risk (and high level-of-work-required-for-would-be-attacker).
*Dramatic re-enactment. In reality the whole affair was quite calm. Just re-enacting what I have seen to be the norm with these things.
I've asked a senior colleague for their comments - it may be that there's something I'm missing. The problem I can see is that there's no way to distribute the new cert to existing agents short of importing the sitelist or redeploying all the agents, both of which are painful.
Darn your helpfulness Joe, Darn it!
I didn't think it would be possible even with the redistribution of the sitelist or redeploying the agents, as I had no way of importing the keys into ePO security keys for the redistribution. Unless, *if* the certs were amended, the sitelist and security keys were updated automatically (I am sure this is more simple than my brain is making out). I will stick with the official support answer for now (not possible), but if you do happen to come across a feasible and supported path for this, let me know - my curiosity is piqued, and if indeed it is a possibility I need to present it to the project, no matter how much work is involved. Then it can be somebody else's decision on whether to proceed or not :-D
It's the import of the cert (not key) that's the tricky part. We know that ePO can *recreate* the Apache cert: it's something that we do very regularly to repair broken installations that have to be recovered after a disaster - but then you're left with redeploying the agents.
What we don't have a mechanism for is importing a different cert (as opposed to calling ePO's internal function to create a new one.)
At this point I would definitely go with "not possible", but if I do find out anything useful I'll let you know.
Yes, quite right - typing a large number of emails can result in my words getting mixed up. I'm usually quite pedantic about that, and am also usually the one to correct (it avoids confusion later down the line) - tables have turned this time!