For more information on this topic, please see KACE SMA Course 1 Installing the KACE SMA: Module 1: Initial Setup Overview - Free and KACE SMA Course 1 Installing the KACE SMA: Module 2: Settings and Security Settings - Free. Additional SMA Educational Services are available as well.
I. Before implementing SSL, review the following considerations:
- Ensure the KACE SMA web server name has the same domain name suffix as specified in the domain field in System | Settings | Network Settings (e.g. web server name support.kace.com and domain name kace.com).
- Ensure the KACE SMA web server name is resolvable by all DNS servers that the clients will use.
- Run and download backups prior to SSL implementation - see How to manage backup files via FTP.
- The KACE web server name must be the FQDN on the certificate, because devices connect to the appliance using this name (this consideration applies when using third-party certificates).
- Do not check the box "Enable Forward port 80 to port 443" until you have verified that you can successfully reach the KACE SMA over https://.
II. How to apply a KACE SMA self-signed certificate?
The KACE SMA can generate a self-signed certificate. To do so, follow these steps:
- Go to Settings | Control Panel | Security Settings
- Check “Enable SSL”
- Click on "Generate CSR (Certificate Signing Request) or Self-Signed SSL Certificate" and then on "SSL Certificate Form". Complete the “SSL Certificate Form” and save the changes.
- Click on “Generate Self-Signed Certificate”, then on “Deploy Self-Signed Certificate”, and click “Yes” to confirm the changes. Note: this operation does not restart the KACE server. If KACE fails to apply the changes, generate and deploy the self-signed certificate once again.
Note: the browser will show the certificate as not trusted. This is normal behavior because the KACE SMA is not a trusted certificate authority (CA).
To renew a self-signed certificate, follow the same steps listed above.
III. How to implement third-party certificates in KACE SMA?
How to generate the certificates: copy the entire text listed under Certificate Signing Request (CSR) - see Settings › Control Panel › Security > Generate CSR (Certificate Signing Request) or Self-Signed SSL Certificate > SSL Certificate Form - including the lines -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----, and send it to whoever provides your company with web server certificates.
To implement a certificate using a third-party certificate issuer:
The requirements for a certificate to work are:
- The certificate itself.
- This article doesn't cover using a PKCS-12 certificate (.pkcs12, .pfx, .p12). However, the steps are the same, apart from which files you upload.
- The private key the certificate signing request (CSR) was generated with. The private key is displayed on the Generate CSR page: check the box for Display Appliance Private Key and copy ALL the text, including the dashes. Save it to a text file called private.key. Note: if using Notepad, save using the All Files option so it does not append .txt to the name. It must be named EXACTLY private.key. Store this key in a secure location.
- Any applicable intermediate certificate; see Appendix A for more information on intermediate certificates.
Apply the certificate
- Go to Settings | Control Panel | Security Settings
- Check the box for Enable port 80 access (Port 80 is checked by default)
- Check the box Enable SSL
- Make sure the box for port redirection, "Enable Forward port 80 to port 443," is unchecked. You can change this after you confirm that the certificate works (able to reach KACE using https://).
- Check the "Upload PEM SSL Certificate" box
- Upload the private.key
- Upload the kbox.crt
- Optional step: If you require an intermediate then check the Use Intermediate SSL Certificate box and upload intermediate.crt.
- Click on Save and restart services
IV. Common issues after applying SSL and other troubleshooting steps:
HTTP works, but HTTPS does not.
- Ensure port 443 is open for the KACE SMA (most commonly blocked when the KACE SMA is in a DMZ).
- The intermediate certificate was not included when it was required (see Appendix A). Double-click the KBOX.crt file and open the Certification Path tab: if the path has 3 levels, an intermediate certificate is usually needed; if there are only 2 levels, it should be fine.
- Ensure that the modulus checksums of your certificate and private key match. Download and install the OpenSSL toolkit and run these commands; the two MD5 values must be identical:
- openssl x509 -noout -modulus -in KBOX.crt | openssl md5
- openssl rsa -noout -modulus -in private.key | openssl md5
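The following script is an added example, not part of this article or of the KACE product: it wraps the two modulus commands above into a pass/fail check you can run on kbox.crt and private.key before uploading them in the "Apply the certificate" step, and adds a subject/issuer comparison that tells whether a certificate is self-signed or was issued by a CA (in which case an intermediate is usually required). The file names, the temp directory and the throwaway certificates it generates are constructed sample input.

```shell
#!/bin/sh
# Added example (not KACE code): pre-flight checks for the PEM files the
# KACE SMA "Upload PEM SSL Certificate" step asks for. Requires openssl.

# MD5 of the RSA modulus in a PEM certificate (same command as the article).
cert_modulus() { openssl x509 -noout -modulus -in "$1" | openssl md5; }

# MD5 of the RSA modulus in a PEM private key (PKCS#1 or PKCS#8, unencrypted).
key_modulus()  { openssl rsa  -noout -modulus -in "$1" | openssl md5; }

# Return 0 when the certificate and private key share a modulus, 1 otherwise.
# A mismatch means the key you saved is not the one the CSR was made with.
check_cert_key_match() {
    c=$(cert_modulus "$1") || return 1
    k=$(key_modulus  "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 when the issuer equals the subject (self-signed). A third-party
# certificate whose issuer differs was signed by a CA, usually an
# intermediate, so expect to upload intermediate.crt as well.
cert_is_self_signed() {
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject=//') || return 1
    i=$(openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer=//')  || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Constructed sample input: a throwaway self-signed cert with its matching
# key, plus a second key that does NOT match. Prints the temp directory.
make_sample_certs() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sma.example.com" \
        -keyout "$d/private.key" -out "$d/kbox.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    echo "$d"
}

# Demo run against the constructed files.
dir=$(make_sample_certs)
if check_cert_key_match "$dir/kbox.crt" "$dir/private.key"; then
    echo "kbox.crt and private.key match"
else
    echo "kbox.crt and private.key DO NOT match"
fi
if cert_is_self_signed "$dir/kbox.crt"; then
    echo "kbox.crt is self-signed: no intermediate needed"
else
    echo "kbox.crt was issued by a CA: check whether an intermediate is required"
fi
rm -rf "$dir"
```

To check real files, point check_cert_key_match and cert_is_self_signed at the kbox.crt and private.key you intend to upload.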
The KACE SMA web interface is inaccessible after applying a certificate.
This is most likely caused by enabling the redirect from port 80 to 443 without testing first; do not power off or restart the KACE SMA!
- Ping KACE SMA
- Get console access to the KACE SMA
- Login as 'netdiag' for both username/password, and use the 'httpd80' command to remove SSL setup.
- Bring up the SMA web interface and turn off all SSL settings – this will restart the Web service.
- Proceed to review SSL setup configuration.
For additional questions and assistance, contact KACE Support.
V. Reference Material:
APPENDIX A - CERT TYPES
- Certificate Authority (CA) – This is where your certificates are issued from, and it can be a Root or Intermediate CA.
- Individual SSL certificate – This is a certificate that can only be used on one server, the SMA's web server name must match the name on the certificate. This is the most common certificate you will see.
- Internal CA Certificate – An internal domain server is being used as a signing authority, generally used when the SMA is internal only. The certificate must be installed on the clients to work.
- Intermediate (chained) certificate – This is a certificate that links an Intermediate Certificate Authority to a Root Certificate Authority, so that a certificate issued by the intermediate can be validated up to the root.
- UCC certificate – This is a certificate that can be used on a number of servers; the web server name must match one of the names on the certificate.
- Unlimited Subdomain (Wildcard) certificate – This is a certificate that can be used on any number of systems in a domain; the web server name's domain must match the domain listed on the certificate (e.g. "sma.test.com" for a "*.test.com" certificate).
- Self-signed certificate – A certificate that is generated and signed by its own creator.
- Root CA Certificate - As of this moment, this certificate type is not compatible with the SMA. Where possible, add the SMA to the exception list to not require Root certificates.
- Let's Encrypt Certificate - As of version 13.0, these are now integrated into the SMA. More info here