Summary:  Helpful information when considering implementing SSL with the K1000 appliance

SSL GUIDE FOR THE K1000

All you need for a certificate to work is:

1. The certificate itself.

2. The private key the certificate signing request (CSR) was generated with.

3. Any applicable intermediate certificates (most signing authorities like GoDaddy require this now). See Appendix A for more information on intermediate certificates.

Before you generate the certificate, it's important to do the following:

1. Ensure the K1000's web server name has the same domain name suffix as specified in the domain field in System > Settings > Network Settings (i.e. web server name is support.kace.com and domain name is kace.com)

2. Ensure the K1000's web server name is resolvable by all DNS servers that the clients will use. For example, if I have agents inside the network and others on the internet can they both resolve the K1000’s web server name?

3. Ensure that the signing authority used to create the certificate (i.e. GoDaddy) exists as a trusted root on their client machines? If you open the certificate manager (certmgr.msc on windows) do you see that authority listed under “Trusted Root Certification Authorities\Certificates”?

4. Did you complete the Certificate Signing Request (CSR) at Settings > Security Settings > Certificate Wizard? (This will generate a 1024-bit CSR. If you need a 2048-CSR, please see Appendix B for instructions.)

• Did you copy and paste your private key from the KBOX Certificate Wizard as private.key?

5. Did the certificate authority accept the CSR and give you back an Apache x509 certificate, which is PEM base 64 encoded? Open the certificate in notepad and it should be a key encoded between these lines: "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

6. Did you save and rename your certificate as KBOX.crt?

7. Do the checksums of your crt and private key match? Install the OpenSSL toolkit and run these commands:

• openssl x509 -noout -modulus -in KBOX.crt | openssl md5
• openssl rsa -noout -modulus -in private.key | openssl md5

FOR THE SAKE OF SIMPLICITY, LET’S JUST RENAME THE CERTIFICATE TO KBOX.CRT, THE PRIVATE KEY FILE TO PRIVATE.KEY, AND THE INTERMEDIATE CERTIFICATE TO INTERMEDIATE.CRT.

Before you apply the certificate, it's important to do the following:

1. Review this KB article: http://www.kace.com/support/kb/index.php?action=artikel&cat=6&id=833&artlang=en

2. Ensure the K1000 is running 5.2 or later, although you can still use 5.1 if an intermediate certificate is not required.

3. Ensure that all of the client agents are 5.1 or newer.

4. Take your backups off the KBOX. Use FTP if they are more than 2 GB: http://www.kace.com/support/kb/index.php?action=artikel&cat=1&id=515&artlang=en

5. Enable SSH on the K1000 (System > Settings > Security > Enable SSH). This will require a reboot!

6. Download Putty: ftp.chiark.greenend.org.uk/users/sgtatham/putty-latest/x86/putty.exe

7. Open Putty and put the K1000 host name or IP address in the host name field, leave the port at 22 and hit open. It may prompt you to allow a key, allow it. It should then bring you to a "login as:" prompt. If not, then there may be something like a firewall blocking the port or security software that is not allowing the connection.

To apply the certificate:

1. Go to System > Settings > Security

2. Check the box for Enable port 80 access

3. Check the box for SSL Enabled on port 443

4. Confirm the box for port redirection, “Forward port 80 to port 443,” is UNCHECKED. You can change this after you confirm that the certificate works.

5. Upload the private.key

6. Upload the KBOX.crt

7. If you require an intermediate then check the Use Intermediate SSL Certificate box and upload intermediate.crt

8. Once you save your changes, the K1000 will reboot.

9. When it comes back up, try accessing https://kbox/admin

     a. If you get a web page and don’t get a security exception, the certificate took properly. It would be a good practice to monitor your agents for a bit, if nothing looks off, enable port redirection if desired.

     b. If you get a web page and a security exception and

         i. have agents OLDER than 5.1, then disable SSL as quickly as you can or your agents will be orphaned

         ii. all agents are 5.1+ then your certificate did not take (possibly self-signed? missing intermediate?) and the agents will not be able to check in until you install a valid certificate.

Common Issues:

1. Clients do not check in after SSL is enabled.

     a. Ensure that the SMMP.conf/amp.conf files match the host name listed on the SSL certificate, which should also match the web server name in the K1000’s network settings.

     b. Check on the client systems and ensure that the signing authority used to create the certificate exists as a trusted root on their client machines. If you open the certificate manager (certmgr.msc on windows) do you see that authority listed under “Trusted Root Certification Authorities\Certificates”? Some customers might have an internal authority listed here which is fine if all their agents are going to be on the domain and have this authority manually installed.

2. HTTP works, but HTTPS does not.

     a. Ensure port 443 is open, especially when the K1000 is in a DMZ.

     b. Customer did not include an intermediate certificate when it is required. See Appendix A for a screenshot, just double click the KBOX.crt file and click on the certification path tab. If it has 3 levels, then it usually needs an intermediate certificate. If there are only 2 levels, you should be good.

     c. Ensure that the checksums of your crt and private key match. Install the OpenSSL toolkit and run these commands:

• openssl x509 -noout -modulus -in KBOX.crt | openssl md5
• openssl rsa -noout -modulus -in private.key | openssl md5

3. Customer does not have the private key.

     a. If the K1000’s Certificate Wizard was used to generate the CSR, you can go back into the wizard, copy the private key, paste it into Notepad, and save it as private.key.

     b. If the K1000 wasn’t used to generate the CSR, the customer will need to contact whoever generated the CSR and it would be a good idea to check the checksums of the cert and private key to make sure they match (see step 2c).

4. The K1000's web interface is inaccessible after applying a certificate.

     This is likely due to enabling redirect of port 80 to 443 without testing; DO NOT POWER THE KBOX DOWN! Please contact support at 1-888-522-3638 to get assistance with this matter.

Appendix A:

Certificate Authority (CA) – This is the where your certificates are issued from, and it can be a Root or Intermediate CA.

Individual SSL Certificate – This is a certificate that can only be used for one server. The K1000’s web server name must match the name on the certificate.

Internal CA Certificate – An internal domain server is being used as a signing authority, generally used when the KBOX is internal only. The certificate must be installed on the clients to work.

Intermediate (Chained) Certificate – This is a certificate that is used to validate an Intermediate Certificate Authority with a Root Certificate Authority.

Below is  the Go Daddy Class 2 Certification Authority (Root CA) issues a certificate to the Go Daddy Secure Certification Authority (Intermediate CA), who then issues a certificate to *.kace.com. There is a chain of trust, so all of the links in the chain need to be present. This is why an intermediate certificate is required. If Go Daddy Class 2 Certification Authority issued a certificate to your server, then you wouldn’t need an intermediate because it is the Root CA.

UCC Certificate – This is a certificate that can be used on a number of servers, web server name must match one of the names on the certificate.

Unlimited Subdomain (Wildcard) Certificate – This is a certificate that can be used on any number of systems on a domain, web server name’s domain must match the domain listed on the certificate. (i.e. “KBOX.test.com” for “*.test.com” cert)

Appendix B:

Here’s where you get the OpenSSL toolkit: http://www.slproweb.com/products/Win32OpenSSL.html - please note there are separate x86 and x64 binaries. You may also need to install the Visual C++ 2008 Redistributable. You can manually generate a new 2048-bit private key and certificate request after downloading/installing the OpenSSL toolkit by running the following command:

          openssl req -nodes -newkey rsa:2048 -keyout private.key -out server.csr

You will need to put your KBOX Web Server Name (in Network Settings) as the common name for the certificate. We recommend copying the same fields in the built-in K1000 SSL Certificate Wizard.

If you get errors when running the OpenSSL commands like “Warning: can't open config file: /usr/local/ssl/openssl.cnf”, you can either ignore it or set the environmental variable for it by running this command (Just verify that the file is actually in the C:\OpenSSL-Win32\bin path before running it):

          set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Here’s an example of running the commands to ensure that the private key you’re uploading matches the one in the certificate: