Applying a root certificate authority certificate to a managed computer
Before you migrate a managed computer to Cloud-enabled Management, you must ensure that the agent can communicate with Notification Server and site servers using HTTPS. To use HTTPS for communication, the agent must trust Notification Server and the site servers. If necessary, you can add the appropriate root certificate authority (CA) certificates to the Trusted Root Certification Authorities store of the Local Computer account on the managed computer.
You can export the appropriate self-signed certificate from Notification Server. If Notification Server does not use a self-signed certificate, you need to export the root CA for the certificate chain that Notification Server uses.
To apply the exported CA certificate to a client computer, you can use a command line or Microsoft Management Console. Alternatively, you can use the Active Directory group policy to roll out the certificate or reinstall the Symantec Management Agent with automatic certificate delivery enabled.
This task is a step in the process for preparing your environment for Cloud-enabled Management.
To export a root CA certificate from Notification Server
On the Notification Server computer, start Microsoft Management Console.
Add the Certificates snap-in for the Computer account > Local Computer, and then navigate to Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates.
Right-click the certificate authority that you want to export:
SMP <NS_Name> Agent CA
This certificate authority issues Agent certificates. Symantec Management Agents use these certificates when they communicate with Notification Server and site servers through an Internet gateway.
The Internet gateway must have this CA installed to trust the connecting clients.
SMP <NS_Name> Server CA
This certificate authority issues Server certificates. Site servers use these certificates to authenticate themselves.
When Symantec Management Agents contact the site server, they verify the server certificate.
Click All Tasks > Export.
In the Certificate Export Wizard, specify the following settings:
Select No, do not export the private key.
Select DER encoded binary X.509 (.CER).
Specify the path and name of the exported certificate file.
Click Finish, and then close the export confirmation pop-up window.
You can then take the file to a managed computer and apply the certificate manually. Alternatively, you can roll the certificate out to managed computers using a Package Delivery task or an Active Directory group policy.
To manually apply a root CA certificate to a managed computer using a command line
On the appropriate managed computer, place the certificate file in the Symantec Management Agent installation folder.
The default folder is the <Install Dir>:\Program Files\Altiris\Altiris Agent folder.
Open a command prompt window and type the following command line:
To manually apply a root CA certificate to a managed computer using Microsoft Management Console
Place the certificate file in a location that is accessible from the managed computer.
On the managed computer, start Microsoft Management Console.
Add the Certificates snap-in for the Computer account > Local Computer, and then open the Console Root > Certificates (Local Computer) folder.
Right-click Trusted Root Certification Authorities and then select All Tasks > Import.
In the Certificate Import Wizard, specify the path and the file name of the certificate file that you want to import.
Click Next to accept the default location and other settings, and then click Finish.
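A scripted equivalent of the import above that checks the file before trusting it, as an added example (not from the original page or from the product vendor). The file path and the expected thumbprint are placeholders; the thumbprint is assumed to have been read from the certificate on Notification Server at export time.

```powershell
# Run in an elevated PowerShell session on the managed computer.
param(
    [string]$CertPath = 'C:\Temp\exported-root-ca.cer',                    # placeholder path
    [string]$ExpectedThumbprint = '<THUMBPRINT-FROM-NOTIFICATION-SERVER>'  # placeholder value
)
$ErrorActionPreference = 'Stop'

# Parse the file only; nothing is added to any store at this point.
$path = (Resolve-Path -LiteralPath $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)

# 1. The file must be the certificate that was exported, not a look-alike.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# 2. A root is self-issued; an intermediate or leaf does not belong in Root.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-issued: issuer is '$($cert.Issuer)'"
}

# 3. Reject an expired or not-yet-valid certificate.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
}

# 4. Warn when Basic Constraints does not mark it as a CA (a self-signed
#    server certificate may legitimately lack the flag).
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    Write-Warning 'Basic Constraints does not assert CA=true'
}

# 5. Import into Local Computer > Trusted Root Certification Authorities.
$store = 'Cert:\LocalMachine\Root'
if (Test-Path -LiteralPath "$store\$($cert.Thumbprint)") {
    Write-Output "Already trusted: $($cert.Subject)"
} else {
    Import-Certificate -FilePath $path -CertStoreLocation $store | Out-Null
    Write-Output "Imported $($cert.Subject) [$($cert.Thumbprint)]"
}
```

The script stops at the first failed check, so a file that does not match the expected thumbprint is never added to the store.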
To apply a root CA certificate to managed computers by reinstalling the Symantec Management Agent
In the Symantec Management Console, on the Settings menu, click All Settings.
In the left pane, expand Agents/Plug-ins > Symantec Management Agent > Settings, and then click Symantec Management Agent Install.
On the Symantec Management Agent Install page, on the Install Agent tab, under Rollout Agent to Computers, click Settings.
In the Symantec Management Agent Installation Options dialog box, check Install Server certificate to the client machine and click OK.
On the Symantec Management Agent Install page, on the Install Agent tab, under Rollout Agent to Computers, select the computers on which to install the Symantec Management Agent, and then click Install.