Obtaining a Digital Certificate

Obtaining a Digital Certificate

A digital certificate is the digital equivalent of an ID card used with a public key encryption system. Also known as digital IDs, digital certificates are issued by trusted third parties known as Certification Authorities (CAs). This document assumes that the reader has prior knowledge of Public Key Infrastructure (PKI) and its related terminology.

For further details, refer to the Microsoft Knowledge Base article, see How to implement SSL in IIS.

There are two main considerations for deciding from where to obtain digital certificates, and what information they will contain:

  • Digital Certificate source - Internal CA, 3rd-party CA, or Self-Signed

  • Digital Certificate Common Name

Digital Certificate Source

A digital certificate must be issued from a Certificate Authority (CA), either a 3rd-party commercial CA (such as, Verisign, Thawte, Godaddy, Rapid SSL, and others), or from an internal CA. Third-party CAs sell digital certificates at prices ranging from a few dollars to a few hundred dollars per year, depending on the type of certificate issued, and other considerations, such as the CA's reputation.

However, most operating systems are preconfigured to trust a list of known 3rd-party CAs. This facilitates deployment since you do not need to import anything to the computers running the ObserveIT Agents. To avoid paying for a digital certificate, you can use an internal CA. Note that Windows Server 2008/2012 has a built-in CA that you can install and use.

In cases where an internal CA is not required, or where such a deployment cannot be achieved, you can also use a Self-Signed Digital Certificate.

For instructions on how to create a Self-Signed Digital Certificate for securing communication between the Agents and the Application Server, see Creating a Self-Signed Digital Certificate.

After a digital certificate is obtained, you must import the root CA digital certificate or the self-signed digital certificate to each client computer running the ObserveIT Agent, so that they trust your digital certificate source. For details, see Trusting a Digital Certificate.

After a digital certificate is obtained, you must import the root CA digital certificate or the self-signed digital certificate to each client computer running the ObserveIT Agent, so that they trust your digital certificate source.

Digital Certificate Common Name

  1. When issuing a digital certificate for the ObserveIT Application Server, you must make sure that the Common Name field or the Issued to field on that certificate contains the same name as the URL of the ObserveIT Application Server.

    For example, if the ObserveIT Agents use the following Fully Qualified Domain Name (or FQDN) to connect to the ObserveIT Application Server:

    server100.mydomain.local

    Then the same exact name MUST be used when issuing the digital certificate for the ObserveIT Application Server.

  2. When connecting to the ObserveIT Application Server, an IP address can be used instead of an FQDN. If the following IP address is used by the ObserveIT Agents to connect to the ObserveIT Application Server:

    192.168.200.33

    The same exact IP address MUST be used when issuing the digital certificate for the ObserveIT Application Server.

  3. at ObserveIT.ClientSetupActions.ClientInstaller.Install(IDictionary stateSaver)

  4. If you do not follow these guidelines, an error message similar to one of the following appears:

    System.Net.WebException: The underlying connection was closed: Unable to connect to the remote server.

    at ObserveIT.ClientSetupActions.RegisterServerManager.GetLicenseStatus()

    at ObserveIT.ClientSetupActions.ClientInstaller.Install(IDictionary stateSaver)

    -Or-

    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship with remote server.

    at System.Net.HttpWebRequest.CheckFinalStatus()

    at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult)

    at System.Net.HttpWebRequest.GetRequestStream()

    at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)

    at ObserveIT.ClientSetupActions.Proxy.HeartBeatPrxClone.IsAlive()

    While not viewable by the ObserveIT Agent, if you manually try to connect to the ObserveIT Web Console while using an FQDN or IP address that does not match the one listed in the server's SSL digital certificate, a warning appears in the Web browser, similar to that shown in the following screenshot.

    If you click Continue to this website (not recommended), you can view the digital certificate error message (by clicking the button).