How can we improve the SMA (K1000)?

SSL Certificate

Would like to request the ability to upload certificates for the use of SSL. It would be helpful to have this feature added under the K1000 Agent Settings section. This way after the certificate has been uploaded, all clients would be able to obtain it instead of manually placing the certificate it on every client machine that has been inventoried.

5 votes
Vote
Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
You have left! (?) (thinking…)
K2000 shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

3 comments

Sign in
(thinking…)
Sign in with: Facebook Google
Signed in as (Sign out)
Submitting...
  • Michael Galhouse commented  ·   ·  Flag as inappropriate

    Since version 7 operates over port 443, this problem is now much more serious. According to this article, the agents only support CAs that are listed in an internal file that's distributed with the agent on install.

    https://support.quest.com/kace-systems-management-appliance/kb/128111

    If your cert is signed by a private authority, which is not in this list, you will be unable to re-enable verify SSL until this is fixed.

    SSL will continue to work for encryption, but the initial verification of the certificate won't happen. The product should be able to handle either adding a custom trusted CA or using the OS's trusted CA list.

  • Joseph Rehling commented  ·   ·  Flag as inappropriate

    I agree with this request. There needs to be a way to push out the root certificate as a trusted CA. Kace seems to think that everyone should be using public Certificate authorities, but standing up an internal CA is another common option. With Windows systems I can push out the new trusted root CA through group policy, but pushing to MACs is proving to be a lot more difficult.

  • Jim Scheirer commented  ·   ·  Flag as inappropriate

    I assume you referring to self-signed certificates, because clients shouldn't need to download a ssl cert if it's purchased from a CA. Especially with support for intermediate certificates, I can't see where a single browser out there would need to download a cert unless it's self-signed. Plus the K1000 can already create it's own self signed certs, I would assume what you would want to do is automatically place the installable client cert somewhere that it can be d/l and installed by the use. That actually work be nice in the case you have the box create self-signed one.

Feedback and Knowledge Base