How To Enable Self-Signed Support for Dell Manager in Dell Encryption

Summary: This article provides information about how to configure Dell Encryption (formerly Dell Data Protection | Encryption) to disable certificate trust chain checking.


Symptoms

Affected Products:

  • Dell Encryption
  • Dell Data Protection | Encryption

Dell Encryption software uses a self-signed certificate for its Java-based components. Self-signed certificates are not required to deploy Dell Encryption on the network.

Cause

Not Applicable

Resolution

Information about Self-Signed Certificate

We recommend a self-signed certificate only in a non-production environment. If your organization requires an SSL server certificate, or you must create a certificate for other reasons, see the Dell Data Protection | Edition Enterprise Installation and Migration Guide section on "Create a Self-Signed Certificate Using Keytool and Generate a Certificate Signing Request". That section describes the process to create a Java keystore using Keytool.

Note: The Device Manager (DM) certificate is used to sign the policy bundle being sent to the DM.

Server Configuration to allow Self-Signed Dell Manager Certificates

  1. Stop the Dell Core and Dell Compatibility Server Services.
  2. Open the Certificates Management Console for the Local Computer and export the self-signed certificate to a PFX file.
Note: The certificate to export is in the Local Computer\Personal\Certificates keystore in the MMC.
  3. Open the Server Configuration Tool.
  4. Click the Settings tab and check Disable Trust Chain Check.
Note: Disabling the trust chain check disables the check that is performed before the policy bundle is signed. It is not related to SSL.
  5. Click Actions > Import DM Certificate, then proceed through the wizard to locate the PFX file you created in step 2 and import it into the database.
  6. You may have to test the database configuration for this option to be usable.
Note: In previous versions of the Dell Data Protection Server, if a certificate was bad (for example, not having a private key available), the new certificates would be inserted into the database table SigningCertificate, and the original row would be kept. This would cause issues because the Core Server would begin at the first row and then traverse the table, running into the bad certificate again. In the later versions of the Dell Data Protection Server, the row is replaced, eliminating the issue of encountering the bad certificate.
  7. Restart the Dell Core, Compatibility, and Security Server Services.
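
A pre-import check for the PFX file exported in step 2, covering the bad-certificate case from the note above (no private key available). This is an added example, not Dell's tooling; the function name Test-DmSigningPfx and the sample path are hypothetical, and the validity-date check is an extra sanity check the article does not mention.

```powershell
# Added example: sanity-check the exported PFX before "Import DM Certificate".
# Test-DmSigningPfx is a hypothetical helper name, not part of Dell's tooling.
function Test-DmSigningPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    # Throws if the file is not a PFX or the password is wrong.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file, $Password)
    try {
        $now = Get-Date
        $report = [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            # Subject equal to issuer is a heuristic; the signature is not verified here.
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            NotBefore     = $cert.NotBefore
            NotAfter      = $cert.NotAfter
            WithinDates   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        }
    }
    finally {
        $cert.Dispose()
    }

    if (-not $report.HasPrivateKey) {
        Write-Warning 'No private key in this PFX; re-export with the private key included.'
    }
    if (-not $report.WithinDates) {
        Write-Warning "Certificate is outside its validity period ($($report.NotBefore) to $($report.NotAfter))."
    }
    if ($report.SelfSigned) {
        Write-Warning 'Self-signed certificate: the Disable Trust Chain Check setting from the steps above applies.'
    }

    # Added assumption: treat "has a private key and is within its dates" as ready to import.
    $ready = $report.HasPrivateKey -and $report.WithinDates
    $report | Add-Member -NotePropertyName ReadyToImport -NotePropertyValue $ready -PassThru
}

# Sample call; the path is a constructed placeholder.
# Test-DmSigningPfx -Path 'C:\Temp\dm-signing.pfx' -Password (Read-Host 'PFX password' -AsSecureString)
```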

Client Configuration to allow Self-Signed Certificates

Warning: The next step is a Windows Registry edit:
  1. Open the Registry Editor as an administrator.
  2. Go to the following location:
HKLM\System\CurrentControlSet\Services\DellMgmtAgent\Parameters\
  3. Create a DWORD32 value called DisableSSLCertTrust.
  4. Once the value is created, set it to a value of 1.
  5. Restart the client.
Note:
  • A DM policy update should be tested to verify that the certificate is in place and that policies are being sent and received by the endpoint correctly.
  • For Domain Signed Certificate Templates, the default Web Server certificate template must be duplicated. Below are two links to articles created by Microsoft that detail the steps to perform this task, which any Certificate Authority Administrator can do.

Create a New Certificate Template

Once you duplicate the template, choose the request handling tab of the duplicate template and enable the private key to be exported.

Request Handling

Once these steps have been completed, you can now publish the certificate, and once the certificate has been published it should be available to be requested.


To contact support, reference Dell Data Security International Support Phone Numbers.
Go to TechDirect to generate a technical support request online.
For additional insights and resources, join the Dell Security Community Forum.

Article Properties
Article Number: 000130924
Article Type: Solution
Last Modified: 05 Mar 2024
Version:  9