Generating the Administrator’s certificate for signing WAPT packages

Introduction

Naming conventions

  • name of the private key: wapt-private.pem;
  • public certificate signed with private key: wapt-private.crt;

Private key wapt-private.pem

Attention

The wapt-private.pem file is fundamental for security. It must be stored in a safe place and correctly protected.

The wapt-private.pem file is the private key, it is located by default in the C:\private folder of the Administrator workstation.

For better security this private key may be transfered on an external storage. A smartcard support is in the roadmap.

This private key will be used along with the certificate to sign packages before uploading them onto the WAPT repository.

public certificate signed with private key: wapt-private.crt

The wapt-private.crt file is the public certificate that is used along with the private key. It is by default created in the C:\private folder, copied in C:\Program Files (x86)\wapt\ssl of the Administrator and deployed on the desktops managed by the Administrator via WAPT agent or a GPO.

This certificate is used to validate the signature of packages before installation.

Creating a certificate

In the WAPT console go to Tools ‣ Create a certificate;

Creating a self-signed certificate

Creating a self-signed certificate

Creating a certificate - WAPT Community

  • fill in the following fields:
Creating a self-signed certificate

Creating a self-signed certificate

  • click on OK to go on to the next step;

Required informations are:

  • Destination folder: folder where the private key and the public certificate will be stored: required;
  • Name of the private key: name of the .pem and Name of the private key;
  • Private key password: password for locking and unlocking the key: required;
  • Private key password: password for locking and unlocking the key: required;
  • Common Name (CN): name of the Administrator: required;
  • Certificate name: name of the .crt certificate: required;
  • Additional informations: additional details stored in the private key. These informations will help with identifying the origin of the WAPT package: optional;

For a fresh install, you can follow the screenshot below.

Hint

The password complexity must comply with your Organization’s security requirements (eg. ANSSI passwords recommendations).

Danger

  • the path to your private key must not be in the installation path of WAPT (C:\Program Files (x86)\wapt);
  • if your key is stored in C:\Program Files (x86)\wapt, your Administrator private key will be deployed on your clients, absolutely a no go!
Confirmation of the copy of the certificate in the ssl folder

Confirmation of the copy of the certificate in the ssl folder

  • click on Yes to copy the newly generated certificate in the C:\Program Files (x86)\wapt\ssl folder. This certificate will be picked up during the compilation of the WAPT agent and deployed on the client computers.

If everything has gone well the following message will appear:

Certificate generated successfully

Certificate generated successfully

  • click on OK to go on to the next step;

You may go on to the next step and configure your WAPT console!!

Creating a certificate - WAPT Enterprise

With WAPT Enterprise, you can create a Master key with a Certificate Authority flag that can both sign packages and sign new certificates.

Hint

In order to create new signed certificates for delegated, please refer to Differentiating the role level in WAPT.

Creating a self-signed certificate

Creating a self-signed certificate

Required informations are:

  • Destination folder: folder where the private key and the public certificate will be stored: required;
  • Name of the private key: name of the .pem and Name of the private key: name of the .pem and .crt files: required;
  • Private key password: password for locking and unlocking the key: required;
  • Common Name (CN): name of the Administrator: required;
  • Certificate name: name of the .crt certificate: required;
  • Code signing: check this box if the certificate/ key pair will be allowed to sign software packages: required;
  • CA certificate: check this box if this certificate can be used to sign other certificates (main or intermediate Certificate Authority): required;
  • Additional informations: additional details stored in the private key. These informations will help with identifying the origin of the WAPT package: optional;

Hint

The password complexity must comply with your Organization’s security requirements (eg. ANSSI passwords recommendations).

Note

If your Organization is already equipped with an Certificate Authority (CA), you will have to fill the certificate and the key in the fields CA Certificate et CA Key.

With this procedure you can generate new certificate/ key pairs with or without Code Signing capability.

Danger

  • the path to your private key must not be in the installation path of WAPT (C:\Program Files (x86)\wapt );
  • if your key is stored in C:\Program Files (x86)\wapt , your Administrator private key will be deployed on your clients, absolutely a no go!
Confirmation of the copy of the certificate in the ssl folder

Confirmation of the copy of the certificate in the ssl folder

  • click on Yes to copy the newly generated certificate in the C:\Program Files (x86)\wapt\ssl folder. This certificate will be picked up during the compilation of the WAPT agent and deployed on the client computers;

If everything has gone well the following message will appear:

Certificate generated successfully

Certificate generated successfully

  • click on OK to go on to the next step;

You may go on to the next step and configure your WAPT console.