Create a self-signed certificate for an Agent Client Collector (ACC) plugin and verify the signature to enable validation of the signed plugin on endpoint devices.
Before you begin
- Create the ACC plugin tar.gz file on your local computer.
- Make sure that OpenSSL is installed on your local computer.
Role required: admin
Procedure
-
Generate a 2048-bit RSA key and a corresponding self-signed certificate with one year validity by using the following command:
openssl req -nodes -x509 -sha256 -newkey rsa:2048 -keyout "sign.key" -out "sign.crt" -days 365 -subj "/C=IN/ST=TG/L=HYD/O=servicenow/OU=acme/CN=sign"
This command creates a private key (sign.key) and a public certificate (sign.crt).
-
Sign the plugin file with your private key.
openssl dgst -sha256 -sign "sign.key" -out sign.txt.sha256 plugin name.tar.gz
-
Extract the public key from the certificate for signature verification.
openssl x509 -in "sign.crt" -pubkey -noout > pubkey.pem
-
Verify the signature using the public key to confirm the file was signed correctly.
openssl dgst -sha256 -verify pubkey.pem -signature sign.txt.sha256 plugin name.tar.g
-
Encode the signature file using Base64 to enable the ACC agent to validate the plugin.
-
Create a directory to store the signed plugin.
-
Move the plugin archive and signature file to the new directory.
mv plugin name.tar.gz signed-plugin/
mv sign.txt.sha256_encode64.sig signed-plugin/
-
Navigate to the new directory.
-
Create a tar.gz file containing both the plugin archive and the signature file.
tar -C . -zcvf ../sign-test.tar.gz *
-
Copy and place the self-signed certificate (sign.crt) in the certificate directory ([agent_root]/cert) of the ACC agent using one of the following options:
- Copy the file manually.
- Distribute the certificate to agent devices using a device management utility such as Jamf or Microsoft Intune.
-
Add the certificate to the agent trust store.
-
Upload the signed ACC plugin to the ServiceNow instance.