Client Management: SSL certificate warnings may be displayed when accessing the Client Management web interface pages (Windows)

Version 6
    Share This:

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    BMC Client Management


    Client Management


    BMC Client Management (all versions) + WIndows OS


    When I access to MyApps a warning is displayed or any other page related to the agent web interface. To access to the pages, I have to click on "Advanced..." then "Accept the Risk and Continue":

    User-added image

    Should I be worried?


    The Client Management Certificate Authority certificate has not been installed for the devices.


    This is being displayed because this certificate is unknown to the system as of now. This is resolved by importing the certificate from the C:\Program Files\BMC Software\Client Management\Master\bin\certs\auth\_CHECKSUM_\BCM.crt. More information here: Client Management: How to identify the certificate authority trusted by the master

    1- Windows:

    Method A: Manual Certificate Import

    1. Open the folder C:\Program Files\BMC Software\Client Management\Master\bin\certs\auth\<checksum>\BCM.crt. More information here: Client Management: How to identify the certificate authority trusted by the master
    3. Right click on the certificate and select "Install Certificate"
    5. Choose Local Machine in the import dialog and select NEXT
    7. Choose Place all Certification in the following store then browse and select -> Trusted Root Certification Authorities.
    9. Close then reopen the browser and browse to the agent web interface
    11. Make sure the error is not displayed anymore
    More information on using the certificate import wizard is available from Microsoft, and for the purposes of this article, steps 5 through 9 from   this TechNet blog post can be followed. 

    Method B: Using MMC snap-in  
    1. Run the following command line: "mmc"
    3. Add snap-ins from File > Add/Remove Snap-in > Certificates > Local computer and Users
    5. Go to Certificates > Trusted Root Certification Authority > certificates > Right click > All Tasks > Imports > From C:/Program Files/BMC Software/Client Management/Client /bin/certs/auth 
    7. Click on Data Modified (Choose latest date folder) and choose the .crt file to import. Click Yes.
    9. Run gpupdate /force as an administrator
    11. Close then reopen the browser and browse to the agent web interface
    13. Make sure the error is not displayed anymore

    Method C: GPO 

    The best method, if a domain is available, is to distribute certificates to computers through a GPO.  
    1. Make sure that the Active directory does have Active Directory Certificate Services installed.
    3. Click Start, point to Administrative Tools, and then click Group Policy Management.
    5. Then:     
      1. Find an existing Group Policy object (GPO) or create a new GPO to contain the certificate settings. Ensure that the GPO is associated with the domain, site, or organizational unit (OU) where the appropriate user and computer accounts reside.
      3. Right-click the GPO, and then click Edit.
      5. In the console tree, open Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies, right-click Trusted Root Certification Authorities, and then click Import.
      7. On the Welcome to the Certificate Import Wizard page, click Next.
      9. On the File to Import page, type the path to the appropriate certificate files (for example, our bcm file From C:\Program Files\BMC Software\Client Management\Master\bin\certs\auth\<checksum>\BCM.crt.The correct cert to import may vary and should be verified by reviewing the definition of CertsAuth= in the \Master\config\mtxagent.ini file. More information here: How to identify the authorities trusted by the master
      11. On the Certificate Store page, click Place all certificates in the following store, and then click Next.
      13. On the Completing the Certificate Import Wizard page, verify that the information provided is accurate, and then click Finish.
      15. Run gpupdate /force as an administrator
      17. Close then reopen the browser and browse to the agent web interface
      19. Make sure the error is not displayed anymore
    Method D: Through a package:  
      D1 - Windows 
      This method can be used if the devices are not in a domain:  
    - create a package on a windows based package factory  
    - add the .crt to the package  
    - in the tab "Configuration" set: 
      - Overwrite: Yes Yes No Yes 
      - Destination: set the path to copy the .cert to first 
      - do not set anything else 
      - publish the package  
    - create an operational rule  
    - add the package to it  
    - add the step "Execute Program" and set it to run the following command line: 
      certutil -addstore Root    _PATH_TO_CERT_.crt 
      Where    _PATH_TO_CERT_.crt   must be replaced by the path to which the crt has been copied by the package, e.g C:/temp/bcm.crt, as per set into the Destination field of the package for this example. 
      - assign the operational rule to a test device  
    - Close then reopen the browser and browse to the agent web interface  
    - Make sure the error is not displayed anymore 
      D2 - linux  
      - create a package on a mac os based package factory  
    - follow the exact same steps than in D1 but the part on the command line  
    - set the command line in the step "Execute Program" to: 
      security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "CertFile.crt" 
    Note: to learn more about certificates in BCM, refer to this KA:    Client Management: About SSL certificates


    Article Number:


    Article Type:

    Solutions to a Product Problem

      Looking for additional information?    Search BMC Support  or  Browse Knowledge Articles