BMC Discovery uses self-signed certificates to encrypt communication between system components (appliances, Windows proxies).
I am not referring to the certificates used to encrypt the communication between Discovery and target systems, nor between Discovery and end users.
According to the docs, the secure communication between elements of the system uses CORBA over TLS (Transport Layer Security) with the following details:
- Protocol: TLSv1.2
- Encryption: AES_256_CBC
- Message hashing: SHA-256
- Key Exchange: DHE_RSA (2048)
The certificates are valid for a period of 10 years.
Because of security policies, the customer has to reduce the validity period (max. 2 years) or increase the key size (min. 4096 bits).
Allowing configurable key parameters enables the customer to meet the security requirements.
I suggest making the key generation configurable, as is already possible for HTTPS certificates.
In this case the attributes of interest are the RSA key length and the certificate validity period, which could look like this:
Additionally, it could be necessary to change the encryption or key exchange algorithm.
The dialog could be implemented on the Appliance Certificates page.
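To make the requested policy concrete, here is an added example (not BMC's code and not part of the original request) in POSIX shell: it generates a self-signed RSA certificate with a configurable key length and validity period, then checks an existing certificate against the two limits named above (min. key bits, max. validity days). It assumes the openssl CLI and GNU coreutils date; the file names and subject are constructed for the example.

```shell
#!/bin/sh
# Added example: self-signed certificate with configurable RSA key length and
# validity period, plus a policy check (min. key bits, max. validity days).
# Assumes the openssl CLI and GNU coreutils date (for "date -d" parsing).
set -eu

# gen_selfsigned PREFIX KEY_BITS DAYS -> writes PREFIX.key and PREFIX.crt
gen_selfsigned() {
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days "$3" \
    -subj "/CN=example-appliance" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# cert_key_bits CERT -> RSA modulus size in bits, taken from the text dump
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_validity_days CERT -> whole days between notBefore and notAfter
cert_validity_days() {
  nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
  na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
  echo $(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
}

# policy_ok CERT MIN_BITS MAX_DAYS -> returns 0 if compliant, 1 otherwise
policy_ok() {
  bits=$(cert_key_bits "$1"); days=$(cert_validity_days "$1"); rc=0
  [ "$bits" -ge "$2" ] || { echo "FAIL: RSA key $bits bits < $2"; rc=1; }
  [ "$days" -le "$3" ] || { echo "FAIL: validity $days days > $3"; rc=1; }
  if [ $rc -eq 0 ]; then echo "OK: $bits-bit key, valid $days days"; fi
  return $rc
}

# Usage: ./check_cert.sh CERT MIN_BITS MAX_DAYS   (e.g. appliance.crt 4096 730)
if [ $# -eq 3 ]; then policy_ok "$1" "$2" "$3"; fi
```

Run against a 10-year, 2048-bit certificate the check reports both violations; a 2-year, 4096-bit certificate passes.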