We use an internal Certificate Authority for our internal-only servers (which don't have publicly addressable DNS names, so we can't use standard certificates). Our WHD instance is one such internal-only server. Our internal documentation for updating the SSL certificate for Web Help Desk seems to be missing a step, however, because WHD is refusing to accept the .p12 certificate that is generated as a result. Can someone tell me what I might be doing wrong? We have a "createServerCert" shell script that we use to generate .crt files for our internal servers using our internal Certificate Authority.
Our documentation steps are below (scrubbed of identifying information). The InternalTLD is our internal DNS domain, which is not resolvable outside our network.
1) Generate a new CSR:
cd <path to CA directory>
openssl req -new -passout pass:"changeit" -subj "/C=US/ST=[State]/L=[City]/OU=[Org]/CN=webhelpdesk.[InternalTLD]/emailAddress=support@[Email domain]" -out webhelpdesk.[InternalTLD].csr -newkey rsa:2048 -keyout webhelpdesk.[InternalTLD].key
2) Generate new certificate using CA:
./createServerCert.sh webhelpdesk.[InternalTLD]
<enter CA.key password when prompted>
3) Generate Certificate Chain:
cat webhelpdesk.[InternalTLD].crt CA.pem > ~/Desktop/cert-chain.txt
4) Generate PKCS12:
openssl pkcs12 -export -in ~/Desktop/cert-chain.txt -inkey webhelpdesk.[InternalTLD].key -name 'tomcat' -out webhelpdesk.[InternalTLD].p12
4a) Upload webhelpdesk.[InternalTLD].p12 certificate to Setup -> General -> Certificates, enter the export password from step 4 when prompted.
When I go to Setup -> General -> Certificates and upload the certificate, I get an error that says "Web Help Desk could not read the file. Please try again." I can open the .p12 file just fine with Portecle, so the .p12 file itself seems valid and correct. I don't know why WHD is refusing to accept it.
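As an added example (not the poster's documentation, their createServerCert.sh, or anything from Web Help Desk), here is the same CSR, sign, chain, PKCS#12 procedure carried end to end in POSIX shell, with a throwaway CA standing in for the real one and the checks worth running before uploading a .p12 to Setup -> General -> Certificates. The host name webhelpdesk.example.internal, the subject fields, the export password, the alias 'tomcat' and the temp-directory layout are all assumptions. Two deliberate differences from the posted steps: the server key is written without a passphrase (-nodes) so the pkcs12 step needs no key password, and the PKCS#12 is pinned to the SHA1/3DES PBE and SHA1 MAC that every Java keystore reader accepts; OpenSSL 3 otherwise defaults to AES-256-CBC with PBKDF2 and a SHA-256 MAC, which older Java runtimes cannot open even though OpenSSL itself reads the file fine. Requires an openssl binary (1.1.x or 3.x).

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway internal CA
# (stand-in for createServerCert.sh), signs a server cert, assembles the chain,
# exports a Java-friendly PKCS#12 and verifies each artefact before "upload".
set -eu

WORK="${WORK:-$(mktemp -d)}"                          # assumption: scratch dir
HOST="${HOST:-webhelpdesk.example.internal}"          # assumption: internal FQDN
EXPORT_PASS="${EXPORT_PASS:-changeit}"                # assumption: export password

# Throwaway CA. The real CA key/cert would already exist in the CA directory.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -sha256 \
    -subj "/C=US/O=Example Internal/CN=Example Internal Root CA" \
    -keyout "$WORK/CA.key" -out "$WORK/CA.pem" 2>/dev/null
}

# Step 1: server key (unencrypted) and CSR.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=US/O=Example Internal/CN=$HOST" \
    -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" 2>/dev/null
}

# Step 2: sign with the CA. "openssl x509 -req" does not copy CSR extensions,
# so the SAN (which modern clients require; CN alone is ignored) is supplied here.
sign_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
    "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 825 \
    -in "$WORK/$HOST.csr" -CA "$WORK/CA.pem" -CAkey "$WORK/CA.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/$HOST.crt" 2>/dev/null
}

# Step 3: chain file, leaf first, then the issuer.
make_chain() {
  cat "$WORK/$HOST.crt" "$WORK/CA.pem" > "$WORK/cert-chain.pem"
}

# Step 4: PKCS#12 with key + leaf + CA under alias 'tomcat'. PBE and MAC are
# pinned to the legacy algorithms so that any Java version can open the store.
make_p12() {
  openssl pkcs12 -export -name tomcat \
    -in "$WORK/cert-chain.pem" -inkey "$WORK/$HOST.key" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$EXPORT_PASS" -out "$WORK/$HOST.p12"
}

# Check A: the leaf really chains to the CA we intend to ship with it.
verify_chain() {
  openssl verify -CAfile "$WORK/CA.pem" "$WORK/$HOST.crt" >/dev/null 2>&1
}

# Check B: the private key matches the leaf (a mismatch is silently accepted by
# "cat", but produces a store no server can use).
key_matches_cert() {
  a=$(openssl x509 -in "$WORK/$HOST.crt" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORK/$HOST.key" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}

# Check C: the .p12 opens with the export password (MAC verifies).
p12_readable() {
  openssl pkcs12 -in "$WORK/$HOST.p12" -passin "pass:$EXPORT_PASS" -nokeys -noout 2>/dev/null
}

# Check D: how many certificates the store carries (expect leaf + CA = 2).
p12_cert_count() {
  openssl pkcs12 -in "$WORK/$HOST.p12" -passin "pass:$EXPORT_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

build_all() {
  make_ca && make_csr && sign_cert && make_chain && make_p12
}

if [ "${1:-}" = "run" ]; then
  build_all && verify_chain && key_matches_cert && p12_readable \
    && echo "OK: $WORK/$HOST.p12 holds $(p12_cert_count) certificate(s)"
fi
```

Run it as `sh example.sh run`. Where a JDK is available, `keytool -list -storetype PKCS12 -keystore "$WORK/$HOST.p12" -storepass changeit` is the closest offline approximation of what a Java-based application does when it opens the store, and is the check to add if Portecle opens a file that the application rejects.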