
Installing Windows Internal PKI Certificate in WHD

I am trying to replace the certificate used by WHD with a SHA2 certificate from our internal Windows PKI.  This will replace the existing SHA1 certificate that is working fine.  The new SHA2 certificate loads with no issues in Porteclé.  I have also loaded the corresponding root CA certificate and issuing CA certificates.

When I go to start WHD, I get the error shown in the image below ("Certificates does not conform to algorithm constraints").  I have spoken to Tech Support (Case # 1033397) and they say I am getting the error because the certificate needs to meet the following requirements: RSA 2048-bit key strength and SHA-2 algorithm.

I have Microsoft engaged on the case.  They helped me generate and export the certificate and Microsoft has verified the certificate supports those requirements.  Any suggestions?  I have been trying to get this cert loaded for about a month now.

[Image attachment: error.jpg]

  • I don't have any advice on the specific error, but no doubt certificates in WHD can be a pain.

    If you click the https, can you look at the cert it has loaded and see what the cert looks like?  Make sure it matches the listing in Porteclé.  I'd be willing to help in more detail, but I think we need some more information as to what steps you've taken to make it this far, because something obviously went haywire.

  • Thank you for offering to help.

    I used the WHD SSL guide and followed the steps below.  The steps below worked fine for importing the *.PFX file.  I checked the cert and everything looks to match fine with Porteclé.

    Exporting a PKCS#12 Keystore File from Microsoft Management Console

    To use an existing certificate located on a Windows server, complete the following steps:

    1. Click Start > Run… and execute the command mmc. A Microsoft Management Console window will open.

    2. Select Console > Add/Remove Snap-In.

    3. Select Add > Certificates > Add > Computer Account > Local Computer > Finish.

    4. Expand Console Root > Certificates > Personal. You should see your certificate listed.

    5. Right-click your certificate and select All Tasks > Export.

    6. Follow the Certificate Export Wizard prompts to export a Personal Information Exchange – PKCS #12 (.PFX) file.

    7. Check the option to Include all certificates in the certification path if possible, and do not check the options to Enable strong protection and to Delete the private key if the export is successful. Take note of the location in which you save the .pfx file.

    8. Import it into Porteclé using the instructions below.

    Importing a PKCS#12 File into the Web Help Desk Keystore

    The second method is to open the Web Help Desk keystore file and then import the keypair containing your certificate, using Tools > Import Keypair…. Porteclé prompts you to select which keypair in your PKCS#12 keystore to import.

    If your keystore already contains a default, unsigned ‘tomcat’ certificate, delete it before importing your PKCS#12 file.

    Be sure that your certificate chain is intact in the Web Help Desk keystore. You can inspect the certificate chain by double-clicking the certificate to view the certificate details. Use the left and right arrows at the top of the details panel to navigate through each certificate in the chain.

    If you do not see the full certificate chain, try importing the CA certificates first in Tools > Import Trusted Certificate…, and then import your keypair again. Porteclé does not establish trust when a certificate is imported before the certificate that was used to sign it.

    Sequence is important. Import the root certificate first, then the next certificate in the chain, and so on, until you get to your own certificate.

    Your certificate must be aliased as tomcat. The password for your certificate and for the keystore itself must be the same, and must match the KEYSTORE_PASSWORD setting in /conf/whd.conf ("changeit" by default).

  • Can I offer a slightly different set of instructions?  This is the guide I created myself when I ran into issues following the documentation WHD provides.  A few steps may be slightly different, but it hasn't failed me.

    [Attachment: WebHelpDesk - Certificate Replacement]

  • Thanks again.  I appreciate the documentation.  However, I also tried the method you outlined in your documentation.  I originally tried to generate a CSR and then import the reply.  But, no luck.

    I believe SolarWinds is going to escalate the case.  I will post an update if there is a fix, should it help someone else who runs into the same issue.

  • Bummer - sorry it did not help

  • I am having the exact same issue. Did this ever get resolved?

  • The directions in the help explain how to use a JKS keystore, but I never figured out how to include the private key, so I used the other supported method, PKCS#12.

    Using openssl (from the WHD VM) to create a private.key and server.csr, then signing with the PKI and adding it to the keystore_new.jks, failed for me as you noted above…

    The signed PKI file I was using was a 'base 64' certificate which we will say was saved as "signed.cer"

    FIX:

    NOTE: Using original private.key and signed.cer from pki in original steps.

    1)

    CONVERT TO PKCS12 certificate

    sudo openssl pkcs12 -export -in signed.cer -inkey private.key -name tomcat -out keystore.p12

    It will ask you for an export password.

    This creates a keystore.p12 in your working directory -presumably /usr/local/webhelpdesk/keystore.p12

    2)

    Now just change your whd.conf to point at the new keystore and format:

    sudo vi ./conf/whd.conf

    "i" to Insert/Edit and change the following fields:

    KEYSTORE_PASSWORD=<export password>
    KEYSTORE_FILE=/usr/local/webhelpdesk/keystore.p12

    KEYSTORE_TYPE=PKCS12

    3) Stop tomcat and start.

    sudo ./whd stop

    sudo ./whd start
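    The script below is an added example, not code from this thread, from SolarWinds or from Porteclé. It automates the PKCS#12 route described in the FIX above and, before packaging, checks the requirement tech support cited in the original post (RSA key of at least 2048 bits and a SHA-2 signature). It goes a step further than the thread by running that check over every certificate bundled into the keystore, since a chain is only as strong as its weakest member, and by confirming the "tomcat" alias is present before whd.conf is touched. It assumes openssl is on PATH; private.key, signed.cer and the CA file are placeholder names, and the demo CA and leaf it generates are constructed test data, not a real PKI.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS#12 keystore for WHD from a
# private key, its PKI-signed certificate and the CA chain, after checking that
# every certificate meets the requirement the thread cites: RSA >= 2048 bits
# and a SHA-2 signature. Assumes openssl is on PATH; file names are placeholders.
set -eu

# Decide whether (signature algorithm, key algorithm, key size) is acceptable.
# Returns 0 when acceptable, 1 otherwise. Kept separate from certificate
# parsing so the rule itself can be exercised without generating certificates.
evaluate_constraints() {
  sigalg=$1; keyalg=$2; bits=${3:-0}
  case "$sigalg" in
    sha256*|sha384*|sha512*|*SHA256|*SHA384|*SHA512) ;;   # SHA-2 family
    *) echo "rejected: signature algorithm $sigalg is not SHA-2"; return 1 ;;
  esac
  # The 2048-bit floor from the thread applies to RSA keys.
  if [ "$keyalg" = rsaEncryption ] && [ "$bits" -lt 2048 ]; then
    echo "rejected: RSA key size $bits bits is below 2048"
    return 1
  fi
  echo "ok: $sigalg, $keyalg $bits-bit key"
}

# Pull the signature algorithm, key algorithm and key size out of a PEM
# certificate. Handles both OpenSSL 1.x ("RSA Public-Key: (2048 bit)") and
# 3.x ("Public-Key: (2048 bit)") text output.
check_cert_constraints() {
  text=$(openssl x509 -in "$1" -noout -text)
  sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
  keyalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  evaluate_constraints "$sigalg" "$keyalg" "$bits"
}

# build_keystore <key> <leaf cert> <CA chain PEM> <output .p12> <export password>
# The leaf is aliased "tomcat" (WHD requires that alias) and the CA chain is
# bundled so the full path is present. The export password is the value that
# must go into KEYSTORE_PASSWORD in conf/whd.conf.
build_keystore() {
  key=$1; cert=$2; chain=$3; out=$4; password=$5
  for c in "$cert" "$chain"; do
    check_cert_constraints "$c" || return 1
  done
  openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
    -name tomcat -out "$out" -passout "pass:$password"
  # Confirm the entry really carries the tomcat alias before editing whd.conf.
  openssl pkcs12 -in "$out" -passin "pass:$password" -nokeys 2>/dev/null \
    | grep -q 'friendlyName: tomcat'
}

# Self-contained demo: a throwaway test CA and a CA-signed leaf (constructed
# test data standing in for the Windows PKI), packaged with password "changeit".
# Prints the path of the resulting keystore.
build_demo_keystore() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=whd.example.test" \
    -keyout "$dir/private.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 30 -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/signed.cer" 2>/dev/null
  build_keystore "$dir/private.key" "$dir/signed.cer" "$dir/ca.crt" "$dir/keystore.p12" changeit
  echo "$dir/keystore.p12"
}

if command -v openssl >/dev/null 2>&1; then
  build_demo_keystore "$(mktemp -d)"
else
  echo "openssl not found; skipping demo"
fi
```

    For a real deployment, call build_keystore with your own private.key, the base64 signed.cer from the PKI, and a PEM file holding the issuing and root CA certificates, then point KEYSTORE_FILE at the output, set KEYSTORE_TYPE=PKCS12 and KEYSTORE_PASSWORD to the export password, and restart with ./whd stop / ./whd start as in the FIX above. If the check prints "rejected" for the CA file, the problem is in the chain rather than in your own certificate.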