I am trying to replace the certificate used by WHD with a SHA2 certificate from our internal Windows PKI. This will replace the existing SHA1 certificate that is working fine. The new SHA2 certificate loads with no issues in Porteclé. I have also loaded the corresponding root CA certificate and issuing CA certificates.
When I go to start WHD, I get the error shown in the image below (Certificates does not conform to algorithm constraints). I have spoken to Tech Support (Case # 1033397) and they say I am getting the error because the certificate needs to meet the following requirements: RSA 2048 bit key strength and SHA-2 algorithm.
I have Microsoft engaged on the case. They helped me generate and export the certificate and Microsoft has verified the certificate supports those requirements. Any suggestions? I have been trying to get this cert loaded for about a month now.
I don't have any advice on the specific error, but no doubt certificates in WHD can be a pain.
If you click the https, can you look at the cert that is loaded and see what it looks like? Make sure it matches the listing in Portecle. I'd be willing to help in more detail, but I think we need some more information as to what steps you've taken to make it this far, because something obviously went haywire.
Thank you for offering to help.
I used the WHD SSL guide and followed the steps below. The steps below worked fine for importing the *.PFX file. I checked the cert and everything looks to match fine with Porteclé.
Exporting a PKCS#12 Keystore File from Microsoft Management Console
To use an existing certificate located on a Windows server, complete the following steps:
1. Click Start > Run… and execute the command mmc. A Microsoft Management Console window will open.
2. Select Console > Add/Remove Snap-In.
3. Select Add > Certificates > Add > Computer Account > Local Computer > Finish.
4. Expand Console Root > Certificates > Personal. You should see your certificate listed.
5. Right-click your certificate and select All Tasks > Export.
6. Follow the Certificate Export Wizard prompts to export a Personal Information Exchange – PKCS #12 (.PFX) file.
7. Check the option to Include all certificates in the certification path if possible, and do not check the options to Enable strong protection and to Delete the private key if the export is successful. Take note of the location in which you save the .pfx file.
8. Import it into Porteclé using the instructions below.
Importing a PKCS#12 File into the Web Help Desk Keystore
The second method is to open the Web Help Desk keystore file and then import the keypair containing your certificate, using Tools > Import Keypair…. Porteclé prompts you to select which keypair in your PKCS#12 keystore to import.
If your keystore already contains a default, unsigned ‘tomcat’ certificate, delete it before importing your
Be sure that your certificate chain is intact in the Web Help Desk keystore. You can inspect the certificate chain by double-clicking the certificate to view the certificate details. Use the left and right arrows at the top of the details panel to navigate through each certificate in the chain.
If you do not see the full certificate chain, try importing the CA certificates first in Tools > Import Trusted Certificate…, and then import your keypair again. Porteclé does not establish trust when a certificate is imported before the certificate that was used to sign it.
Sequence is important. Import the root certificate first, then the next certificate in the chain, and so on, until you get to your own certificate.
Your certificate must be aliased as tomcat. The password for your certificate and for the keystore itself must be the same, and must match the KEYSTORE_PASSWORD setting in /conf/whd.conf ("changeit" by default).
Can I offer a slightly different set of instructions? This is the guide I created myself when I ran into issues following the documentation WHD provides. A few steps may be slightly different, but it hasn't failed me.
Thanks again. I appreciate the documentation. However, I also tried the method you outlined in your documentation. I originally tried to generate a CSR and then import the reply. But, no luck.
I believe SolarWinds is going to escalate the case. I will post an update if there is a fix, should it help someone else who runs into the same issue.
The directions in the help explain how to use a JKS keystore, but I never figured out how to include the private key in it, so I used the other supported method, PKCS.
Using openssl (from the WHD VM) to create a private.key and server.csr, then signing with the PKI and adding it to the keystore_new.jks, failed for me, as you noted above…
The signed PKI file I was using was a 'base 64' certificate which we will say was saved as "signed.cer"
NOTE: Using original private.key and signed.cer from pki in original steps.
CONVERT TO PKCS12 certificate
sudo openssl pkcs12 -export -in signed.cer -inkey private.key -name tomcat -out keystore.p12
It will ask you for an export password.
This creates a keystore.p12 in your working directory (presumably /usr/local/webhelpdesk/keystore.p12).
Now just change your whd.conf to point at the new keystore and format:
sudo vi ./conf/whd.conf
Press "i" to insert/edit and change the following fields:
3) Stop and start Tomcat.
sudo ./whd stop
sudo ./whd start
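An added pre-flight check, not from this thread and not SolarWinds' or the poster's code: before running the openssl pkcs12 -export step above, run signed.cer together with the issuing CA and root CA certificates through this script, which reports any certificate in the bundle that is not signed with SHA-2/RSA or whose RSA key is under 2048 bits, the two requirements Tech Support quoted earlier in the thread. It checks every certificate, not only the leaf, because Java applies its algorithm constraints to each certificate it validates, so a weak CA certificate in the chain can produce the same error even when the server certificate itself is fine. It assumes openssl is on the PATH, that the files are PEM ("base 64") like the signed.cer described above, and that the CA certificates are RSA too (RSA-PSS and ECDSA certificates are simply reported as failures rather than handled); the script name whd-certcheck.sh and the chain.pem file are placeholders.

```sh
#!/bin/sh
# Added pre-flight check (not part of the thread or of Web Help Desk).
# Assumes openssl is on the PATH and the input is a PEM bundle of RSA certificates.

# Check one PEM certificate against the requirements quoted from Tech Support:
# SHA-2 RSA signature and an RSA key of at least 2048 bits.
# Returns 0 when it passes, 1 when it fails a requirement, 2 when unreadable.
check_cert() {
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) \
    || { echo "FAIL $1: not a readable PEM certificate"; return 2; }
  subject=$(printf '%s\n' "$text" | sed -n 's/^ *Subject: *//p' | head -n 1)
  # The first "Signature Algorithm:" line is the one inside tbsCertificate.
  sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
  # Matches "RSA Public-Key: (2048 bit)" (OpenSSL 1.1) and "Public-Key: (2048 bit)" (3.x).
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
  status=0
  case "$sigalg" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
    *) echo "FAIL [$subject]: signature algorithm '$sigalg' is not SHA-2 with RSA"; status=1 ;;
  esac
  if [ -z "$bits" ] || [ "$bits" -lt 2048 ]; then
    echo "FAIL [$subject]: RSA key is ${bits:-unknown} bits, need at least 2048"; status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK   [$subject]: $sigalg, ${bits}-bit RSA key"
  fi
  return "$status"
}

# Split a PEM bundle (leaf + issuing CA + root, in any order) into one file per
# certificate and check each one. Returns the number of failing certificates.
check_pem_bundle() {
  dir=$(mktemp -d) || return 2
  awk -v dir="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ } n { print > (dir "/cert" n ".pem") }' "$1"
  failures=0
  for f in "$dir"/cert*.pem; do
    check_cert "$f" || failures=$((failures + 1))
  done
  rm -rf "$dir"
  return "$failures"
}

# Usage: sh whd-certcheck.sh chain.pem
# where chain.pem is e.g.: cat signed.cer issuing-ca.cer root-ca.cer > chain.pem
if [ -n "${1-}" ]; then
  check_pem_bundle "$1"
fi
```

A non-zero exit status means at least one certificate in the bundle would not satisfy the stated requirements; fix that certificate (or re-issue it from the PKI) before building keystore.p12, since the pkcs12 export succeeds regardless of key size or hash and the problem only surfaces when WHD starts.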