7 Replies Latest reply on Mar 29, 2017 4:11 PM by dabeaj

    Installing Windows Internal PKI Certificate in WHD

    mduser

I am trying to replace the certificate used by WHD with a SHA2 certificate from our internal Windows PKI.  This will replace the existing SHA1 certificate that is working fine.  The new SHA2 certificate loads with no issues in Porteclé.  I have also loaded the corresponding root CA certificate and issuing CA certificates.

       

      When I go to start WHD, I get the error shown in the image below ("Certificates does not conform to algorithm constraints").  I have spoken to Tech Support (Case # 1033397) and they say I am getting the error because the certificate needs to meet the following requirements: RSA 2048-bit key strength and SHA-2 algorithm.

       

      I have Microsoft engaged on the case.  They helped me generate and export the certificate and Microsoft has verified the certificate supports those requirements.  Any suggestions?  I have been trying to get this cert loaded for about a month now.

      error.jpg

        • Re: Installing Windows Internal PKI Certificate in WHD
          matt8

          I don't have any advice on the specific error, but no doubt certificates in WHD can be a pain.

           

          If you click the https, can you look at the cert it has loaded and see what the cert looks like?  Make sure it matches the listing in Porteclé.  I'd be willing to help in more detail, but we need some more information, I think, as to what steps you've taken to make it this far, because something obviously went haywire.

            • Re: Installing Windows Internal PKI Certificate in WHD
              mduser

              Thank you for offering to help.

               

              I used the WHD SSL guide and followed the steps below.  The steps below worked fine for importing the *.PFX file.  I checked the cert and everything looks to match fine with Porteclé.

               

              Exporting a PKCS#12 Keystore File from Microsoft Management Console

              To use an existing certificate located on a Windows server, complete the following steps:

              1. Click Start > Run… and execute the command mmc. A Microsoft Management Console window will open.

              2. Select Console > Add/Remove Snap-In.

              3. Select Add > Certificates > Add > Computer Account > Local Computer > Finish.

              4. Expand Console Root > Certificates > Personal. You should see your certificate listed.

              5. Right-click your certificate and select All Tasks > Export.

              6. Follow the Certificate Export Wizard prompts to export a Personal Information Exchange – PKCS #12 (.PFX) file.

              7. Check the option to Include all certificates in the certification path if possible, and do not check the options to Enable strong protection and to Delete the private key if the export is successful. Take note of the location in which you save the .pfx file.

              8. Import it into Porteclé using the instructions below.

               

              Importing a PKCS#12 File into the Web Help Desk Keystore


              The second method is to open the Web Help Desk keystore file and then import the keypair containing your certificate, using Tools > Import Keypair…. Porteclé prompts you to select which keypair in your PKCS#12 keystore to import.

              If your keystore already contains a default, unsigned ‘tomcat’ certificate, delete it before importing your PKCS#12 file.

              Be sure that your certificate chain is intact in the Web Help Desk keystore. You can inspect the certificate chain by double-clicking the certificate to view the certificate details. Use the left and right arrows at the top of the details panel to navigate through each certificate in the chain.

              If you do not see the full certificate chain, try importing the CA certificates first in Tools > Import Trusted Certificate…, and then import your keypair again. Porteclé does not establish trust when a certificate is imported before the certificate that was used to sign it.
              Sequence is important. Import the root certificate first, then the next certificate in the chain, and so on, until you get to your own certificate.

              Your certificate must be aliased as tomcat. The password for your certificate and for the keystore itself must be the same, and must match the KEYSTORE_PASSWORD setting in /conf/whd.conf ("changeit" by default).
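The export-then-import procedure quoted above, done end to end from PowerShell and keytool instead of the MMC wizard and Porteclé, with a final step that lists what Java actually sees in the keystore. This is an added example, not a script from the thread, from SolarWinds, or from the WHD SSL guide. It assumes: the thumbprint of the new certificate in the Local Computer Personal store; a keystore path under the WHD conf directory (the file name used here is an assumption); that keytool.exe from the JRE that WHD runs on is on PATH; and that the PFX, keystore and key passwords are all set to the KEYSTORE_PASSWORD from whd.conf, which the guide says must match. The last step prints the signature algorithm and key size of every certificate in the imported chain next to the jdk.certpath.disabledAlgorithms line from java.security, which is the constraint list Java applies when it reports that a certificate does not conform to algorithm constraints, so each link of the chain, not just the leaf, can be checked against the RSA 2048 / SHA-2 requirement support quoted.

```powershell
# Added example (not from the thread or the WHD SSL guide). Exports the new
# server certificate with its chain, imports it into the WHD keystore under
# the alias "tomcat", then shows what Java sees so every certificate in the
# chain can be checked against Java's algorithm constraints.
#
# Assumptions (edit for your environment):
#   $Thumbprint - thumbprint of the cert in Cert:\LocalMachine\My
#   $Keystore   - WHD keystore; the file name below is an assumption
#   $JavaHome   - the JRE WHD runs on; java.security lives under it
#   $Password   - KEYSTORE_PASSWORD from conf\whd.conf ("changeit" default);
#                 WHD requires PFX, keystore and key password to be identical
#   keytool.exe - from that JRE, assumed to be on PATH
$ErrorActionPreference = 'Stop'
$Thumbprint = 'REPLACE_WITH_THUMBPRINT'
$Keystore   = 'C:\Program Files\WebHelpDesk\conf\keystore.jks'
$JavaHome   = 'C:\Program Files\WebHelpDesk\bin\jre'
$Password   = 'changeit'
$Pfx        = Join-Path $env:TEMP 'whd-server.pfx'
$SecurePw   = ConvertTo-SecureString $Password -AsPlainText -Force

# 1. Export the key pair plus its chain. -ChainOption BuildChain is the
#    equivalent of ticking "Include all certificates in the certification
#    path" in the MMC wizard.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no exportable private key in this store"
}
Export-PfxCertificate -Cert $cert -FilePath $Pfx -Password $SecurePw -ChainOption BuildChain | Out-Null

# 2. Windows gives the key pair an arbitrary alias inside the PFX; find it so
#    it can be renamed to "tomcat" on import (WHD requires that alias).
$srcAlias = $null; $current = $null
foreach ($line in (& keytool -list -v -keystore $Pfx -storetype PKCS12 -storepass $Password)) {
    if ($line -match '^Alias name:\s*(.+)$') { $current = $Matches[1].Trim() }
    elseif ($line -match '^Entry type:\s*PrivateKeyEntry' -and -not $srcAlias) { $srcAlias = $current }
}
if (-not $srcAlias) { throw "No private key entry found in $Pfx" }

# 3. Remove the default self-signed "tomcat" entry if present (the guide says
#    to delete it first), then import the new key pair under that alias.
& keytool -delete -alias tomcat -keystore $Keystore -storepass $Password 2>$null
& keytool -importkeystore -noprompt `
    -srckeystore $Pfx -srcstoretype PKCS12 -srcstorepass $Password -srcalias $srcAlias `
    -destkeystore $Keystore -deststorepass $Password -destalias tomcat -destkeypass $Password
if ($LASTEXITCODE -ne 0) { throw 'keytool import failed; keystore left unchanged' }
Remove-Item $Pfx   # the PFX holds the private key; do not leave it in %TEMP%

# 4. Show the chain as Java sees it: one Owner/Issuer/Signature algorithm
#    group per certificate. "Subject Public Key Algorithm" (key size) is
#    printed by newer keytool versions only; older ones omit that line.
& keytool -list -v -keystore $Keystore -storepass $Password -alias tomcat |
    Select-String 'Certificate chain length|^Owner:|^Issuer:|Signature algorithm name|Subject Public Key Algorithm'

# 5. Print the constraint list Java checks the chain against. The property
#    may span several lines ending in a backslash continuation.
$secFile = Join-Path $JavaHome 'lib\security\java.security'
$printing = $false
foreach ($line in Get-Content $secFile) {
    if ($line -match '^\s*jdk\.certpath\.disabledAlgorithms\s*=') { $printing = $true }
    if ($printing) {
        Write-Output $line
        if ($line -notmatch '\\\s*$') { break }
    }
}
```

Read step 4 against step 5 for every certificate in the chain, not only the leaf: a root or issuing CA certificate that still uses an algorithm or key size named in the disabled list fails the same check as a weak end-entity certificate would.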