7 Replies Latest reply on Mar 29, 2017 4:11 PM by dabeaj

    Installing Windows Internal PKI Certificate in WHD

    mduser

      I am trying to replace the certificate used by WHD with a SHA2 certificate from our internal Windows PKI.  This will replace the existing SHA1 certificate that is working fine.  The new SHA2 certificate loads with no issues in Portecle.  I have also loaded the corresponding root CA certificate and issuing CA certificates.

       

      When I go to start WHD, I get the error shown in the image below (Certificates does not conform to algorithm constraints).  I have spoken to Tech Support (Case # 1033397) and they say I am getting the error because the certificate needs to meet the following requirements: RSA 2048-bit key strength and SHA-2 algorithm.

       

      I have Microsoft engaged on the case.  They helped me generate and export the certificate and Microsoft has verified the certificate supports those requirements.  Any suggestions?  I have been trying to get this cert loaded for about a month now.

      [attached image: error.jpg]

        • Re: Installing Windows Internal PKI Certificate in WHD
          matt8

          I don't have any advice on the specific error, but no doubt certificates in WHD can be a pain.

           

          If you click the https, can you look at the cert that is loaded and see what it looks like?  Make sure it matches the listing in Portecle.  I'd be willing to help in more detail, but I think we need some more information as to what steps you've taken to make it this far, because something obviously went haywire.

            • Re: Installing Windows Internal PKI Certificate in WHD
              mduser

              Thank you for offering to help.

               

              I used the WHD SSL guide and followed the steps below.  The steps below worked fine for importing the *.PFX file.  I checked the cert and everything looks to match fine with Portecle.

               

              Exporting a PKCS#12 Keystore File from Microsoft Management Console

              To use an existing certificate located on a Windows server, complete the following steps:

              1. Click Start > Run… and execute the command mmc. A Microsoft Management Console window will open.

              2. Select Console > Add/Remove Snap-In.

              3. Select Add > Certificates > Add > Computer Account > Local Computer > Finish.

              4. Expand Console Root > Certificates > Personal. You should see your certificate listed.

              5. Right-click your certificate and select All Tasks > Export.

              6. Follow the Certificate Export Wizard prompts to export a Personal Information Exchange – PKCS #12 (.PFX) file.

              7. Check the option to Include all certificates in the certification path if possible, and do not check the options to Enable strong protection and to Delete the private key if the export is successful. Take note of the location in which you save the .pfx file.

              8. Import it into Porteclé using the instructions below.

               

              Importing a PKCS#12 File into the Web Help Desk Keystore

              The second method is to open the Web Help Desk keystore file and then import the keypair containing your certificate, using Tools > Import Keypair…. Porteclé prompts you to select which keypair in your PKCS#12 keystore to import.

              If your keystore already contains a default, unsigned ‘tomcat’ certificate, delete it before importing your PKCS#12 file.

              Be sure that your certificate chain is intact in the Web Help Desk keystore. You can inspect the certificate chain by double-clicking the certificate to view the certificate details. Use the left and right arrows at the top of the details panel to navigate through each certificate in the chain.

              If you do not see the full certificate chain, try importing the CA certificates first in Tools > Import Trusted Certificate…, and then import your keypair again. Porteclé does not establish trust when a certificate is imported before the certificate that was used to sign it. Sequence is important. Import the root certificate first, then the next certificate in the chain, and so on, until you get to your own certificate.

              Your certificate must be aliased as tomcat. The password for your certificate and for the keystore itself must be the same, and must match the KEYSTORE_PASSWORD setting in /conf/whd.conf ("changeit" by default).

                • Re: Installing Windows Internal PKI Certificate in WHD
                  matt8

                  Can I offer a slightly different set of instructions?  This is the guide I created myself when I ran into issues following the documentation WHD provides.  A few steps may be slightly different, but it hasn't failed me.

                   

                  [attachment: WebHelpDesk - Certificate Replacement]

                    • Re: Installing Windows Internal PKI Certificate in WHD
                      mduser

                      Thanks again.  I appreciate the documentation.  However, I also tried the method you outlined in your documentation.  I originally tried to generate a CSR and then import the reply.  But, no luck.

                       

                      I believe Solarwinds is going to escalate the case.  I will post an update if there is a fix, should it help someone else who runs into the same issue.

                        • Re: Installing Windows Internal PKI Certificate in WHD
                          matt8

                          Bummer - sorry it did not help

                          • Re: Installing Windows Internal PKI Certificate in WHD
                            dabeaj

                            I am having the exact same issue. Did this ever get resolved?

                              • Re: Installing Windows Internal PKI Certificate in WHD
                                dabeaj

                                The directions in the help describe how to use a JKS keystore, but I never figured out how to include the private key, so I used the other supported method, PKCS.

                                 

                                Using openssl (from the WHD VM) to create a private.key and server.csr, then signing with the PKI and adding it to the keystore_new.jks, failed for me as you noted above...

                                 

                                The signed PKI file I was using was a 'base 64' certificate, which we will say was saved as "signed.cer".

                                FIX:

                                NOTE: Using the original private.key and the signed.cer from the PKI in the original steps.

                                 

                                1)

                                CONVERT TO PKCS12 certificate

                                sudo openssl pkcs12 -export -in signed.cer -inkey private.key -name tomcat -out keystore.p12

                                It will ask you for an export password.

                                This creates a keystore.p12 in your working directory - presumably /usr/local/webhelpdesk/keystore.p12

                                 

                                2)

                                Now just change your whd.conf to point at the new keystore and format:

                                sudo vi ./conf/whd.conf

                                "i" to Insert/Edit and change the following fields:

                                KEYSTORE_PASSWORD=<export password>
                                KEYSTORE_FILE=/usr/local/webhelpdesk/keystore.p12
                                KEYSTORE_TYPE=PKCS12

                                3) Stop and start Tomcat.

                                sudo ./whd stop

                                sudo ./whd start
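An added example (not from any poster in this thread) that walks the same PKCS12 route and adds the check the thread never shows: Java's "Certificates does not conform to algorithm constraints" error is raised when any certificate in the path (root or issuing CA, not just the server certificate) uses a disabled algorithm, so the script builds a constructed test PKI with a SHA-1 signed root and a SHA-256 leaf, packages it with the 'tomcat' alias and the CA chain, then reports signature algorithm and key size for every certificate in the keystore. All names, subjects and the "changeit" password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: constructed test PKI, packaged as WHD
# expects (PKCS12, alias 'tomcat'), then a per-certificate algorithm check.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed PKI: root self-signed with hash $1 (sha1 or sha256), SHA-256 leaf.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes "-$1" -days 2 \
    -subj "/CN=Constructed Internal Root" -keyout root.key -out root.cer 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=whd.example.internal" \
    -keyout private.key -out server.csr 2>/dev/null
  openssl x509 -req -sha256 -days 2 -in server.csr -CA root.cer -CAkey root.key \
    -CAcreateserial -out signed.cer 2>/dev/null
}

# Same conversion as the last post, plus -certfile so the CA chain travels
# with the keypair instead of relying on the JVM to find the issuers.
make_keystore() {
  openssl pkcs12 -export -in signed.cer -inkey private.key -certfile root.cer \
    -name tomcat -passout pass:changeit -out keystore.p12
}

# Print subject, signature algorithm and key size for each cert in the
# keystore; return 1 if any is SHA-1/MD5 signed or has an RSA key < 2048 bits.
check_keystore() {
  bad=0
  openssl pkcs12 -in keystore.p12 -passin pass:changeit -nokeys 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > ("chain-" n ".pem")}'
  for f in chain-*.pem; do
    sigalg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/{print $3; exit}')
    bits=$(openssl x509 -in "$f" -noout -text | awk -F'[()]' '/Public-Key:/{print $2; exit}')
    bits=${bits% bit}
    echo "$(openssl x509 -in "$f" -noout -subject)  sig=$sigalg  key=${bits}bit"
    case "$sigalg" in sha1*|md5*) bad=1 ;; esac
    [ "$bits" -ge 2048 ] || bad=1
  done
  rm -f chain-*.pem
  return $bad
}

make_test_pki sha1; make_keystore
if check_keystore; then echo "chain OK"; else echo "chain has a disabled algorithm"; fi
```

Running it against a real keystore.p12 only needs the `check_keystore` function with the keystore password adjusted; a SHA-1 root or issuing CA in the output is the thing to fix before Tomcat will accept the chain.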