6 Replies Latest reply on May 23, 2018 1:43 PM by tigger2

    Questions about Enabling HTTPS using the Config Wizard and certificate(s) not being recognized

    tigger2

      The question is at the end.... I'm not a certificate guru so it's possible I'm doing something completely wrong

       

      Environment:

      Orion Platform 2017.1.3 SP3, UDT 3.2.4 <- My question applies to other modules though, just adding in case there's some oddity with UDT

      OS: Windows 2012 R2

       

      Specific issue I'm having:

      When using the "SolarWinds Configuration Wizard" to enable HTTPS for the Web console UI, there is supposed to be a drop down of "valid certificates" to pick from.  I have imported a certificate to use, per the documentation, but there is nothing in the drop down list except "Generate Self Signed Certificate".  The Wizard is acting like my certificate is invalid.

       

      Details:

      1.  Apparently, the new Config Wizard scans for "valid certs" to use.

           Supporting docs: (NPM 12.1 Release Notes - SolarWinds Worldwide, LLC. Help and Support ) there was an update for SSL support that "The Configuration Wizard scans the Orion server for valid SSL certificates that you can choose for the binding,"

       

      2. The new Config Wizard changes will not let you pick/see "invalid certificates".  It appears the Wizard thinks my certificate is invalid so it's not allowing me to pick it

           Supporting docs: (Configure the Orion Web Console to use SSL ) and (Configure the Orion Web Console to use SSL - SolarWinds Worldwide, LLC. Help and Support ) there is a very clear example of how to set up HTTPS, with an indicator of the conditions the certificate must meet in order to be "valid", and "invalid". For invalid certificate it says: "Some certificates are not valid. Client certificates or certificates that have expired or use an untrusted certificate authority are invalid and do not display on the list."

       

      3. My certificate appears valid (to me).

      - It was imported into the "Local Machine" -> Personal certificate store. <-  It should be the correct location the wizard scans in...

      - It was just issued (an internal CA is issuing it) and is not expired. <- It's not expired, but may not be trusted...

      - The "Root" certification authority in the certificate is in the "trusted root certification authorities" in the MMC certificates snap-in (I validated the thumbprints) <- The certificate should be using a trusted certification authority, or I am confused about what is considered trusted

      But....

      - There *is* an intermediary "issuing CA" in my certificate ("Issued By" field) in between the Root CA and my certificate.  This *is not* in the "trusted root certification authorities" of the server

       

      Question:

      - Do I need to add the intermediary "Issuing CA" certificate to the "trusted root certification authorities" so the entire chain of certificates in the certificate are all "trusted"?  It seems like I should not because the root certification authority in the cert is trusted

      or

      - Is there a possibility the certificate I was given needed to have certain "options selected" when it was issued (not sure what the options are) or needs to be issued in some special way/format?

      or

      - Is there something blindingly obvious I'm missing?

       


        • Re: Questions about Enabling HTTPS using the Config Wizard and certificate(s) not being recognized
          neomatrix1217

          When you open IIS do you see your cert in the drop-down list?

           

            • Re: Questions about Enabling HTTPS using the Config Wizard and certificate(s) not being recognized
              tigger2

              Short answer: Nothing shows up in the IIS drop down...so I did some troubleshooting, and now I can see my cert in the IIS drop down, but not in the Config Wizard drop down (even when "run as" admin).

               

              Long answer:  Apparently part of the IIS cert validation (to have it show up in the list) is that the certificate has to have a private key attached to it.  My cert did not (I was given, and imported a .cer file from our internal CA). More reading led me to believe that just importing the cert via MMC (or maybe IIS)  should attach a private key (it apparently does not in some cases).  Even more reading leads to an MS supplied exe called "certutil.exe" that actually attaches a key (not sure where the keys come from when doing this) to the already imported cert: https://support.microsoft.com/en-us/help/889651/how-to-assign-a-private-key-to-a-new-certificate-after-you-use-the-cer

               

              So now I can see my cert in the IIS drop down when binding https....well, apparently since my cert does not have a "Subject Name" in it the cert shows up in the list as the thumbprint of the cert, not something that's easily identifiable to a casual user, but it works.  Also in the list are the other "SolarWinds" related certs.

               

              In the SolarWinds Config wizard, no certs appear in the drop down list.

                • Re: Questions about Enabling HTTPS using the Config Wizard and certificate(s) not being recognized
                  RichardLetts

                  On Windows, when you generate a CSR (Certificate Signing Request), it generates the public and private key for the certificate.

                  When you present the CSR it has your public key attached to it; the Certificate Authority then signs your public key by attaching their certificate to it.

                  Finally, when you import the signed public key it should automatically attach it to the signed public key.

                   

                  When a certificate is renewed Windows certmanager has an issue: you need to attach the old private key to the new public key (this has happened a lot recently over the DigiCert/Symantec merger), which is the case you may have hit...

                   

                  Richard

                    • Re: Questions about Enabling HTTPS using the Config Wizard and certificate(s) not being recognized
                      tigger2

                      Based on what you're saying...and adding info on what I'm doing to generate the CSR:

                       

                      When generating the CSR (we're not renewing it), we're choosing a template someone on our CA side created (and we are using MMC to generate the request, not IIS).  In the template there are tabs for adding a private key but they are empty (we cannot edit them).  So I guess the keys, if not provided manually, are supposed to be generated/held/stored on the server side "by something". I believe I shouldn't be able to send a new CSR without keys "from somewhere".  I don't get anything related to "and here are your keys" when I submit it, so I feel like I'm not supposed to/need have these keys when using Windows to generate a website cert.  Other things I read on the net are all about "start by generating your keys....never lose the keys or passphrase!" so maybe Windows is trying to help me by hiding all the details for this particular type of "simple, locally hosted website cert"

                       

                      So.... maybe people handling things on the CA side are not sending the keys with the cert somehow (a.k.a. somehow exporting the cert without them?) or are not signing it (even though the cert I have has a chain of certs in it that look like they attached their certs to it).  From what little I've seen on the CA side it seems like they get a request, and then they "approve it", so I don't understand how my cert could come back to me "keyless", as the initial keys I sent should at least be attached?  Or is "keyless" meaning "the public key from the CA is not there".

                       

                      Also: I don't know how I can have a cert that IIS sees as valid, but the SolarWinds config wizard does not see as valid, unless one of them is going further to check it's actually "valid".

                • Re: Questions about Enabling HTTPS using the Config Wizard and certificate(s) not being recognized
                  tigger2

                  Update: I had a new cert issued, and it "looks better" than the first (the first was probably exported incorrectly) but the new cert is still not showing up in the Orion config wizard as a choice when I set the "Enable HTTPS" option.

                   

                  FYI: The cert does show up in the IIS manager as a cert I can use/select when binding, but the Orion Config Wizard -> Website form shows nothing in the drop down except "Generate Self Signed Certificate".  The root cert authority and intermediate/issuing authority in my new cert appear to be on my system as "trusted certs"....so I'm at a loss as to why the config wizard refuses to allow me to choose it.

                    • Re: Questions about Enabling HTTPS using the Config Wizard and certificate(s) not being recognized
                      tigger2

                      Found what it is/was:

                      You HAVE to have a Common Name (CN) field set or the Config Wizard will not allow you to pick the certificate for HTTPS.  Additionally, from (Configure the Orion Web Console to use SSL - SolarWinds Worldwide, LLC. Help and Support ) , the Common Name has to be certain variants of the server hostname the certificate is for to get a "green checkmark" for the cert in the Config Wizard UI (not required, but the reasons are documented in the links above)... and who doesn't want a nice green check mark!?

                       

                      In addition, in the link, I believe any cert determined to be "invalid" will not show up as a choice in the drop down.  There are a few conditions listed.  I guess the "Common Name" (CN) field is also required or it's considered invalid, which should probably be in the documentation.

                       

                      I was following an internal procedure to generate certs from our internal CA, and putting in a Common Name wasn't listed as a "to do", which caused me to have this issue.

                       

                      Per a separate conversation, thanks to neomatrix1217 for pointing me to the log @ "C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log".  It appears if you look for lines with "CertificatesHelper" you can see the certs that are "considered" for the drop down and if they were skipped there's a note as to why they were skipped.
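The conditions worked out across this thread (private key present, not expired, CN set in the Subject, chain trusted through the intermediate, not a client-only certificate) can be checked up front on the Orion server before opening the wizard. The script below is an added example, not SolarWinds code or anything posted by the participants; treating "client certificate" as "no Server Authentication EKU" is my assumption, and the log path and the "CertificatesHelper" marker are the ones named in the last post.

```powershell
# Added example: report, for every cert in LocalMachine\My (the store the
# wizard scans), the properties the thread found the wizard to care about.
$now = Get-Date
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Common Name from the Subject; the wizard will not list a cert without one.
    $cnMatch = [regex]::Match($cert.Subject, '(?:^|,\s*)CN=([^,]+)')
    $cn = if ($cnMatch.Success) { $cnMatch.Groups[1].Value } else { '<MISSING>' }

    # Build the chain against the machine's stores. A missing intermediate
    # (issuing CA) shows up here as a ChainStatus entry such as PartialChain.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Assumption: a cert usable for HTTPS carries the Server Authentication EKU;
    # a client-only cert (excluded per the docs) would lack it.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName })

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        CommonName    = $cn
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        ServerAuthEKU = ($ekus -contains 'Server Authentication')
        ChainTrusted  = $chainOk
        ChainStatus   = $chainStatus
    }
} | Format-Table -AutoSize

# Cross-check against the wizard's own verdict: the log line for each cert it
# considered, and the reason it was skipped (path and marker from the thread).
$log = 'C:\ProgramData\SolarWinds\Logs\Orion\ConfigurationWizard.log'
if (Test-Path $log) {
    Select-String -Path $log -Pattern 'CertificatesHelper' | Select-Object -Last 20
}
```

Run it in an elevated PowerShell session so the LocalMachine store and the private-key flag are readable; a row showing CommonName as <MISSING> or HasPrivateKey as False is the case the thread describes.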