1

This How to will go through the process of setting up SpiceWorks to use an SSL cert that you generate from an internal Certificate Authority but it should also allow you to create a certificate signing request (CSR) that you can send to a public Certificate Authority.

The reason I worked through these steps is that I became annoyed at not being able to use IE9 to open my remote collectors due to untrusted certificates.

I will be working with a Microsoft Certificate Authority in this how to. I also will be working with Server 2008 R2 to generate the Certificate Signing requests as that is the simplest way I have found.

I want to thank a number of How To contributors who’s posts helped me create this version of the how to.
Jonathan (Spiceworks) - Assign Your Existing Public SSL Certificate To Spiceworks - http://community.spiceworks.com/how_to/show/922
Nick-C - How to become your Own Certificate Authority and Secure Spiceworks - http://community.spiceworks.com/how_to/show/1469

Step 1: Generate your Certificate Signing Request (CSR)

choose_cert.PNG

I am using Windows Server 2008 R2 to generate the CSR as it is a very simple process.

  1. Open MMC.exe
  2. Add the Certificates add in (select computer when asked which certificate container to open).
  3. Open Personal and then Certificates (if present)
  4. Right Click and select “all Tasks”
    …A. then if using a local CA select >“Request a New Certificate”
    …B. if using a remote CA select Advanced Operations> Create a Custom Request.
  5. Choose the correct (web server) certificate type. Then expand Details and click on properties (see image to the right)
  6. Fill in the details about your SpiceWorks computer. At a minimum fill in the following details:
    …A. Under Subject Name > Fill in a few details about your company/server so that people can see that this is your server
    …B. Under Alternative name (this is where most of the magic happens)
    …i. DNS (NetBIOS name)
    …ii. DNS (Fully qualified network name)
    …iii. IP address
    …C. If the computer has an external interface also add the external DNS and IP address to the list. Basically you want every method of connecting to the server to be added to the list so they all will be covered by the cert.
  7. Under the general Tab > give the certificate a Friendly name and a description
  8. Under the Private Key tab > Key Options > select a Key size, allow the key to be exported and if using an internal CA also allow it to be archived.
    .
    Now submit the CSR and export the resulting certificate.

Step 2: Apply the certificate to your spiceworks system

I will be following the steps outlined here: http://community.spiceworks.com/how_to/show/922 with a few updates to make the process easier.

  1. Copy the SSL cert you exported to the SpiceWorks server

  2. copy the cert to the folder c:\program files\SpiceWorks\httpd\ssl (or program files (x86 as needed), While you are in the folder make a backup of the certificate files that are there so you can use them if something gets messed up.

  3. Open a command prompt

  4. Change the directory to the path above (c:\program files\SpiceWorks\httpd\ssl)

  5. Start OpenSSL.exe (…..\bin\openssl.exe)

6 pkcs12 -in <cert_and_key>.pfx -nocerts -out ssl-private-key.pem -nodes
returns:
Enter Import Password:
MAC verified OK

  1. pkcs12 -in <cert_and_key>.pfx -clcerts -nokeys -out ssl-cert.pem
    Enter Import Password:
    MAC verified OK

  2. rsa -in ssl-private-key.pem -out ssl-private-key.pem
    writing RSA key

  3. rsa -text -in ssl-private-key.pem

  4. restart your SpiceWorks install

15 Spice ups
2

I’m going to have to try this one. I haven’t had any positive success with the others yet.

Thanks!

3

This worked like a charm for me.

When attempting to select the web server cert in step 5 the option was greyed out with a permissions message. I had to give rights to the Spiceworks server ‘computer account’ to allow the creation of a Web Server cert from our local CA. I then had to read the OpenSSL instructions a few times to understand the syntax. After restarting Spiceworks I get no messages or pop-ups about security when using the certificate generated from our local CA. Group Policy has the local CA listed as trusted.

Thx

4

Hmm I must have done something wrong - it works fine except that the “Issued To” and “Issued by” are still the same.
Any tips on what I would have to do to have the “Issued by” as my CA?

5

Nevermind, I re-did the cert request and it works now (no cert error warning when i browse to the page). However I still get a red cross on the padlock in Chrome - even though when viewing the cert, it traces back to my CA and the cert itself says “this certificate is OK”.
Edit - this appears to be Chrome specific, as there are no errors or visible signs of any kind in IE. Chrome must have stricter security settings

6

Can anyone help me with this as I’m struggling with the first couple of steps already!

7

Wonderful! It works. I’ve look at several SSL connections How-to but this one is the best. Thanks!

8

This did not work for me. I followed exactly. Not sure what to do from here since we purchased a 3rd party cert and every command issued as expected from the example.

9

Amazingly simple. Thanks a ton! This is way quicker than using open SSL separately and useful if you already have IIS installed with an existing certificate server.