Spiceworks comes packaged with a self-signed SSL certificate. While this is fine for most folks, you may want to add your own public SSL certificate obtained from a Certificate Authority (CA).

This how-to demonstrates a fairly simple process for creating and incorporating your own SSL certificate into Spiceworks.

Step 1: Backup Current Spiceworks SSL Certificates And httpd.conf Files

It’s always a good idea to back up config files, right? The same is true when working with the httpd.conf file. Also, you’ll want to keep backup copies of the current SSL certs.

To start, head over to C:\Program Files (x86)\Spiceworks\httpd\conf and copy the httpd.conf file to a safe location (Desktop, Documents, etc.).

Next, head to the \Spiceworks\httpd\ssl folder and do the same for the ssl-cert.pem and ssl-private-key.pem files.

Step 2: Install OpenSSL

Next, we’ll need to install OpenSSL. Why? OpenSSL provides a straightforward way to generate a private key and a certificate signing request (CSR).

Nowadays, openssl.org doesn’t provide Windows binaries, so it’s necessary to find them elsewhere. Currently, this is the site I use: Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions.

After you’ve downloaded that file, run the installer.

After the installation completes, you may need to set an environment variable within Windows. To do that, run the following in a command prompt (where C:\OpenSSL-Win32 is the installation directory of OpenSSL):
set OPENSSL_CONF=C:\OpenSSL-Win32\bin\openssl.cfg

Step 3: Generate A Private Key

Installed OpenSSL and set the environment variable? Good. Now it’s time to generate a private key.

First, bring up a command prompt and run the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr

2048-bit RSA keys are most common, but you may want to check with the CA you’ve chosen.

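One important thing to note is the “-nodes” parameter. This means “no DES encryption”: the private key is written to disk without a passphrase. Why? Apache on Windows requires an unencrypted private key. Using DES will bork this process. Because the key file is unprotected, keep it somewhere only administrators can read.

Your private key will likely be in the C:\OpenSSL directory or in the C:\OpenSSL-Win32 directory.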

Step 4: Fill Out CSR Info

Once the private key has been generated, you’ll be asked to fill out a bit of info. This is for the CSR you’ll be sending to your CA.

If you’re not sure what to enter for these prompts, you’ll want to contact your CA.

NOTE: The common name MUST be the fully qualified domain name (FQDN) of the Spiceworks host. For example: helpdesk.mydomain.com

Your CSR will likely be in the C:\OpenSSL directory or in the C:\OpenSSL-Win32 directory.

Step 5: Send Your CSR To Your CA

Holy acronyms, Batman!

In this step you’ll need to send your CSR to your CA. Normally, you do this via your CA’s web portal but that can vary based on your CA. As with the other steps, ask your CA if you’re in doubt.

When you send the CSR, specify that you’ll be using Apache.

Step 6: Download Your Certificate

Your CA should send your certificate to the email address you specified when creating your CSR. You should also be able to download this from your CA’s web portal.

If you’re downloading the certificate from your CA’s web portal, you’ll likely have a number of different download options. In most cases, you’ll want to choose the “Apache” option. Not sure? Check with your CA!

Step 7: Download The Intermediate Certificate

Some CAs require an intermediate certificate in addition to the primary SSL certificate. It’s always a good idea to check with your CA on this step.

Most likely, you’ll download the intermediate certificate along with your primary SSL certificate if you downloaded it via your CA’s web portal.

Again, if you’re not sure about this step contact your CA! Not knowing whether you need an intermediate certificate or not can cause a lot of frustration in the next few steps.

Step 8: Copy Your Certificate(s) And Primary Key To Spiceworks

Okay, now you should have everything you need. Depending on your CA, you may have one or two certificates to drop into place.

NOTE: At this point you’ll need to shut down Spiceworks and keep it offline until you’re finished with the entire process.

If your CA doesn’t require an intermediate certificate, you’ll want to copy your SSL certificate to the C:\Program Files (x86)\Spiceworks\httpd\ssl folder. Then, rename the certificate to ssl-cert.pem.

If your CA requires an intermediate certificate as well, follow the step mentioned above and then copy your intermediate certificate to the C:\Program Files (x86)\Spiceworks\httpd\ssl directory and rename to ssl-intermediate.pem.

NOTE: This is probably the single-most confusing part of the process. If you don’t know which certificate is the primary and which is the intermediate, contact your CA! They’ll be able to tell you and it will save you the headache of trial and error.

Finally, copy your private key over to the C:\Program Files (x86)\Spiceworks\httpd\ssl folder and rename it to ssl-private-key.pem.

Step 9: Edit The httpd.conf File

Done with that? Great!

If you don’t have an intermediate certificate, you can skip this step. Go ahead. Do it.

Still here? You must have an intermediate certificate, then. Head over to C:\Program Files (x86)\Spiceworks\httpd\conf and open the httpd.conf file.

Toward the bottom, you’ll see the following lines:
<VirtualHost *:443 >
SSLEngine on
SSLOptions +StrictRequire
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!ADH
SSLCertificateFile "ssl/ssl-cert.pem"
SSLCertificateKeyFile "ssl/ssl-private-key.pem"

We’ll want to add the following line directly after the SSLCertificateKeyFile line, just before the closing </VirtualHost> line. Use plain straight quotes around the path:
SSLCertificateChainFile "ssl/ssl-intermediate.pem"

So, when you’re finished, you should have:
<VirtualHost *:443 >
SSLEngine on
SSLOptions +StrictRequire
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite HIGH:!ADH
SSLCertificateFile "ssl/ssl-cert.pem"
SSLCertificateKeyFile "ssl/ssl-private-key.pem"
SSLCertificateChainFile "ssl/ssl-intermediate.pem"

Now, save the httpd.conf file.

Step 10: Start Spiceworks

Woo! Made it through…

Now, all you need to do is start Spiceworks. If the app won’t start, shut down Spiceworks, restore the original certificate files and httpd.conf file, and read back through the steps to see if you missed anything.

Most often, problems stem from renaming the incorrect files. For example, you may have renamed the primary certificate to “ssl-intermediate” instead of “ssl-cert” by accident.

If the app starts, we’re golden!

When updating Spiceworks in the future, it may be necessary to drop the certificate files and httpd.conf file back into place once more.

To avoid headaches, go ahead and create a backup of the httpd folder and save it someplace outside of the Spiceworks installation directory.

Then, during the next update, drop the httpd folder back into place.

Now that you’ve finished, you have your own public SSL cert incorporated into Spiceworks.

If you’re stuck at any point in this process, it’s always a good idea to reach out to your CA and ensure you’ve downloaded the correct files and renamed them correctly.

43 Spice ups
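
The renaming mistakes described in Steps 8 and 10 can be caught before Spiceworks is started. The script below is an added example, not part of the original how-to: it checks that each file in the ssl folder holds the right kind of PEM block, that the key is unencrypted, that the certificate matches the private key, and that the intermediate actually issued the primary certificate. The script name and its -SslDir and -HasIntermediate parameters are made up for this example; it assumes openssl.exe is on the PATH, the default install path from Step 1, and a single certificate in ssl-intermediate.pem.

```powershell
# Added example, not part of the original how-to. Save as Test-SpiceworksCert.ps1
# (hypothetical name). Assumes openssl.exe is on PATH and the default install path.
param(
    [string]$SslDir = 'C:\Program Files (x86)\Spiceworks\httpd\ssl',
    [switch]$HasIntermediate   # pass this if your CA supplied an intermediate
)
$expected = [ordered]@{ 'ssl-cert.pem' = 'CERTIFICATE'; 'ssl-private-key.pem' = 'PRIVATE KEY' }
if ($HasIntermediate) { $expected['ssl-intermediate.pem'] = 'CERTIFICATE' }
$problems = @()

foreach ($name in $expected.Keys) {
    $path = Join-Path $SslDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # Hidden file extensions leave names such as ssl-cert.pem.crt behind.
        $near = @(Get-ChildItem -LiteralPath $SslDir -Filter "$name.*" | ForEach-Object Name)
        $problems += "$name is missing. Similar files found: $($near -join ', ')"
        continue
    }
    $text = Get-Content -LiteralPath $path -Raw
    if ($text -notmatch '-----BEGIN (?<label>[A-Z0-9 ]+)-----') {
        $problems += "$name has no PEM header"
    } elseif ($Matches['label'] -notlike "*$($expected[$name])") {
        $problems += "$name holds a '$($Matches['label'])' block, expected $($expected[$name])"
    } elseif ($Matches['label'] -like 'ENCRYPTED*' -or $text -match 'Proc-Type: 4,ENCRYPTED') {
        $problems += "$name is passphrase-protected; Step 3 needs -nodes"
    }
}

if (-not $problems) {
    $cert = Join-Path $SslDir 'ssl-cert.pem'
    $key  = Join-Path $SslDir 'ssl-private-key.pem'
    # The certificate must carry the public half of the key generated in Step 3.
    $certPub = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
    $keyPub  = (& openssl pkey -in $key -pubout) -join "`n"
    if (-not $certPub -or $certPub -ne $keyPub) {
        $problems += 'ssl-cert.pem does not match ssl-private-key.pem'
    }
    if ($HasIntermediate) {
        # A swapped primary/intermediate pair fails this issuer/subject comparison.
        $chain   = Join-Path $SslDir 'ssl-intermediate.pem'
        $issuer  = (& openssl x509 -in $cert -noout -issuer -nameopt RFC2253) -replace '^issuer=\s*'
        $subject = (& openssl x509 -in $chain -noout -subject -nameopt RFC2253) -replace '^subject=\s*'
        if (-not $issuer -or $issuer -ne $subject) {
            $problems += "ssl-cert.pem issuer is '$issuer' but ssl-intermediate.pem is '$subject'"
        }
    }
}
if ($problems) { $problems | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Certificate files are consistent; continue with Step 10.' }
```

Run it from an elevated PowerShell prompt while Spiceworks is still shut down, adding -HasIntermediate only if you completed Step 9.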

Thanks for the write up on this process. Always helps!

Was planning already. Good thing you have it ahead of me.
Thank you!

What is the impact on Remote Agents and Remote Collectors set up with the original Self Signed Cert? Is a reinstall required for the RAs? Do I need to accomplish these steps for the RCs? Thanks as I am trying to get a feel for the scope of effort ahead.

Worked flawlessly with StartSSL.com free certificate. Thanks. A good thing would be to integrate SW with Let’s Encrypt.

Will this step work if I generated the certificate through IIS? I already have the .pem file; after following the step the site is still untrusted.

Thanks for sharing this. I use my own internal CA so this worked for me too.

I’m having trouble with this. It seems that my old cert (the one that worked and I believe I originally created with IIS) says “-----BEGIN RSA PRIVATE KEY-----” but the key I got back from GoDaddy downloading the Apache cert says “-----BEGIN CERTIFICATE-----”.

When I try to install the cert using the instructions by only renaming the cert, the Apache service won’t start and errors out.

What am I missing?

Never mind. It seems what I thought was the issue wasn’t an issue at all.

I completely missed which files to rename to what (even though he explicitly said to pay attention). I was using the actual cert for the private key not realizing the private.key file that was created during the openssl commands located in the openssl directory was the file that I had to put in the httpd/ssl folder and rename ssl-private-key.pem.

Next time I’ll follow directions better.

For anyone else that goes through these steps and gets stuck on the “Starting Up” splash screen, here is one thing you can check: my certs came from startssl with .crt extensions. I had to stop Windows from hiding the extension of files so when I renamed the files it wouldn’t try to keep the .crt extension. It was naming my file ssl-cert.pem.crt instead of ssl-cert.pem. Now that I’ve done that all is well. Thanks for this write up.

Thanks for this, worked great. Up and running in no time. Thanks to Luke05478 also about the file extensions tip, ashamed to admit I had made that mistake initially!

On step 3 I received a message: ‘openssl’ is not recognized as an internal or external command, operable program or batch file.
What have I done wrong to this point?

Openssl is installed and I checked environmental labels and everything is configured properly

Are you including the OpenSSL part of the text in the command as per the instructions? If so remove that, it should start with “req”

I tried both with openssl and just the req and both get not recognized as internal or external command.

I am getting the error when I run the following command. Please help.
C:\OpenSSL-Win64>openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
‘openssl’ is not recognized as an internal or external command,
operable program or batch file.

ZackaryCSOS
To let it work, first navigate to the path C:\OpenSSL-Win32\bin, then type the command.

" cd C:\OpenSSL-Win32\bin "

Sorry, but no. If I try to run this from the bin folder, I get this:

C:\OpenSSL-Win64\bin>openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
Can’t open C:\Program Files\Common Files\SSL/openssl.cnf for reading, No such file or directory
2632:error:02001003:system library:fopen:No such process:crypto\bio\bss_file.c:74:fopen(‘C:\Program Files\Common Files\SSL/openssl.cnf’,‘r’)
2632:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:
Generating a 2048 bit RSA private key
…+++
…+++
writing new private key to ‘private.key’

unable to find ‘distinguished_name’ in config
problems making Certificate Request
2632:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:

I added the environment variable as described above. There appears to be a PATH problem, but does anyone have any ideas?

+1 to David4845. I received the same errors. It did produce a private.key output file, but I’m concerned that it’s not correct based on the errors. I also added the environment variable and double checked it for accuracy. I would appreciate any feedback on this.

I’m having an issue with step 8. The Apache download for GoDaddy consists of two certificate files with .crt file extension and a private key with a .pem extension. Am I supposed to rename these file extensions? Any help would be appreciated.

Step 3 isn’t fully developed if you are using PowerShell (Run as Admin). You need to add ./ to the front of the command to ensure PS knows what it’s executing. Make sure to change the directory first.

PS C:\Windows\system32> cd c:\openssl-win32\bin

PS C:\openssl-win32\bin> ./openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr