Unfortunately, the updates overwrite the httpd.conf file and you will have to make those modifications after each update.<\/p>\n<\/div>","step":[{"@type":"HowToStep","name":"Backup Spicworks and existing certificate & key.","text":"\nA) Run a full backup of you SW Settings\nB) Navigate to C:\\Program Files\\Spiceworks (x86)\\httpd\\ssl and copy the PEM files to an alternate location.\nC) Navigate to C:\\Program Files (x86)\\Spiceworks\\httpd\\conf and copy the httpd.conf file to an alternate location."},{"@type":"HowToStep","name":"Prepare your system","text":"\nyou can use CERTREQ here and then use CERTUTIL to export the PFX from the Certificate store, but if you want more flexibility over your private key than certreq gives you, use the OpenSSL command line tool to generate your private keys. Then you can do whatever you want with them without that extra step of having to export them from your certificate store.\n\nI will use OpenSSL in this scenario. I used the windows binaries from this alternate site. Win32 OpenSSL v1.0.2h Light https://slproweb.com/products/Win32OpenSSL.html\n\nDuring Installation, change the dll path to the /bin folder to keep everything neat and tidy\nAfter installation, set the environment variable (this variable and the missing .conf file are the reasons why the Spiceworks built in openssl binary can not be used. From an elevated command prompt run \nSet OPENSSL_CONF=C:\\OpenSSL-Win32\\bin\\openssl.cfg (where C:\\OpenSSL-Win32 is the installation directory of OpenSSL)."},{"@type":"HowToStep","name":"Generate Key Pair","text":"\nOpenSSL supports separate or unified commands for creating Key pairs and CSR. It also supports adding encryption to the key. However, apache on Windows requires and unencrypted private key. -----BEGIN RSA PRIVATE KEY-----\nRun the following command to generate the keypair.\nC:>cd \\OpenSSL-Win32\\bin\nC:\\OpenSSL-Win32\\bin>openssl genrsa -out private.key 2048"},{"@type":"HowToStep","name":"Generate the CSR","text":"\nC:\\OpenSSL-Win32\\bin>openssl req -new -key private.key -out spiceworks.csr\nYou are about to be asked to enter information that will be incorporated\ninto your certificate request.\nWhat you are about to enter is what is called a Distinguished Name or a DN.\nThere are quite a few fields but you can leave some blank\nFor some fields there will be a default value,\nIf you enter '.', the field will be left blank.\n-----\nCountry Name (2 letter code) [AU]:\nState or Province Name (full name) [Some-State]:\nLocality Name (eg, city) []:\nOrganization Name (eg, company) [Internet Widgits Pty Ltd]:\nOrganizational Unit Name (eg, section) []:\nCommon Name (e.g. server FQDN or YOUR name) []:\nEmail Address []:\n\nPlease enter the following 'extra' attributes\nto be sent with your certificate request\nA challenge password []:\nAn optional company name []:\n\n***SUBMIT The CSR to your CA and specify apache if asked."},{"@type":"HowToStep","name":"Get the Certificate from CA and Install","text":"\n***STOP Your Spiceworks Services***\n\nEach CA Provides steps for installing the cert on apache. You may have an intermediate cert or a ca bundle that is required to install. Please refer to your CA for exact installation instructions.\n\nin short, you will want to copy your\n(SSLCerticicateKeyFile) private.key to C:\\Program Files (x86)\\Spiceworks\\httpd\\ssl\\ssl-private-key.pem\n(SSLCertificateFile) Spiceworks.crt to C:\\Program Files (x86)\\Spiceworks\\httpd\\ssl\\ssl-cert.pem\n(SSLCertificateChainFile) to C:\\Program Files (x86)\\Spiceworks\\httpd\\ssl\\ssl-cabundle.pem"},{"@type":"HowToStep","name":"Change the SSL Settings","text":"\n**As of 7.5.000095 - the cipher suite has changed. You may just want to change the TLS to remove 1.0\n\nNow we want to tell Apache what SSL protocols we will accept and disable some of the less secure ciphers that can be used.\n\nTo do this scroll to the very bottom of the httpd.conf file and find the section that begins with:\n\n\n\nInside this either comment out or delete the line that begins with \"SSLCipherSuite\". \nNow add these two lines in its place:\n SSLProtocol -All +TLSv1.1 +TLSv1.2\n SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\n\nA bit of further research may allow you to edit this list even further depending on your security requirements. Especially if you are maintaining XP support or older browser support."},{"@type":"HowToStep","name":"Add the ca.bundle or intermediate.pem to httpd.conf","text":"\nIF your ca requires an intermediate certificate or CA Bundle, then KEEP open your httpd.conf file and add the cabundle.pem file name and path\n SSLCertificateChainFile \"ssl\\ssl-cabundle.pem\" add the end of like so\n\n \n SSLEngine on\n SSLOptions +StrictRequire\n SSLProtocol -All +TLSv1.1 +TLSv1.2\n SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH\n SSLHonorCipherOrder on\n SSLCertificateFile \"ssl/ssl-cert.pem\"\n SSLCertificateKeyFile \"ssl/ssl-private-key.pem\"\n\tSSLCertificateChainFile \"ssl/ssl-cabundle.pem\" \n <\/VirtualHost>"},{"@type":"HowToStep","name":"Force all Connections to use SSL","text":"\nAs Spiceworks uses Apache we can easily force all connections to use SSL by implementing a URL rewrite rule.\n\nTo do this we need to edit the httpd.conf file that holds Apache's configuration. This is stored within your Spiceworks installation folder under httpd\\conf.\n\nScroll down towards the end of the httpd.conf file and around line 123 look for the lines that contain:\n\n# error documents\n\nThen ABOVE this line add the following:\n\n \n RewriteEngine On \n\t#Force SSL on all connections \n\tRewriteCond %{HTTPS} off \n RewriteCond %{REMOTE_HOST} !^127\\.0\\.0\\.1 \n RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} \n<\/IfModule>"},{"@type":"HowToStep","name":"Restart Services","text":"[/wrap]\n\n[wrap=step]\n### Step 10: 10. Reapply httpd.conf changes after each update\n\nUnfortunately, the updates overwrite the httpd.conf file and you will have to make those modifications after each update."}]}