Public SSL certificate in 4.5

arno1247 · 2009-11-26T01:23:30.000Z

Been checking out the SSL feaure and bumbed straight into the following:

I set the User Portal for SSL.
Then browsed to the portal for an initial glimp.
I got an certificate error.

So I checked the certificate and this is a cert. made by spiceworks for the local machine name.

Is there anyway I can assign our public ssl certificate, so we can use it on our external web support as well, without trowing the certificate error?

tabrez · 2009-11-26T04:58:09.000Z

Hi Arno,

We’re still in the process of documenting this. The certificate and key are in C:\Program files\spiceworks\httpd\ssl

Make a copy of the existing ones before you replace them with yours. Your cert/key will have to be in pem format.

Hope this helps.

arno1247 · 2009-11-26T05:05:28.000Z

Cool.

Will give this a try soon.

arno1247 · 2009-11-26T05:29:52.000Z

I just looked at a way to export our certificate, but I can not see a way to create .pem format.
Is this an apache format?

I got my cert in .crt format, or I can export it from my IIS webserver.

Can you pls give a brief explanantion about how to get this done?

babbitt · 2009-11-26T12:00:38.000Z

.pem is just the extension that Apache uses. The format is known as base64 encoded X509, not binary or DER-encoded X509.

The bigger challenge is extracting your private key from IIS. I did a little attempt myself just now. First, make IIS export the PFX archive that contains both the certificate and the private key. Then I had to Google around to figure out how to get both out of the PFX archive. I found the link below, and I’ve modified the steps for our environment.

Let us know if this works for you.

I copied the PFX archive to the Spiceworks bin folder and called it “cert_and_key.pfx” to make these command line steps more readable. The last step is just to verify that the password has been removed from the private key.

C:\Program Files\Spiceworks\bin>openssl.exe pkcs12 -in cert_and_key.pfx -nocerts -out ..\httpd\ssl\ssl-private-key.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

C:\Program Files\Spiceworks\bin>openssl.exe pkcs12 -in cert_and_key.pfx -clcerts -nokeys -out ..\httpd\ssl\ssl-cert.pem
Enter Import Password:
MAC verified OK

C:\Program Files\Spiceworks\bin>openssl.exe rsa -in ..\httpd\ssl\ssl-private-key.pem -out ..\httpd\ssl\ssl-private-key.pem
Enter pass phrase for ..\httpd\ssl\ssl-private-key.pem:
writing RSA key

C:\Program Files\Spiceworks\bin>openssl.exe rsa -text -in ..\httpd\ssl\ssl-private-key.pem

(Adapted from Moving SSL Certs from IIS to Apache)

arno1247 · 2009-11-26T14:12:04.000Z

Wauw, this is a litte more complex as expected.

Pls. let me sum up to make sure I understand.

The ssl certificate I got, is a basic godaddy certificate.
To ‘assign’ this to the apache server we first need to extract the certificate and the key to 2 seperate .pem files, used by apache.

By following your above procedure this should work, but how am I gonna get PEM pass phrase, Import Password, etc.

babbitt · 2009-11-26T16:21:41.000Z

Yes, you are right. You need to extract the certificate and the key to two separate .pem files.

The password you must enter is one that you create yourself when you export the PFX archive from IIS.

Here are screenshots from IIS6 on Windows 2003. On the first panel, select “Server Certificate” in order to export the certificate and the private key.

babbitt · 2009-11-26T16:24:02.000Z

In the wizard, select PFX.

babbitt · 2009-11-26T16:24:39.000Z

After the filename it will force you to choose a password for the PFX archive.

After you have the password protected PFX file then go back to the command line steps I quoted earlier to separate the contents into the two pem files and remove the password protection from the private key.

arno1247 · 2009-11-27T06:26:35.000Z

Thanks for the background info.

This sure is no easy / failsafe task as we are used to with Spiceworks, but I’ll give it a try and see if it works.

Then afterwords I might drop in my 2 cents, for a feature request

nickcapsticks5842 · 2009-12-02T06:46:23.000Z

When I try to remove the password and enter a blank one it tells me that I have to have a password of at least 4 characters. Therefore I cannot extract the pem file.

simon219 · 2009-12-02T09:02:01.000Z

I found if you added the -nodes command into the first line of Babbits instructions it didnt require the PEM pass phrase.

C:\Program Files\Spiceworks\bin>openssl.exe pkcs12 -in cert_and_key.pfx -nocerts -out …\httpd\ssl\ssl-private-key.pem -nodes
Enter Import Password:
MAC verified OK

This seemed to do the trick for letting IE access the certificate.

mohammedfiaz · 2009-12-07T07:34:01.000Z

I hope there is going to be a proper guide to doing this?

jeremeyshiers · 2009-12-08T16:25:51.000Z

Just used this to install a fresh “support” Cert on my Spiceworks station. You do need to restart Spiceworks after you get the new .pem files in place then the public cert works great. I used an inexpensive GoDaddy cert since I could use a 2048 key. I think this will be great for my orginization. Thanks Spiceworks