Community Tip - Learn all about PTC Community Badges. Engage with PTC and see how many you can earn! X
All,
I ran openssl to generate a certificate request that I gave to our security department. They gave me a server.cer back to use as my SSL certificate. Since I never worked with installing SSL on a Linux Apache system I reached out to PTC tech support. They had me follow document CS134592. I mentioned to them I did not need a self-signed and had misgivings in running this. SSL got deployed in Apache. No matter how many keytool iterations I run, I cannot replace the self-signed cert with the one I received from our internal CA. I also found document CS158480 that details exactly what to do which I followed word by word. This also did not help.
Has anyone been through this before and have a solution? Thanks in advanced.
Mitch
Surely all you need to do is remove the self signed cert from your java keystore?
keytool -delete -alias <cert name> -keystore <ckeystore>
Then you should be good to go, the whole point of Pukka SSL certs is that they are already trusted by both your browser and Java so you don't need to add this one.
Hi Gary,
I am new with working with Linux and keytools. I went through and removed any certs I added over the last few days and the self-signed is still showing up.
Any other ideas? Is it some configuration file I need to change somewhere else?
Thanks,
Mitch
If it it still showing up when you list the certificates in your Java keystore then you have not deleted it.
There are several keystore locations - did you check that the self signed cert does not exist in any of them?
I deleted them from Java/jre/lib/security in cacerts and jssecacerts. Where else are keystores located. Thanks! BTW, so far your answers are better than PTC support.
OK - those are common ones, did you perhaps create a keystore to put the self signed certificate in?
But - I guess the question is, how do you know that the self signed certificate is still in the Java keystore after you deleted it?
Here is a page outlining commands for managing your keystore: The Most Common Java Keytool Keystore Commands
So I found the self-signed certificate here: /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.crt] which I verified by running this command openssl x509 -noout -text -in server.crt.
I converted the file from security this way: openssl x509 -inform DER -in ams_ssl.cer -out ams_ssl.pem
How do I replace the self-signed with this one? What about the server.key? apchectl will not start if I rename ams_ssl.pem to server.crt which is in httpd-ssl.conf. Therefore if I replace this line:
SSLCertificateFile /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.crt/server.crt with the my certificate and comment out SSLCertificateKeyFile /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.key/server.key.
I found that did not work either. Am I even in the ballpark now?
I presumed that you had already put the new Pukka Apache certificate and key files into place on your Windchill Apache server...
If you are asking how to create and put a pukka certificate and key file into place on your Apache server, you need to do something like this (this is what I use for Windows machines, Linux will be similar):
Create the CSR and KEY files - the CSR is used to create the .CRT file by your certification authority:
C:\ptc\HTTPServer\bin\openssl.exe req -config C:\ptc\HTTPServer\conf\openssl.cnf -new -newkey rsa:2048 -nodes -keyout C:\Temp\server.key -out C:\Temp\server.csr
Enter the information specific to your server. Don't enter a password in the step above to save the step of removing it later from the key.
Generate certificate on the CA website using the data from the CSR file and move the server.crt file and the ca-bundle.crt file (if necessary) to the Apache Server folders conf/extra/ssl.crt and put the server.key file in the conf/extra/ssl.key folder
You may need to uncomment the ca-bundle line in httpd-ssl.conf if your CA authority requires you to use a ca-bundle.crt file:
SSLCACertificateFile C:/ptc/HTTPServer/conf/extra/ssl.crt/ca-bundle.crt
All,
All I am trying to do is remove or replace the self-signed certificate with the one I got from my security department. I was hoping that all I need to do is to modify httpd-ssl.conf.
Thanks,
Mitch
You do that in the way that I described in my last response to you.
You may not need to do the CSR step if you already have the .csr and .key files, but Public Key encryption requires you to have both the .key and .crt files on your apache server - they are a matched pair. The .key file is private to your server and the .crt file is what gets presented to your clients as the public key for your server.
If your CA requires you to do so, then you may also need to add their ca-bundle.crt file into your apache loadpoint's ssl.crt folder along with the server.crt file.
You must hence put both the .key and the matching .crt files into place in the directories I outlined previously and then restart Apache, it is nothing to do with the httpd-ssl.conf (unless you need to uncomment the ca-bundle.crt line)
Gary,
I started off and gave my security department a csr and they gave me a cer file. PTC had me do a self-signed certificate. I want to replace the self-signed with the cer. Why would I redo creating a csr and key file?
Thanks,
Mitch
The process to create the .csr file should also create the .key file (as per my previous instructions) - you need this .key file to go with the .crt file your security dept have returned to you.
Hi Gary,
I understand that and did that. "
openssl req -new -key jgplink.wmata.local.com.key -out jgplink.wmata.local.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----"
Mitch
if you have put the server.key file into the conf/extra/ssl.key folder and the server.crt file into conf/extra/ssl.crt (and the ca-bundle.crt file if needed) then you should be done.
Restart Apache - if it does not work, check your apache error log for reasons why.
Yes that part works fine. This is all part of the self-signed portion. I am trying to replace the self-signed certificate with the one my security department gave me to use.
Basically, the simple solution was to copy the certificate to ssl.crt folder, copy the .key file to the ssl.key folder and modify httpd-ssl.conf to reflect those changes. Also, be sure to do a keytool import into the keystore with the -trustcacerts parameter.