cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - You can subscribe to a forum, label or individual post and receive email notifications when someone posts a new topic or reply. Learn more! X

Apache, ProjectLink and SSL Certificates not trusted

mkohn
3-Newcomer

Apache, ProjectLink and SSL Certificates not trusted

All,

I ran openssl to generate a certificate request that I gave to our security department. They gave me a server.cer back to use as my SSL certificate. Since I never worked with installing SSL on a Linux Apache system I reached out to PTC tech support. They had me follow document CS134592. I mentioned to them I did not need a self-signed and had misgivings in running this. SSL got deployed in Apache. No matter how many keytool iterations I run, I cannot replace the self-signed cert with the one I received from our internal CA. I also found document CS158480 that details exactly what to do which I followed word by word. This also did not help.

Has anyone been through this before and have a solution? Thanks in advanced.

Mitch

15 REPLIES 15
GaryMansell
12-Amethyst
(To:mkohn)

Surely all you need to do is remove the self signed cert from your java keystore?

keytool -delete -alias <cert name> -keystore <ckeystore>

Then you should be good to go, the whole point of Pukka SSL certs is that they are already trusted by both your browser and Java so you don't need to add this one.

mkohn
3-Newcomer
(To:GaryMansell)

Hi Gary,

I am new with working with Linux and keytools. I went through and removed any certs I added over the last few days and the self-signed is still showing up.

Any other ideas? Is it some configuration file I need to change somewhere else?

Thanks,

Mitch

GaryMansell
12-Amethyst
(To:mkohn)

If it it still showing up when you list the certificates in your Java keystore then you have not deleted it.

There are several keystore locations - did you check that the self signed cert does not exist in any of them?

mkohn
3-Newcomer
(To:GaryMansell)

I deleted them from Java/jre/lib/security in cacerts and jssecacerts. Where else are keystores located. Thanks! BTW, so far your answers are better than PTC support.

GaryMansell
12-Amethyst
(To:mkohn)

OK - those are common ones, did you perhaps create a keystore to put the self signed certificate in?

But - I guess the question is, how do you know that the self signed certificate is still in the Java keystore after you deleted it?

Here is a page outlining commands for managing your keystore: The Most Common Java Keytool Keystore Commands

mkohn
3-Newcomer
(To:GaryMansell)

 

So I found the self-signed certificate here: /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.crt] which I verified by running this command openssl x509 -noout -text -in server.crt.

 

I converted the file from security this way: openssl x509 -inform DER -in ams_ssl.cer -out ams_ssl.pem

How do I replace the self-signed with this one? What about the server.key? apchectl will not start if I rename ams_ssl.pem to server.crt which is in httpd-ssl.conf. Therefore if I replace this line:

 

SSLCertificateFile /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.crt/server.crt with the my certificate and comment out SSLCertificateKeyFile /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.key/server.key.

I found that did not work either. Am I even in the ballpark now?

 

GaryMansell
12-Amethyst
(To:mkohn)

I presumed that you had already put the new Pukka Apache certificate and key files into place on your Windchill Apache server...

If you are asking how to create and put a pukka certificate and key file into place on your Apache server, you need to do something like this (this is what I use for Windows machines, Linux will be similar):

Create the CSR and KEY files - the CSR is used to create the .CRT file by your certification authority:

C:\ptc\HTTPServer\bin\openssl.exe req -config C:\ptc\HTTPServer\conf\openssl.cnf -new -newkey rsa:2048 -nodes -keyout C:\Temp\server.key -out C:\Temp\server.csr

Enter the information specific to your server. Don't enter a password in the step above to save the step of removing it later from the key.

Generate certificate on the CA website using the data from the CSR file and move the server.crt file and the ca-bundle.crt file (if necessary) to the Apache Server folders conf/extra/ssl.crt and put the server.key file in the conf/extra/ssl.key folder

You may need to uncomment the ca-bundle line in httpd-ssl.conf if your CA authority requires you to use a ca-bundle.crt file:

SSLCACertificateFile C:/ptc/HTTPServer/conf/extra/ssl.crt/ca-bundle.crt

mkohn
3-Newcomer
(To:mkohn)

All,

All I am trying to do is remove or replace the self-signed certificate with the one I got from my security department. I was hoping that all I need to do is to modify httpd-ssl.conf.

Thanks,

Mitch

GaryMansell
12-Amethyst
(To:mkohn)

You do that in the way that I described in my last response to you.

You may not need to do the CSR step if you already have the .csr and .key files, but Public Key encryption requires you to have both the .key and .crt files on your apache server - they are a matched pair. The .key file is private to your server and the .crt file is what gets presented to your clients as the public key for your server.

If your CA requires you to do so, then you may also need to add their ca-bundle.crt file into your apache loadpoint's ssl.crt folder along with the server.crt file.

You must hence put both the .key and the matching .crt files into place in the directories I outlined previously and then restart Apache, it is nothing to do with the httpd-ssl.conf (unless you need to uncomment the ca-bundle.crt line)

mkohn
3-Newcomer
(To:mkohn)

Gary,

I started off and gave my security department a csr and they gave me a cer file. PTC had me do a self-signed certificate. I want to replace the self-signed with the cer. Why would I redo creating a csr and key file?

Thanks,

Mitch

GaryMansell
12-Amethyst
(To:mkohn)

The process to create the .csr file should also create the .key file (as per my previous instructions) - you need this .key file to go with the .crt file your security dept have returned to you.

mkohn
3-Newcomer
(To:GaryMansell)

Hi Gary,

I understand that and did that. "

openssl req -new -key jgplink.wmata.local.com.key -out jgplink.wmata.local.com.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----"

Mitch

GaryMansell
12-Amethyst
(To:mkohn)

if you have put the server.key file into the conf/extra/ssl.key folder and the server.crt file into conf/extra/ssl.crt (and the ca-bundle.crt file if needed) then you should be done.

Restart Apache - if it does not work, check your apache error log for reasons why.

mkohn
3-Newcomer
(To:GaryMansell)

Yes that part works fine. This is all part of the self-signed portion. I am trying to replace the self-signed certificate with the one my security department gave me to use.

mkohn
3-Newcomer
(To:mkohn)

Basically, the simple solution was to copy the certificate to ssl.crt folder, copy the .key file to the ssl.key folder and modify httpd-ssl.conf to reflect those changes. Also, be sure to do a keytool import into the keystore with the -trustcacerts parameter.

Announcements


Top Tags