Community Tip - Learn all about PTC Community Badges. Engage with PTC and see how many you can earn! X
Hi Community,
I have recently configured Windchill Server for my client with SSL CA Signed certificate downloaded from DigiCert.
I have replaced server.crt and server.key in Apache and restarted Windchill Server. Currently url is showing secured connection inside VM(might be because SSL certificate is installed on server) but if I am trying to access the URL outside VM, it is showing secured connection but not following certificate hierarchy. (Root-Intermediate-Individual) - Issue is intermediate certificate is missing if accessed outside VM. Attaching Screenshots for reference. Kindly suggest how I can resolve this issue.
Thanks,
Siddharth
This is not a Windchill issue, specifically. You would do better to ask the Apache community, or more generally the web server admin community.
My guess is that the domain name in the cert is configured within the VM but not externally to the VM.
Are the chain certs in the trust store on the non-servers? In your server.crt is it just the end cert? if so, it should be the concatenation of the entire chain of certs
You can do this with cmd (or manually create a text file concatenating all certs)
type windchillserver.crt intermediate1.crt intermediate2.crt root.crt > concatenatedserver.crt
The concatenated server cert should look something like this:
-----BEGIN CERTIFICATE-----
encrypted base 64 block for windchill server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted base 64 block for intermediate 1 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted base 64 block for intermediate 2 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted base 64 block for root certificate
-----END CERTIFICATE-----
Also, be sure to import your chain into your java keystore. I always start with the root and work down the chain to the server cert. Once you import and accept trust of the root cert, java should trust each subsequent cert... if it doesn't, you know there is a problem with your chain
I am not an SSL expert by any means. What I understand is from trial and error (a lot of error), and multiple technical support calls. It probably isn't the only way to make SSL work, just the one I've stumbled upon.
First step is to export all the certs in the chain individual to PEM format. If your server key pair is in pkcs12 format (a *.pfx file), then it takes a couple of steps to get the private key split out.
pushd %wt_home%\..\HTTPServer\bin
openssl pkcs12 -in D:\PTC\Certs\server.pfx -nocerts -out D:\PTC\Certs\server.temp.key
openssl rsa -in D:\PTC\Certs\server.temp.key -nocerts -out %wt_home%\..\HTTPServer\conf\server.key
openssl pkcs12 -in D:\PTC\Certs\server.pfx -clcerts -nokeys -out D:\PTC\Certs\server.crt
If there is a chance this will installation include Navigate, they need to be built in a very specific manner.
I use Keystore Explorer to do this on Windows.
I've never tried @jbailey's suggestion to put the full cert chain in the server's public cert file.
Maybe that eliminates having to load the certs on root and intermediate certs in the clients' computer certificate stores?
https://www.ptc.com/en/support/article/CS342849
Yours is probably correct, but it wasn't mentioned.
Again, all these files need to be in PEM format.
The ca-bundle.crt can be built manually using copy/paste or via command line.
type {root}.crt {int-1}.crt {int-2}.crt>%wt_home%\..\HTTPServer\conf\ca-bundle.crt
Or
copy {root}.crt + {int-1}.crt + {int-2}.crt %wt_home%\..\HTTPServer\conf\ca-bundle.crt
SSL configuration for Windchill and Apache is in several articles and the help center. This article is if Navigate will be in the mix.
https://www.ptc.com/en/support/article/CS288050
Finally, I load the cert chain into Windows via Certificate Manager so the browser will trust the full cert chain.
This all assumes that you have the root, int-1 and int-2 certs that align to your server cert. And that those certs are are installed on the Windows Computer Certificate Manager of the server, in the appropriate paths: Trusted Root CAs and Intermediate CAs. I put the server's cert in Trusted Devices. It works, but I'm not sure that is where it is supposed to be placed.
FYI: This article shows the correct way of making changes to Apache's OOTB configuration files.
https://www.ptc.com/en/support/article/cs265514
Use customTemplates or your changes will be wiped out the next time an ANT configuration command is run against Apache.
To deploy the changes: ant -f %wt_hom%\..\HTTPServer\config.xml reconfigure
Also, disabling all except TLS 1.2 and 1.3 is important for security today. Not sure why PTC isn't shipping Windchill's Apache with this already configured...
Agreed on the TLS settings and so many bad ciphers are ootb on!
Concatenating the certs into the server.crt file presents the entire chain to the client.
You can test this with an openssl call (go to openssl/bin folder)
openssl s_client -connect <server fqdn>:443
Try without the concatenated cert, The call should return the SSL info. Above the SSL cert returned, it will include the chain - with just the server cert it will look something like this:
With the concatenated cert you can see all the presented certificates: