cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Need to share some code when posting a question or reply? Make sure to use the "Insert code sample" menu option. Learn more! X

Windchill SSL Issue : CA Signed SSL Certificate is missing intermediate certificate

Siddharth_Jhs
14-Alexandrite

Windchill SSL Issue : CA Signed SSL Certificate is missing intermediate certificate

Hi Community,

I have recently configured Windchill Server for my client with SSL CA Signed certificate downloaded from DigiCert.

I have replaced server.crt and server.key in Apache and restarted Windchill Server. Currently url is showing secured connection inside VM(might be because SSL certificate is installed on server) but if I am trying to access the URL outside VM, it is showing secured connection but not following certificate hierarchy. (Root-Intermediate-Individual) - Issue is intermediate certificate is missing if accessed outside VM. Attaching Screenshots for reference. Kindly suggest how I can resolve this issue. 

 

 

Thanks,
Siddharth

5 REPLIES 5

This is not a Windchill issue, specifically. You would do better to ask the Apache community, or more generally the web server admin community.  

My guess is that the domain name in the cert is configured within the VM but not externally to the VM.

Are the chain certs in the trust store on the non-servers? In your server.crt is it just the end cert? if so, it should be the concatenation of the entire chain of certs

 

You can do this with cmd (or manually create a text file concatenating all certs)

type windchillserver.crt intermediate1.crt intermediate2.crt root.crt > concatenatedserver.crt

 

The concatenated server cert should look something like this:

-----BEGIN CERTIFICATE-----
encrypted base 64 block for windchill server certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted base 64 block for intermediate 1 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted base 64 block for intermediate 2 certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
encrypted base 64 block for root certificate
-----END CERTIFICATE-----

 

Also, be sure to import your chain into your java keystore. I always start with the root and work down the chain to the server cert. Once you import and accept trust of the root cert, java should trust each subsequent cert... if it doesn't, you know there is a problem with your chain

mmeadows-3
15-Moonstone
(To:jbailey)

I am not an SSL expert by any means.  What I understand is from trial and error (a lot of error), and multiple technical support calls.  It probably isn't the only way to make SSL work, just the one I've stumbled upon.

 

First step is to export all the certs in the chain individual to PEM format.  If your server key pair is in pkcs12 format (a *.pfx file), then it takes a couple of steps to get the private key split out.

pushd %wt_home%\..\HTTPServer\bin

openssl pkcs12 -in D:\PTC\Certs\server.pfx -nocerts -out D:\PTC\Certs\server.temp.key

openssl rsa -in D:\PTC\Certs\server.temp.key -nocerts -out %wt_home%\..\HTTPServer\conf\server.key

openssl pkcs12 -in D:\PTC\Certs\server.pfx -clcerts -nokeys -out D:\PTC\Certs\server.crt

 

If there is a chance this will installation include Navigate, they need to be built in a very specific manner.

 

  • As @jbailey suggests, Windchill (Tomcat) needs the full public cert chain loaded into Java's jssecacerts file.

I use Keystore Explorer to do this on Windows.

 

  • server.key is just the server's private key.

 

  • server.crt should only include the server's public certificate.

I've never tried @jbailey's suggestion to put the full cert chain in the server's public cert file.

Maybe that eliminates having to load the certs on root and intermediate certs in the clients' computer certificate stores?

 

  • The ca-bundle.crt file should include the root and intermediate certs in order, but not the server's cert.

https://www.ptc.com/en/support/article/CS342849

Yours is probably correct, but it wasn't mentioned.

Again, all these files need to be in PEM format.

The ca-bundle.crt can be built manually using copy/paste or via command line.

type {root}.crt {int-1}.crt {int-2}.crt>%wt_home%\..\HTTPServer\conf\ca-bundle.crt

Or

copy {root}.crt + {int-1}.crt + {int-2}.crt %wt_home%\..\HTTPServer\conf\ca-bundle.crt

 

SSL configuration for Windchill and Apache is in several articles and the help center.  This article is if Navigate will be in the mix.

https://www.ptc.com/en/support/article/CS288050

 

Finally, I load the cert chain into Windows via Certificate Manager so the browser will trust the full cert chain.

This all assumes that you have the root, int-1 and int-2 certs that align to your server cert.  And that those certs are are installed on the Windows Computer Certificate Manager of the server, in the appropriate paths: Trusted Root CAs and Intermediate CAs.  I put the server's cert in Trusted Devices.  It works, but I'm not sure that is where it is supposed to be placed.

 

FYI: This article shows the correct way of making changes to Apache's OOTB configuration files.

https://www.ptc.com/en/support/article/cs265514

Use customTemplates or your changes will be wiped out the next time an ANT configuration command is run against Apache.

To deploy the changes: ant -f %wt_hom%\..\HTTPServer\config.xml reconfigure

 

Also, disabling all except TLS 1.2 and 1.3 is important for security today.  Not sure why PTC isn't shipping Windchill's Apache with this already configured...

https://www.ptc.com/en/support/article/CS355457

Agreed on the TLS settings and so many bad ciphers are ootb on!

Concatenating the certs into the server.crt file presents the entire chain to the client.

 

You can test this with an openssl call (go to openssl/bin folder)

 

openssl s_client -connect <server fqdn>:443 

 

Try without the concatenated cert, The call should return the SSL info. Above the SSL cert returned, it will include the chain - with just the server cert it will look something like this:

jbailey_0-1704552853920.png

 

With the concatenated cert you can see all the presented certificates:

jbailey_1-1704552976086.png

 

 

 

Announcements


Top Tags