The PasswordManagerPro web site lists the following FAQ on how to setup an SSL certificate that is signed by a trusted Certificate Authority.
However this discusses the use of either KeyTool or OpenSSL, neither of which are installed on a windows server and the article does not discuss the use of a Microsoft CA which surely is a very common deployment scenario?
I worked on this for quite a while getting quite frustrated with the poor instructions provided in the FAQ. Once solved, the solution is amazingly easy and I thought it worth blogging about it.
Step 1: Create a certificate template that allows you to export the private key.
Manage the certificate templates
Duplicate template , web server certificate as a Windows Server 2008 Enterprise template and give the template a new Name, I called mine PMP in my test lab.
Edit the template security to allow the PMP server to request a certificate
On the request handling tab check “allow private key to be exported” and click OK to save the template
Close the “manage template” window and then publish the certificate template to the CA by right clicking in the certificate template pane and selecting New\Certificate Template to Issue
Select the template you just created and click OK
Log off the CA
Step 2: Issue the certificate to the PMP server.
Logon to the PMP server and open a new MMC
Add the certificates template to the MMC and target the computer account.
Request a new certificate in the computers personal store
Click Next on the welcome screen and Next on the enrolment screen
Select the template you created in step 1
Step 3: Export the certificate and it’s private key
Click next on the welcome screen and select the “Yes, export the private key” radio button and click Next.
Accept the defaults and click next
Check the “Password” box and enter a password – this password will be used when configuring the PMP web service so make sure you record this securely. We can even store a copy of this key in the PMP configuration of course.
Set the output filename
Click finish to export the certificate with the associated private key
Step 4: Configure PMP to use the new certificate.
Stop the PMP service if it’s running
Copy the exported certificate file to the PMP/conf folder
Make a copy of the existing server.xml so you can roll back to the previous version if you need to
Edit the server.xml as follows
Locate the line keyword keystoreFile=”conf/server.keystore” keystorePass=”passtrix”
Change it to use the certificate you exported in step 2.
add the keystoreType just after the keystorePass attribute
Save the file
Start the PMP server
If you followed the procedure correctly then the server will start and when you connect, using the DNS name of the server, the new trusted certificate will be used and you won’t see the cert error any more.
That’s all folks!