Adding SSL Certificates to the Virtual Appliance

Created by Steve.Hawkins, last modified by Anthony.Rinaldi on Jul 19, 2016

You can replace the SSL certificate included with the Web Help Desk Virtual Appliance with one of your own. Web Help Desk can manipulate the original keystore.jks file when the certificate's Common Name (CN) does not match the host name.

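After you create your Virtual Appliance, you can:

    • Add a self-signed SSL certificate
    • Add a certificate from a CA
    • Add an existing PFX certificate
    • Resolve untrusted site errors after adding certificates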

These instructions, including those for sudo commands, assume you have root access to the Virtual Appliance. Use the Virtual Appliance login credentials wherever a password is required in the steps that follow.

Add a self-signed SSL certificate

  1. Log on to the Virtual Appliance using the console or an SSH connection.
  2. Navigate to the WebHelpDesk folder on the virtual appliance located at:

    /usr/local/webhelpdesk

  3. Enter the following command:

    sudo ./bin/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore ./conf/keystore_new.jks -validity daysvalid

    where daysvalid is the number of days the certificate is valid.

  4. When prompted, enter a new keystore password.

    This information is required for a later step.

  5. Enter the required information for the new certificate:

    • Your domain name instead of a first and last name. For example:

      webhelpdesk.solarwinds.com

      If you do not use the domain name for the name, you will receive certificate errors.

    • Organizational unit
    • Organization
    • City or locality
    • State or province
    • Two-letter country code

    This information is available to users accessing the Virtual Appliance through a secure connection.

  6. When prompted, enter yes to confirm your new key information.
  7. When prompted for the key password, enter the keystore password you entered in step 4.
  8. Change the keystore permissions by entering the following command:

    sudo chmod 755 ./conf/keystore_new.jks

  9. Back up and copy the keystore_new.jks file using the following command:

    sudo cp conf/keystore_new.jks conf/keystore_new.jks.backup

  10. Edit the ./conf/whd.conf configuration file.

    Open the file by entering:

    sudo vi conf/whd.conf

    (Press i to edit, <esc> to exit edit mode, :w to save edits, and :q to quit the editor.)

    Change the keystore password to the password you entered in step 4 by replacing:

    KEYSTORE_PASSWORD=<oldpassword>

    with:

    KEYSTORE_PASSWORD=<newpassword>

    Then set the keystore file to the new keystore:

    KEYSTORE_FILE=/usr/local/webhelpdesk/conf/keystore_new.jks

  11. Stop Web Help Desk by entering the following command:

    ./whd stop

  12. Start Web Help Desk by entering the following command:

    ./whd start

Add a certificate from a CA

  1. Log on to the Virtual Appliance using the console or an SSH connection.
  2. Navigate to the webhelpdesk folder on the virtual appliance located at:

    /usr/local/webhelpdesk

  3. Enter the following command:

    sudo ./bin/jre/bin/keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore ./conf/keystore_new.jks

  4. When prompted, enter a new keystore password.

    You will need this information for a later step.

  5. Enter the information needed for the new certificate:

    • Your domain name, instead of a first and last name. For example:

      webhelpdesk.solarwinds.com

      If you do not use the domain name for the name, you receive certificate errors.

    • Organizational unit
    • Organization
    • City or locality
    • State or province
    • Two-letter country code

    This information appears to users accessing the Virtual Appliance through a secure connection.

  6. Enter yes when prompted to confirm your new key information.
  7. When prompted for the key password, enter the keystore password you entered in step 4.
  8. Enter the following command:

    sudo ./bin/jre/bin/keytool -certreq -keyalg RSA -alias tomcat -keystore ./conf/keystore_new.jks -file mycertreq.csr

  9. When prompted for the key password, enter the keystore password you entered in step 4.
  10. Submit the CSR to your CA.
  11. After you download the certificate, transfer the certificate to the WebHelpDesk folder on the Virtual Appliance using a file transfer tool (such as WinSCP) and import the CA certificates.
    1. Import the root or intermediate CA certificates. These certificates must be loaded in order: root first, and then the intermediate.

      sudo bin/jre/bin/keytool -import -trustcacerts -alias root -file /usr/local/webhelpdesk/root.crt -keystore /usr/local/webhelpdesk/conf/keystore_new.jks

      sudo bin/jre/bin/keytool -import -trustcacerts -alias intermed -file /usr/local/webhelpdesk/intermediate.crt -keystore /usr/local/webhelpdesk/conf/keystore_new.jks

      Here root.crt and intermediate.crt are example names for the root and intermediate certificate files supplied by your CA.

    2. Import the CA reply (the signed primary certificate for Web Help Desk) under the tomcat alias:

      sudo bin/jre/bin/keytool -import -trustcacerts -alias tomcat -file /usr/local/webhelpdesk/helpdesk.sample.com.crt -keystore /usr/local/webhelpdesk/conf/keystore_new.jks

  12. Back up and copy the keystore_new.jks file using the following command:

    sudo cp conf/keystore_new.jks conf/keystore_new.jks.backup

  13. Edit the whd.conf file so that Web Help Desk does not use the default keystore:

    sudo vi conf/whd.conf

    Press i to edit, <esc> to exit edit mode, :w to save edits, or :q to quit the editor.

  14. In the keystore settings section of the file, add a value for the KEYSTORE_FILE= setting.

    KEYSTORE_FILE=/usr/local/webhelpdesk/conf/keystore_new.jks

  15. Stop Web Help Desk by entering:

    ./whd stop

  16. Start Web Help Desk by entering:

    ./whd start

If you need additional clarification on adding a certificate from a certificate authority to your virtual appliance, see Installing a Certificate from a Certificate Authority on the Tomcat website or your CA help page. SolarWinds Customer Support can only assist you with adding a self-signed certificate to your virtual appliance.

Add an existing PFX certificate

If you currently have a certificate in PFX format (such as .pk12 or .pfx), you can import the certificate to your keystore.

The following procedure uses certificate.pk12 as an example .pfx certificate.

  1. Transfer your .pfx file to the WebHelpDesk folder on the Virtual Appliance using a file transfer tool (such as WinSCP).

  2. Create or select a target keystore for modification.

    For example, you can copy the existing keystore:

    sudo cp ./conf/keystore.jks ./conf/keystore_imported.jks

    When completed, remove the existing certificate, leaving the keystore empty.

    sudo ./bin/jre/bin/keytool -delete -alias tomcat -keystore ./conf/keystore_imported.jks

  3. Import the keypair and certificate from your .pfx file.

    sudo ./bin/jre/bin/keytool -importkeystore -srckeystore certificate.pk12 -srcstoretype PKCS12 -destkeystore ./conf/keystore_imported.jks -destkeystoretype JKS

  4. Modify the whd.conf file to use your modified keystore.

    sudo vi conf/whd.conf

  5. Change the KEYSTORE_FILE setting to:

    KEYSTORE_FILE=/usr/local/webhelpdesk/conf/keystore_imported.jks
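
A post-change check for any of the three procedures above, as an added example (not SolarWinds code): it parses saved keytool -list -v output to confirm that the tomcat alias still holds a private key, that the certificate CN equals the host name users browse to, and that a CA-signed certificate carries its chain. The function names, the sample listing and the sample whd.conf are constructed for illustration.

```shell
#!/bin/sh
# Added example. Audits the text saved from:
#   sudo ./bin/jre/bin/keytool -list -v -keystore ./conf/keystore_new.jks > listing.txt
# Function names and the sample listing / whd.conf below are constructed.

# entry_field LISTING ALIAS FIELD: first "FIELD: value" line inside ALIAS's entry
entry_field() {
  awk -v a="$2" -v f="$3" '
    /^Alias name: / { hit = ($0 == ("Alias name: " a)); next }
    hit && index($0, f ": ") == 1 { print substr($0, length(f) + 3); exit }' "$1"
}

# check_keystore LISTING ALIAS HOST: 0 ok, 1 no private key, 2 CN mismatch, 3 no chain
check_keystore() {
  etype=$(entry_field "$1" "$2" "Entry type")
  owner=$(entry_field "$1" "$2" "Owner")
  issuer=$(entry_field "$1" "$2" "Issuer")
  chain=$(entry_field "$1" "$2" "Certificate chain length")
  cn=$(printf '%s\n' "$owner" | sed -n 's/^CN=\([^,]*\).*/\1/p')
  [ "$etype" = "PrivateKeyEntry" ] || { echo "FAIL: $2 is ${etype:-missing}"; return 1; }
  [ "$cn" = "$3" ] || { echo "FAIL: CN $cn does not match $3"; return 2; }
  [ "$owner" = "$issuer" ] && { echo "OK: self-signed, CN=$cn"; return 0; }
  [ "${chain:-0}" -ge 2 ] || { echo "FAIL: CA-signed, but chain length is ${chain:-0}"; return 3; }
  echo "OK: CA-signed, chain length $chain"
}

# conf_keystore CONF: active (uncommented) KEYSTORE_FILE value; the last one wins
conf_keystore() { sed -n 's/^KEYSTORE_FILE=//p' "$1" | tail -n 1; }

tmp=$(mktemp -d)
cat > "$tmp/good.txt" <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=webhelpdesk.solarwinds.com, OU=IT, O=Example, L=Austin, ST=TX, C=US
Issuer: CN=Example Root CA, O=Example, C=US
EOF
# The same listing as it would look if the CA reply went into a keystore without the key pair
sed 's/^Entry type: PrivateKeyEntry/Entry type: trustedCertEntry/' "$tmp/good.txt" > "$tmp/bad.txt"
printf '#KEYSTORE_FILE=/usr/local/webhelpdesk/conf/keystore.jks\nKEYSTORE_FILE=/usr/local/webhelpdesk/conf/keystore_new.jks\n' > "$tmp/whd.conf"
check_keystore "$tmp/good.txt" tomcat webhelpdesk.solarwinds.com
check_keystore "$tmp/bad.txt" tomcat webhelpdesk.solarwinds.com || echo "exit status $?"
check_keystore "$tmp/good.txt" tomcat 172.31.219.83 || echo "exit status $?"
conf_keystore "$tmp/whd.conf"
```

Exit status 1 means Tomcat has no private key to serve under that alias, status 2 is the CN mismatch that produces the certificate errors mentioned in step 5, and status 3 means clients will not receive the intermediate certificates.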

Resolve untrusted site errors after adding certificates

If you receive an Untrusted Site error after adding a certificate, you can create a permanent exception in Firefox or install the certificate as a trusted certificate in Chrome or IE. Each browser handles security differently.

Both Chrome and Internet Explorer use the Trusted Root Certification Authorities store when verifying certificates. If you install the certificate using the steps for either Internet Explorer or Chrome, you do not need to repeat the steps for the other browser.

The certificate is issued for a specific domain name. If you are accessing Web Help Desk through an IP address, you will receive a security error. In this case, add an entry to the hosts file that maps the IP address to the domain where the certificate was issued.

For example:

172.31.219.83 webhelpdesk.solarwinds.com

Close all instances of Internet Explorer or Chrome and completely clear your cache.

To create a permanent exception for Firefox:

  1. Open a browser to your Virtual Appliance using https.
  2. When the error occurs, expand I Understand the Risks.
  3. Click Add Exception.
  4. When prompted, click Confirm Security Exception.

Use Internet Explorer to install the certificate as a trusted certificate

  1. Open a browser to your Virtual Appliance using https.
  2. When the error occurs, click Continue to the website (not recommended).
  3. In the address bar, click Certificate Error.
  4. Click View Certificates.
  5. In the General tab, click Install Certificate.
  6. Click Next.
  7. Select Place all certificates in the following store, and then click Browse.
  8. Select Trusted Root Certification Authorities, and then click OK.
  9. Click Next.
  10. Click Finish.
  11. When prompted to confirm installation, select Yes.
  12. Close the tab, and restart Internet Explorer.

Use Chrome to install the certificate as a trusted certificate

  1. Open a browser to your Virtual Appliance using https.
  2. When the error occurs, click Proceed Anyway.

    In Chrome version 37, click Advanced Options and then click Proceed Anyway.

  3. In the address bar, click the lock icon to view the site information.
  4. On the Connections tab, click Certificate Information.
  5. On the Details tab, click Copy to File.
  6. Click Next.
  7. Select DER encoded binary X.509 (.CER), and click Next.
  8. Enter a file name.

    By default Chrome saves the certificate in a hidden file at:

    \Users\username\AppData\Local\Google\Chrome\Applications\...

    To avoid making hidden files visible, browse to a different location to save the certificate.

  9. Click Next.
  10. Check the location of the certificate, and click Finish.
  11. In Chrome, open Settings > Advanced Settings, and click Manage certificates.
  12. Navigate to the Trusted Root Certification Authorities tab.
  13. Click Import.
  14. Click Next.
  15. Browse to the certificate you exported, and click Next.
  16. Select Place all certificates in the following store and select Trusted Root Certification Authorities.
  17. Click Next, and click Finish.
  18. When prompted, select Yes.
  19. Close the tab and restart Chrome.
 
Last modified
07:52, 19 Jul 2016