2) Certificates


A certificate is, simply put, a form of identification that software uses to identify itself as trustworthy when it interacts with other software.

This trust is established by a Certificate Authority, which provides a certificate after verifying that the software in question has not been tampered with by a third party. Certificate Authorities generally charge a fee for this service.

Pleasant Password Server comes with a self-signed certificate. This means the Certificate Authority verifying the software is the developer of the software (Pleasant Solutions). Self-signed certificates often create SSL warnings, as seen below.

Self-Signed Certificate (default)

For internal use, a self-signed certificate may provide adequate security within your organization. Pleasant Password Server uses a self-signed certificate by default with a name of PasswordServer_Temporary_Placeholder_Certificate.

Security Warnings

However, because of browser security policies, this certificate will generate an error in your browser, even if installed into the trusted root certificate store. This is because the name of the certificate does not match the root address in the address bar.

Chrome Browser

Firefox Browser

Internet Explorer Browser

For additional security, or to make the Pleasant Password Server admin site available using an external domain name, consider purchasing a certificate from a reputable Certificate Authority.

To prevent further error messages such as this, you can add a permanent certificate exception in your browser.

Importing a new certificate

For Password Server version 4.1.1 or earlier, please refer to these instructions for importing a self-signed certificate.

To change the certificate that Password Server uses, run the Pleasant Service Configuration Utility that was packaged and installed with the server. By default, it can be accessed via the Start menu:

Programs -> Pleasant Password Server -> Service Configuration

To use your own certificate, follow these steps:

  1. Start the Service Configuration Utility.
  2. Click Certificate Configuration.
  3. Click Import Certificate.
  4. Browse for and select the certificate file (must be a *.pfx or *.p12 private key certificate file).
  5. Enter the password for your certificate.
  6. Restart the Password Server service (click here for instructions).
  7. Point your browser at the server.

 

The certificate used can be reverted back to the default placeholder certificate at any time by clicking the Clear button within the Certificate Configuration section of the Service Configuration Utility.

This setting will persist through future updates of Pleasant Password Server.
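
A pre-import check for the steps above, as an added example that is not part of the original documentation or Pleasant Solutions' tooling. It confirms that the PFX contains a private key, is within its validity period, and carries a name matching the host name users will type, which is the mismatch behind the browser warning described under Security Warnings. The file path, host name and function name are hypothetical, and the DnsNameList property assumes PowerShell 4.0 or later on Windows.

```powershell
# Added example (not from the product documentation). Run on the server before
# using Import Certificate. The path and host name are hypothetical placeholders.
$PfxPath  = 'C:\Temp\passwordserver.pfx'
$UrlHost  = 'passwords.example.internal'   # name users will type in the address bar
$Password = Read-Host -Prompt 'PFX password' -AsSecureString

# Returns $true when a certificate name (exact, or left-most wildcard) covers $HostName.
function Test-CertNameMatch([string]$Pattern, [string]$HostName) {
    if ($Pattern -eq $HostName) { return $true }     # -eq ignores case for strings
    if ($Pattern.StartsWith('*.')) {
        $parts = $HostName.Split('.', 2)             # "a.b.c" -> "a", "b.c"
        return ($parts.Count -eq 2 -and $Pattern.Substring(2) -eq $parts[1])
    }
    return $false
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
$now  = Get-Date
# DnsNameList holds the SAN DNS names, or the subject name when there is no SAN.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

$report = [pscustomobject]@{
    Subject       = $cert.Subject
    Names         = $names -join ', '
    HasPrivateKey = $cert.HasPrivateKey
    ValidNow      = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    NameMatches   = [bool]($names | Where-Object { Test-CertNameMatch $_ $UrlHost })
    SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # heuristic: subject equals issuer
    Expires       = $cert.NotAfter
}
$report | Format-List

if (-not ($report.HasPrivateKey -and $report.ValidNow -and $report.NameMatches)) {
    Write-Warning "This certificate is not suitable for $UrlHost; fix the failing check(s) before importing."
}
```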

Importing a new certificate - Legacy versions (Versions 4.1.1 and earlier) 

To avoid the certificate error page on an intranet, you must configure Pleasant Password Server to use a certificate name that matches your computer name.

  1. Stop the Pleasant Password Server service.
    • Open the Services admin control panel.
    • Find Pleasant Password Server.
    • Right-click and click Stop.
  2. Find the name of your computer.
    • Open the System control panel.
    • Right-click on My Computer and select Properties... or press Windows+Pause.
    • Look for the Computer name, domain, and workgroup settings.
  3. Open and modify the Pleasant Password Server configuration file.
    • By default, it will be in C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server\PassMan.WindowsService.exe.config
      • NOTE: To edit and save the file, you may need to run your text editor (such as Notepad) with administrative privileges; right-click the program file and click Run as administrator.
    • Find the following section and change PasswordServer_Temporary_Placeholder_Certificate to your computer name.

<serviceCertificate
    findValue="PasswordServer_Temporary_Placeholder_Certificate"
    x509FindType="FindBySubjectName"
    storeLocation="LocalMachine"
    storeName="Root" />

  4. Save and close the config file.
  5. Restart the Pleasant Password Server service.

 

Now, to get back to the Pleasant Password Server admin page securely, use https://<hostname>:10001

Installing the certificate on other computers

The last optional step is to install the certificate on other networked computer workstations. This can be done by exporting the certificate from the server computer and importing it on other computers.

  1. Open the Microsoft Management Console (MMC).
    • Type mmc.exe in the Start menu search box or open a Run... dialog, type mmc.exe and click OK.
  2. Click File -> Add/Remove Snap-in...
  3. Add the Certificates snap-in.
    • [Vista/7] Click Certificates from the left pane and click Add.
    • [XP] Click Add... then select Certificates and click Add.
  4. Select Computer Account and click Next.
  5. Select Local Computer and click Finish.
  6. Exit the open dialog(s).

 

In the list of folders on the left, the top folder should be Personal followed by Trusted Root Certification Authorities. These folders represent the various certificate stores for the local computer.

  1. Open Trusted Root Certification Authorities -> Certificates.
  2. Locate the certificate with your computer name.
  3. Right-click on the certificate and select All Tasks -> Export...
  4. Follow the Certificate Export Wizard to save the certificate file.
    • Select: No, do not export the private key
    • Select: Base-64 encoded X.509 (.cer)
  5. Specify a location and file name for the certificate.

 

Securely transport the certificate to your other workstation so that it can be imported. Use the MMC Certificate snap-in as above.

  1. Right-click on Trusted Root Certification Authorities and select All Tasks -> Import...
  2. Select your certificate file.
  3. Complete the Certificate Import Wizard.
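
The export and import steps above can also be scripted, with a fingerprint check that makes the "securely transport" step verifiable before the file is placed in Trusted Root Certification Authorities. This is an added example, not part of the original documentation; the function names and file path are hypothetical, and it assumes PowerShell 4.0 or later with the PKI module (Windows 8.1 / Server 2012 R2 or newer), run from an elevated prompt.

```powershell
# Added example (not from the product documentation): scripted equivalent of the
# MMC export/import steps, with a fingerprint check before trusting the file.
# C:\Temp\passwordserver.cer is a hypothetical path.

# --- On the server ----------------------------------------------------------
function Export-ServerRootCert([string]$SubjectName, [string]$OutFile) {
    $found = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $SubjectName })
    if ($found.Count -ne 1) {
        throw "Expected 1 certificate named '$SubjectName', found $($found.Count)."
    }
    # Export-Certificate writes the public certificate only, never the private key.
    # -Type CERT produces a DER-encoded .cer, which the import wizard also accepts.
    Export-Certificate -Cert $found[0] -FilePath $OutFile -Type CERT | Out-Null
    # Return the SHA-256 of the file; pass it to the workstation over a separate channel.
    (Get-FileHash -Path $OutFile -Algorithm SHA256).Hash
}

# --- On each workstation ----------------------------------------------------
function Import-VerifiedRootCert([string]$CerFile, [string]$ExpectedSha256) {
    $actual = (Get-FileHash -Path $CerFile -Algorithm SHA256).Hash
    if ($actual -ne ($ExpectedSha256 -replace '[\s:]', '')) {
        throw "Hash mismatch ($actual): the file is not the one exported from the server."
    }
    # Only reached when the file is byte-identical to the server's export.
    Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\Root
}

# Server:       Export-ServerRootCert $env:COMPUTERNAME 'C:\Temp\passwordserver.cer'
# Workstation:  Import-VerifiedRootCert 'C:\Temp\passwordserver.cer' '<hash printed on the server>'
```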