2) Certificates

A Certificate is, simply put, a form of identification that software uses to show that it is trustworthy when it interacts with other software.

This trust is established by a well-known Certificate Authority, who provides a Certificate after verifying that the software in question has not been tampered with by a 3rd party. Usually Certificate Authorities charge a fee in exchange for this service.

Sections:

  1. Limitations of the Temporary Certificate
  2. Replacing your Temporary Certificate
  3. Importing your Certificate
    • Third-Party
    • Self-Signed
  4. Distributing your Certificate

Temporary Self-Signed Certificate

Pleasant Password Server comes with a default, Self-Signed Certificate. This means that the Certificate Authority verifying the software is the developer of the software (Pleasant Solutions).

Security Warnings

Using this Temporary Certificate will still generate warnings in your browser, even if it is properly installed into the Trusted Root Certificate Store. This is due to the browser security policies.

  • These warnings display because the name of the Certificate does not match the domain (the full URL address in the address bar).

[Screenshots: certificate error pages in the Chrome, Firefox, Edge and Internet Explorer browsers]

Replacing Your Certificate

Consider using a purchased Certificate from a reputable Certificate Authority. This provides an additional level of security. If you are making Pleasant Password Server available in an external domain, this is the right choice.

For temporary use, Pleasant Password Server provides a self-signed certificate by default as a placeholder, with a name of PasswordServer_Temporary_Placeholder_Certificate.

For long-term use, replace this Temporary Certificate with one that matches your domain URL, by either:

  • Option A: Install a Third-Party Certificate (Recommended)
    1. Fill out a Certificate Signing Request (CSR) and submit it to a Certificate Authority. The Certificate Authority will then establish that you own the domain, and have proper control.
    2. Purchase the certificate from the Certificate Authority.
    3. Import the certificate, using the Service Config Utility.
    4. (Optionally) Install the Certificate on other machines.

  • Option B: Create a new Self-Signed Certificate
    1. For internal use, this may provide adequate security within your organization.
    2. Use an existing organization certificate, or create one by following this very good, detailed guide.
    3. Then, Import the Certificate, using the Service Config Utility
    4. (Optionally) Install the Certificate on other machines
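
One way to carry out Option B on the server itself is sketched below. This is an added example, not part of the Pleasant Password Server documentation; the host name and file names are assumptions, and the cmdlet parameters used require Windows 10 / Windows Server 2016 or later.

```powershell
# Added example. Run in an elevated PowerShell session on the server.
$dnsName = 'passwords.example.internal'               # assumption: host name users type in the browser
$pfxPath = Join-Path $env:TEMP 'PasswordServer.pfx'   # assumption: file to pick in "Import Certificate"
$cerPath = Join-Path $env:TEMP 'PasswordServer.cer'   # assumption: public part for other machines

# The first DNS name becomes the certificate subject; every name listed is
# written to the Subject Alternative Name extension, which is what browsers
# compare with the address bar. The computer name is added so that
# https://<hostname>:10001 also matches.
$params = @{
    DnsName           = $dnsName, $env:COMPUTERNAME
    CertStoreLocation = 'Cert:\LocalMachine\My'
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'
    KeyExportPolicy   = 'Exportable'     # needed so the private key can go into the .pfx
    NotAfter          = (Get-Date).AddYears(2)
}
$cert = New-SelfSignedCertificate @params

# Certificate plus private key, password protected: this is the *.pfx file the
# Service Configuration Utility asks for. Delete it once it has been imported.
$pfxPassword = Read-Host -Prompt 'Password to protect the .pfx file' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Public certificate only (no private key), for installing on other machines.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Record the thumbprint; it identifies this exact certificate later on.
$cert | Format-List Subject, Thumbprint, NotBefore, NotAfter
```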

 

Other considerations:

  • Self-Signed Certificates are generally considered a less secure option than Third-Party Certificates. It has been suggested that they could be more susceptible to man-in-the-middle attacks, so you may feel that they are not ideal for servers used in a production environment or connected to the internet.
  • Although not usually recommended for security reasons, you can add a permanent certificate exception in your browser, to prevent further error messages such as those above.

Importing a Certificate

(versions 4.1.2+)

To change the Certificate that Password Server uses, run the Pleasant Service Configuration Utility that was packaged and installed with the server. By default, it can be accessed via the Start menu:

Programs -> Pleasant Password Server -> Service Configuration

To use your own Certificate, follow these steps:

  1. Start the Service Configuration Utility.
  2. Click Certificate Configuration.
  3. Click Import Certificate.
  4. Browse for and select the certificate file (must be a *.pfx or *.p12 private key certificate file).
  5. Enter the password for your certificate.
  6. Restart the Password Server service (click here for instructions).
  7. Point your browser at the server.

 

The Certificate used can be reverted back to the default placeholder certificate at any time by clicking the Clear button within the Certificate Configuration section of the Service Configuration Utility.

This setting will persist through future updates of Pleasant Password Server.

For Legacy Versions

(versions 4.1.1 and earlier)

To avoid the certificate error page on an intranet, you must configure Pleasant Password Server to use a certificate name that matches your computer name.

  1. Stop the Pleasant Password Server service.
  2. Find the name of your computer.
    • Open the System control panel.
    • Right-click on My Computer and select Properties... or press Windows+Pause.
    • Look for the Computer name, domain, and workgroup settings.
  3. Open and modify the Pleasant Password Server configuration file.
    • By default, it will be in C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server\PassMan.WindowsService.exe.config
      • NOTE: To edit and save the file, you may need to run your text editor (such as Notepad) with administrative privileges; right-click the program file and click Run as administrator.
    • Find the following section and change PasswordServer_Temporary_Placeholder_Certificate to your computer name.

<serviceCertificate findValue="PasswordServer_Temporary_Placeholder_Certificate"
    x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="Root" />

  4. Save and close the config file.
  5. Restart the Pleasant Password Server service.

 

Now, to get back to the Pleasant Password Server admin page securely, use https://<hostname>:10001

Installing Your Certificate on Other Machines

The last optional step is to install the certificate on other networked computer workstations. This can be done by exporting the certificate from the server computer and importing it on other computers.

Some customers may wish to further automate the distribution using scripts or using their directory's Group Policy.

Here are the simple steps.

  1. Open the Microsoft Management Console (MMC).
    • Type mmc.exe in the Start menu search box or open a Run... dialog, type mmc.exe and click OK.
  2. Click File -> Add/Remove Snap-in...
  3. Add the Certificates snap-in.
    • (Windows Vista/7) Click Certificates from the left pane and click Add.
    • (Other Windows versions) Click Add... then select Certificates and click Add.
  4. Select Computer Account and click Next.
  5. Select Local Computer and click Finish.
  6. Exit the open dialog(s).

 

In the list of folders on the left, the top folder should be Personal followed by Trusted Root Certification Authorities.

These folders represent the various certificate stores for the local computer.

  1. Open Trusted Root Certification Authorities -> Certificates.
  2. Locate the certificate with your computer name.
  3. Right-click on the certificate and select All Tasks -> Export...
  4. Follow the Certificate Export Wizard to save the certificate file.
    • Select: No, do not export the private key
    • Select: Base-64 encoded X.509 (.cer)
  5. Specify a location and file name for the certificate.

 

Securely transport the certificate to your other workstation so that it can be imported. Use the MMC Certificate snap-in as above.

  1. Right-click on Trusted Root Certification Authorities and select All Tasks -> Import...
  2. Select your certificate file.
  3. Complete the Certificate Import Wizard.
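
For scripted distribution, the import on each workstation can be tied to the thumbprint read on the server, so that a file swapped in transit is never added to the trusted roots. This is an added example, not part of the Pleasant Password Server documentation; the function name, share path and thumbprint placeholder are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the workstation.
# Read the expected thumbprint on the server first, for instance with:
#   Get-ChildItem Cert:\LocalMachine\Root | Select-Object Subject, Thumbprint
# and pass it to the workstation separately from the .cer file.

function Install-PinnedRootCertificate {      # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,               # exported .cer file (no private key)
        [Parameter(Mandatory)] [string] $ExpectedThumbprint  # value read on the server
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

    # Thumbprints copied from the MMC often contain spaces; keep hex digits only.
    $expected = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint). Certificate not installed."
    }

    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        throw "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
    }

    # Skip the import if this exact certificate is already a trusted root.
    $store = 'Cert:\LocalMachine\Root'
    if (Test-Path -Path "$store\$($cert.Thumbprint)") {
        Write-Output "Already trusted: $($cert.Subject)"
        return
    }
    Import-Certificate -FilePath $file -CertStoreLocation $store
}

# Constructed values: replace both before running.
$cerFile    = '\\fileserver\deploy\PasswordServer.cer'
$thumbprint = '<THUMBPRINT-READ-ON-THE-SERVER>'
Install-PinnedRootCertificate -Path $cerFile -ExpectedThumbprint $thumbprint
```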