3) Installing a 3rd Party Certificate

Self-signed certificates can provide adequate security on small intranets or in situations with limited users and controlled environments. For larger and more general purpose use, you may want to consider purchasing a certificate so that Pleasant Password Server can be accessed by external users via a domain name (FQDN).

Know your domain name

To ensure that the certificate works with the domain name you will be using, the Common Name of the certificate must match the entire domain name or contain a wildcard (if you are going to use a subdomain).

For instance, if you want to use passwords.yourdomain.com:10001 as your URL, then your certificate should be purchased as either passwords.yourdomain.com or *.yourdomain.com. A wildcard certificate (*) can be used on any subdomain.

Installing your certificate

For Password Server versions 4.1.1 or earlier, refer to these instructions for importing a third-party certificate.

To change the certificate that Password Server uses, run the Pleasant Service Configuration Utility that was packaged and installed with the server. By default, it can be accessed via the Start menu:

Programs -> Pleasant Password Server -> Service Configuration

To use your own certificate, follow these steps:

  1. Start the Service Configuration Utility.
  2. Click Certificate Configuration.
  3. Click Import Certificate.
  4. Browse for and select the certificate file (must be a *.pfx or *.p12 private key certificate file).
  5. Enter the password for your certificate.
  6. Restart the Password Server service (click here for instructions).
  7. Point your browser at the server.

 

At any point, the certificate used can be reverted back to the default placeholder certificate by clicking the Clear button within the Certificate Configuration section of the Service Configuration Utility.

This setting will persist through future updates of Pleasant Password Server.

For legacy versions of Pleasant Password Server (versions 4.1.1 and earlier) 

Installing the certificate 

You will need to download the certificate from your certificate vendor in *.pfx format. This format contains both the public and private keys. The private key is essential as it is used by the server to create the secure connections.

  1. Open the Microsoft Management Console (MMC).
    • Type mmc.exe in the Start menu search box or open a Run... dialog, type mmc.exe and click OK.
  2. Click File -> Add/Remove Snap-in...
  3. Add the Certificates snap-in.
    • [Vista/7] Click Certificates from the left pane and click Add.
    • [XP] Click Add... then select Certificates and click Add.
  4. Select Computer Account and click Next.
  5. Select Local Computer and click Finish.
  6. Exit the open dialog(s).

 

There should be a list of folders on the left. The top folder should be Personal followed by Trusted Root Certification Authorities. These folders represent the various certificate stores for the local computer.

  1. Right-click Personal.
  2. Select All Tasks -> Import...
  3. Click Next on the Certificate Import Wizard welcome page.
  4. Click Browse to locate your certificate file.
  5. Change the file type to Personal Information Exchange (*.pfx, *.p12) to ensure you import the correct file type.
  6. Browse for and select your downloaded certificate.
  7. Make sure you enter the correct password (if any) for your certificate.
  8. Make sure that the certificate is being imported to the Personal certificate store.

Configuring the Server

  1. Stop the Pleasant Password Server service.
    • Open the Services control panel.
    • Find Pleasant Password Server.
    • Right-click and select Stop.
  2. Open and modify the configuration file.
    • By default, it will be in C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server\PassMan.WindowsService.exe.config
      • NOTE: To edit and save the file, you may need to run your text editor (such as Notepad) with administrative privileges; right-click the program file and choose Run as administrator.
  3. Search for the serviceCertificate section.
    • Change findValue to the name of your certificate (e.g. passwords.yourdomain.com).
    • Change the storeName value to "My".
<serviceCertificate
    findValue="passwords.mydomain.com"
    x509FindType="FindBySubjectName"
    storeLocation="LocalMachine"
    storeName="My" />
  4. Save and close the config file.
  5. Restart the Pleasant Password Server service.
    • Return to the Services control panel.
    • Locate and right-click Pleasant Password Server.
    • Select Start.

 

Note: Accessing the Pleasant Password Server website from addresses other than the domain of the certificate (such as https://localhost:10001) will cause the web browser to display a certificate error. This is because browsers check that the domain name in the address bar matches the name on the certificate.
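
A check to run after the legacy import and before restarting the service, as an added example that is not part of the vendor's documentation. It lists what the findValue selects in LocalMachine\My and whether each match has a private key, is within its validity period, and covers the host name users will browse to. The parameter names and the Test-NameCoversHost helper are hypothetical, and it assumes an elevated PowerShell 3.0 or later session and that the server resolves findValue the way the .NET FindBySubjectName find type does.

```powershell
# Added example, not vendor code. Save as a .ps1 file and run elevated.
# $FindValue is what you put in findValue; $HostName is the host in the URL.
param(
    [string]$FindValue = 'passwords.yourdomain.com',   # assumed sample value
    [string]$HostName  = 'passwords.yourdomain.com'    # assumed sample value
)

function Test-NameCoversHost([string]$CertName, [string]$HostToCheck) {
    if ($CertName.StartsWith('*.')) {
        # A wildcard stands in for exactly one left-most label.
        $dot = $HostToCheck.IndexOf('.')
        return ($dot -gt 0) -and ($HostToCheck.Substring($dot) -ieq $CertName.Substring(1))
    }
    return $CertName -ieq $HostToCheck
}

# .NET's FindBySubjectName is a case-insensitive substring comparison, so one
# findValue can select more than one certificate. This filter approximates it.
$found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject.IndexOf($FindValue, [StringComparison]::OrdinalIgnoreCase) -ge 0
})

if ($found.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My matches '$FindValue'."
}
if ($found.Count -gt 1) {
    Write-Warning "$($found.Count) certificates match '$FindValue'; remove stale ones or use a more specific value."
}

$now = Get-Date
$found | ForEach-Object {
    $cert  = $_
    # DnsNameList is the list of DNS names PowerShell exposes for the certificate.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # False: the server cannot use this certificate
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        CoversHost    = [bool]($names | Where-Object { Test-NameCoversHost $_ $HostName })
        NotAfter      = $cert.NotAfter
    }
} | Format-List
```

For a wildcard certificate, pass the wildcard subject (for example *.yourdomain.com) as -FindValue and the full host name as -HostName.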
