How to install a private SSL certificate


Hi there everyone! Over the past year or so, I've seen a lot of discussion dealing with getting third-party SSL certificates to work in ServiceDesk. Within that discussion, many of you have had a terrible time getting it to work properly, and some I don't think ever got it to work at all. I myself didn't have the need to mess with it, so I've never investigated the problem. However, that has now changed.

I believe part of the problem is that you are expected to either use the certificate generated by ServiceDesk itself when you enable an https port (self-signed), or to go through a third-party certificate authority like GoDaddy, Verisign, etc. For those vendors, the instructions we've seen several times for installing the certificates may work fine. However, some people may want to use an internal CA, such as the certification services provided in Windows Server 2003. That service integrates with Active Directory in order to authorize itself to all domain member computers as a Trusted Root Authority (meaning no manual certificate installation on end user PCs), and offers a much better level of security verification than a self-signed certificate can offer.

Today my boss instructed me to see how the SSL setup for ServiceDesk could work using a certificate generated from Windows Server 2003 running Certificate Services. It took me a while, but I was finally able to do so, so now I'm going to share what I learned. This process is going to assume that you are currently running ServiceDesk in standard http (non-SSL) mode. I will not list instructions here for setting up Certificate Services in Server 2003, because it's really beyond the scope of this forum. But don't worry, it's fairly quick and easy to do, and there are plenty of articles online that show you how to do it. Now, let's go create a certificate!


*  Shut down ServiceDesk if it is currently running

*  Open a command prompt and navigate to C:\AdventNet\ME\ServiceDesk\jre\bin (this path may vary depending on where you installed SDP)

*  Execute the following command (you may use an alias other than "tomcat" if you want):

keytool -genkey -alias tomcat -keyalg RSA -keystore sdp.keystore

*  Enter a keystore password. Then when instructed to enter first and last name, DON'T. Type in the name of the server you're running ServiceDesk on. I would personally recommend using the FQDN, but you could use the basic hostname as well. Use whichever one your users are most likely to use. Hostname is easier to type, but FQDN may be necessary in order to be accessible across multiple networks. Continue filling out the other details as you see fit. I would recommend using the same password for both the key and keystore. If you goofed up somewhere, just delete the sdp.keystore file and run the command again to recreate the file.

*  Execute the following command (you will be prompted to enter the keystore password you just created):

keytool -certreq -keyalg RSA -alias tomcat -file newkey.txt -keystore sdp.keystore

*  Open the newkey.txt file in Notepad or another text editor, and copy the contents to the clipboard

*  Open Internet Explorer and navigate to http://caserver/certsrv where "caserver" is the name of the Windows Server 2003 system where you have installed Certificate Services. I'm guessing you'll need to be a domain administrator in order to request a certificate, but I'm not 100% sure on that.

*  Click "Request a certificate" and select "advanced certificate request"

*  Click the middle option, "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file."

*  Paste the contents of that newkey.txt file into the first text entry box, change the Certificate Template selection to "Web Server", and click Submit

*  You should now see the download links for your certificate. Click the link that says "Download certificate chain" and save the file (certnew.p7b) to the same directory you're in with your command prompt window, which by default is C:\AdventNet\ME\ServiceDesk\jre\bin.

*  Click the Home link in the upper right corner of the certificate web page and click "Download a CA certificate, certificate chain, or CRL". Then click "Download CA certificate" and save the file to the same directory as in the previous step. I would recommend naming this file "cacert.cer" so as to not confuse it with the other certificate. You can now close Internet Explorer.

*  Back in the command prompt, execute the following command:

keytool -import -alias tomcat -keystore sdp.keystore -trustcacerts -file certnew.p7b

*  Now here's the major step that's been missing. You must add your private CA's root certificate to the list of trusted CAs in the Java cacerts file, or else ServiceDesk will not start with the main certificate in place. To do so, execute the following command (the password, when prompted, is "changeit", and when it asks you if you want to authorize it, type "yes"):

keytool -import -alias myprivateca -keystore ..\lib\security\cacerts -file cacert.cer

*  Copy the sdp.keystore file from C:\AdventNet\ME\ServiceDesk\jre\bin to C:\AdventNet\ME\ServiceDesk\server\default\conf, overwriting the existing file if there is one

*  Back in the command prompt window, navigate to C:\AdventNet\ME\ServiceDesk\bin and run the following command (port 443 is the standard https port, but you may use a different one if you like):

changeWebServerPort.bat 443 https

*  Open the server.xml file from C:\AdventNet\ME\ServiceDesk\server\default\deploy\jbossweb-tomcat50.sar in a text editor. Find the "keystorepass" parameter and change the value from "sdpsecured" to whatever the password is that you defined for the keystore file earlier.

*  All done! Restart ServiceDesk for all changes to take effect. You should now have an SSL connection to ServiceDesk without the hassle and cost of a big name internet CA, which is really overkill anyway, and without the lack of security that self-signed certificates have.
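As an added example (not part of the original post and not ServiceDesk's own tooling), the following PowerShell script drives the same keytool, copy and server.xml steps end to end and checks the result at each stage, which is where most of the reported failures hide. It assumes the paths, alias and file names used in the post; the hostname and the OU/O/C fields of the distinguished name are constructed placeholders. On the first run it creates the keystore and CSR and stops so you can submit newkey.txt to the CA; once certnew.p7b and cacert.cer are in jre\bin, a second run imports the private root into cacerts first (so keytool can build the chain without prompting), imports the CA reply, verifies that the alias now carries a chain of length 2 or more with the expected CN, copies the keystore into place, switches the port to https and rewrites keystorePass in server.xml.

```powershell
<#
  Added example, not from the original post or from ServiceDesk. Assumes the
  layout, alias and file names used in the post above; $Hostname and the
  OU/O/C parts of the DN are placeholders you must change.
#>
param(
    [string]$SdpRoot   = 'C:\AdventNet\ME\ServiceDesk',
    [string]$Hostname  = 'helpdesk.corp.example',   # placeholder FQDN users will type
    [string]$Alias     = 'tomcat',
    [string]$CaAlias   = 'myprivateca',
    [int]   $HttpsPort = 443
)
$ErrorActionPreference = 'Stop'

$jreBin    = Join-Path $SdpRoot 'jre\bin'
$keytool   = Join-Path $jreBin  'keytool.exe'
$cacerts   = Join-Path $SdpRoot 'jre\lib\security\cacerts'
$keystore  = Join-Path $jreBin  'sdp.keystore'
$csrFile   = Join-Path $jreBin  'newkey.txt'
$p7b       = Join-Path $jreBin  'certnew.p7b'
$caCer     = Join-Path $jreBin  'cacert.cer'
$confDir   = Join-Path $SdpRoot 'server\default\conf'
$serverXml = Join-Path $SdpRoot 'server\default\deploy\jbossweb-tomcat50.sar\server.xml'

function Invoke-Keytool {
    # Runs keytool and turns a non-zero exit code into a terminating error.
    param([string[]]$KeytoolArgs)
    $out = & $keytool @KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool $($KeytoolArgs[0]) failed (exit $LASTEXITCODE)" }
    return $out
}

# One password for both key and keystore, as the post recommends.
$pass = (Get-Credential -UserName $Alias -Message 'Keystore / key password').GetNetworkCredential().Password

if (-not (Test-Path $keystore)) {
    # CN must be the server name users connect to, not a person's first and last name.
    $null = Invoke-Keytool @('-genkey', '-alias', $Alias, '-keyalg', 'RSA', '-storetype', 'JKS',
        '-keystore', $keystore, '-dname', "CN=$Hostname, OU=IT, O=Example Org, C=US",
        '-storepass', $pass, '-keypass', $pass)
    $null = Invoke-Keytool @('-certreq', '-alias', $Alias, '-file', $csrFile,
        '-keystore', $keystore, '-storepass', $pass)
    Write-Host "CSR written to $csrFile. Submit it at http://caserver/certsrv (Web Server template),"
    Write-Host "save certnew.p7b and cacert.cer into $jreBin, then run this script again."
    return
}

foreach ($f in $p7b, $caCer) {
    if (-not (Test-Path $f)) { throw "Missing $f - download it from the CA web page first." }
}

# Trust the private root in the JRE's cacerts before importing the reply. The cacerts
# password is the Java default "changeit"; skip the import if the alias is already there.
$null = & $keytool -list -alias $CaAlias -keystore $cacerts -storepass changeit
if ($LASTEXITCODE -ne 0) {
    $null = Invoke-Keytool @('-import', '-noprompt', '-alias', $CaAlias,
        '-keystore', $cacerts, '-storepass', 'changeit', '-file', $caCer)
}

# Import the CA reply (the whole chain from certnew.p7b) onto the existing private key.
$null = Invoke-Keytool @('-import', '-noprompt', '-trustcacerts', '-alias', $Alias,
    '-keystore', $keystore, '-storepass', $pass, '-file', $p7b)

# Check: a CA-signed entry shows a chain of 2+ certificates; a lone self-signed cert shows 1.
$detail   = (Invoke-Keytool @('-list', '-v', '-alias', $Alias, '-keystore', $keystore, '-storepass', $pass)) -join "`n"
$chainLen = [int]([regex]::Match($detail, 'Certificate chain length:\s*(\d+)').Groups[1].Value)
if ($chainLen -lt 2) { throw "Chain length is $chainLen; the CA reply was not applied to alias $Alias." }
if ($detail -notmatch "CN=$([regex]::Escape($Hostname))") { throw "Leaf certificate CN does not match $Hostname." }

# Put the keystore where Tomcat reads it, keeping a copy of any existing one.
$target = Join-Path $confDir 'sdp.keystore'
if (Test-Path $target) { Copy-Item $target "$target.bak" -Force }
Copy-Item $keystore $target -Force

# Switch the web server to https on the chosen port.
Push-Location (Join-Path $SdpRoot 'bin')
try { & .\changeWebServerPort.bat $HttpsPort https } finally { Pop-Location }

# Replace the default keystorePass="sdpsecured" with the real password (XML-escaped;
# '$' doubled so the regex replacement does not treat it as a group reference).
Copy-Item $serverXml "$serverXml.bak" -Force
$xml         = [IO.File]::ReadAllText($serverXml)
$escaped     = [System.Security.SecurityElement]::Escape($pass).Replace('$', '$$')
$updated     = [regex]::Replace($xml, '(?i)keystorePass="[^"]*"', "keystorePass=`"$escaped`"")
if ($updated -eq $xml) { throw "No keystorePass attribute found in $serverXml." }
[IO.File]::WriteAllText($serverXml, $updated)
Write-Host "Done. Start ServiceDesk and browse to https://${Hostname}:$HttpsPort/"
```

Run it from an elevated PowerShell window while ServiceDesk is stopped. Two points worth knowing before relying on it: the cacerts file it edits belongs to the JRE bundled with ServiceDesk, so an upgrade that replaces that JRE also discards the private root, and the CA import has to be repeated; and passing -storepass on the command line exposes the password to anyone who can list processes on the box for the moment keytool runs, which the interactive prompts in the post above avoid (the password is stored in clear text in server.xml either way, so the file system permissions on that directory are what actually protect it).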

Well, I hope I was able to clearly explain everything here. These instructions may apply to installing certificates from other sources as well, with a bit of tweaking. The main thing here is that if you use some sort of private, local CA system to create your certificates, you need to add it to the authorized CA list in Java, or else any keystores you populate with the certificates generated by it won't work in ServiceDesk.

Anyway, I certainly love a good challenge, and this proved to be one. Now I just hope somebody else can benefit from all my hard work. :D
