SSL Certificate Installation on the FileCatalyst Server Using a PFX File
Posted by Aly Essa, Last modified by Aly Essa on 20 April 2018 02:46 PM

Overview

When buying a certificate from a certificate vendor, you will receive or download your certificate in one of several file formats depending on who you purchased it from and the purpose you requested it for. You need to buy or have a certificate for FileCatalyst Server authentication. The FileCatalyst Server will not be on the list of selectable servers when you order your certificate, so you will likely need to choose this from the vendor's menu.

We prefer using the PFX method as it is the easiest method to work with. For the FileCatalyst Server we need the following components:

  • Certificate in PKCS#7 format with a .pem extension.
  • Private Key file with a .key or .pvk extension.
  • Private Key password to open the Private Key file and Certificate. The password must be 6-8 characters.

PFX Format:

Your PFX certificate will have a name of <yourdomainname>.pfx. This PFX file is a container file (personal information exchange file) that can hold a variety of security elements including Application Certificates, CA Certificates, and Private Keys, among others. If you receive this type of file, it will include your Private Key and Application Certificate, and may contain the CA Certificates that make up the Certificate Chain, that is, the path from your Application Certificate to the Trusted Authority Root Certificate.

The Root Certificate is also known as a Trust Anchor. It is self-signed and has been issued by a Trusted Authority such as Verisign, Thawte, GoDaddy and others. It is already installed on your server and also on the remote computers running the client software accessing your server.

For your FileCatalyst Server, you need to extract the Server Certificate and the Private Key from the PFX file and create separate files for each of these elements. The two files could be called <yourpemfilename>.pem and <yourkeyfilename>.key respectively. 

Environment

FileCatalyst Server v3.5 and later.

Resolution

Install OpenSSL:

  1. Download the OpenSSL installer from one of the mirrors located at https://wiki.openssl.org/index.php/Binaries. The example install directory referenced in this article is C:\OpenSSL\.

  2. Follow the installation wizard to complete the rest of the installation.

  3. Make sure that C:\OpenSSL\bin\ has been added to your Windows Environment PATH Variable. This will make the OpenSSL command accessible from the Command Prompt.

PFX Solution:

  1. Give yourself access to the required security elements in the PFX file:
    1. Install the Server Certificate and the Certificate Chain into your Windows environment:
      1. Import the <yourdomainname>.pfx file onto your computer and double-click on the file, or right-click on the file and select Install PFX. The Certificate Import Wizard will launch. Hit Next.
      2. In the next window, there will be a prompt to enter a password for the Private Key. Make sure your password does not exceed 8 characters. Hit Next.
      3. The next set of options asks you to select the certificate store where the certificates are kept. Choose your preferred option and hit Next. We recommend that you use the Personal Store at the local machine level.
      4. Click the Finish button to complete the import. The Windows Keystore now contains the security elements found in the PFX file.

    2. Use the Windows Certificate Manager (certmgr.msc) software to export the security elements into a new encrypted PFX file. 
      1. Open the Run Command Box and launch the Certificate Manager by typing certmgr.msc and clicking OK.
      2. In the Certificate Manager, double-click on the imported certificate to explore the details. You can navigate to the Personal Store and look in there for your installed Certificate.
      3. On the top menu bar navigate to the Details tab.
      4. Click Copy to File. This should launch the Certificate Export Wizard. Click Next to advance.
      5. In the Export Private Key section, select the Yes, export the private key radio button and click Next. This gives you a password you will use in the subsequent steps.
      6. From the Export File Format section, select Include all certificates in the certification path if possible and Export all extended properties. Click Next to proceed.
      7. Enter the password from Step 1a-ii.
      8. Save the file to the directory where you installed OpenSSL, for example, C:\OpenSSL\<yournewfilename>.pfx.

  2. Extracting the required security elements from the new PFX file:
    1. Extract the private key from the new PFX file to a PEM container file. This does not contain any certificates.
      1. Open Command Prompt in administrator mode.
      2. Navigate to the OpenSSL installation directory. In this example, it is C:\OpenSSL\.
      3. Run the following command:

        C:\OpenSSL> bin\openssl pkcs12 -in <yournewfilename>.pfx -nocerts -out <yourpemfilename>.pem

      4. When prompted for the Import Password, use the password from the previous section (1a-ii). When prompted for the PEM pass phrase, use the same value:

        Enter Import Password:
        MAC verified OK
        Enter PEM pass phrase:
        Verifying - Enter PEM pass phrase:

      5. The resulting PEM file will be encrypted using a new password (PEM passphrase) you will be asked to enter.

    2. Convert the private key from the PEM container file to the final Private Key file format required by FileCatalyst Server.
      1. Open Command Prompt in administrator mode.
      2. Navigate to the OpenSSL installation directory. In this example, it is C:\OpenSSL\.
      3. You will need to provide the PEM passphrase to access the PEM container file. Run the following command:

        C:\OpenSSL> bin\openssl rsa -in <yourpemfilename>.pem -out <yourkeyfilename>.key
        Enter pass phrase for <yourpemfilename>.pem:
        writing RSA key

      4. The resulting file will be in an RSA format. Be sure the file type suffix for this file is .key.

    3. Extract your Server Certificate (no keys) from the PFX file to a PEM container file. The file type suffix for the resulting file should be .pem. When asked for the Import Password, provide the password you entered in the Certificate Manager when creating the new PFX file.
      1. Open Command Prompt in administrator mode.
      2. Navigate to the OpenSSL installation directory. In this example, it is C:\OpenSSL\.
      3. Run the command:

        C:\OpenSSL> bin\openssl pkcs12 -in <yournewfilename>.pfx -clcerts -nokeys -out <yourpemfilename>.pem
        Enter Import Password:
        MAC verified OK


  3. Import the files into the FileCatalyst Server. In step b) you obtained your private key file in .key format, in step c) you obtained your Certificate in .pem format, and you know your password to access the .pem container.
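
Before importing, it is worth confirming that the two files from step 2 actually belong together. The following PowerShell function is an added example, not FileCatalyst code: it assumes openssl.exe is on the PATH as set up under Install OpenSSL, and the function name and file paths are placeholders.

```powershell
# Added example (not part of the original article or of FileCatalyst).
# Assumes openssl.exe is on PATH; Test-ExtractedPair is a hypothetical helper name.
function Test-ExtractedPair {
    param(
        [Parameter(Mandatory)] [string] $CertPath,  # .pem from the -clcerts -nokeys command
        [Parameter(Mandatory)] [string] $KeyPath    # .key from the "openssl rsa" command
    )
    $certText = Get-Content -Raw -Path $CertPath
    $keyText  = Get-Content -Raw -Path $KeyPath

    # Public key embedded in the certificate vs. public key derived from the
    # private key. Both commands print a PEM "PUBLIC KEY" block, so comparing
    # the text is enough to tell whether the pair matches.
    $pubFromCert = (& openssl x509 -in $CertPath -noout -pubkey) -join "`n"
    $pubFromKey  = (& openssl rsa -in $KeyPath -pubout 2>$null) -join "`n"

    # -checkend 0 exits non-zero when the certificate has already expired.
    & openssl x509 -in $CertPath -noout -checkend 0 | Out-Null
    $notExpired = ($LASTEXITCODE -eq 0)

    [pscustomobject]@{
        # The certificate file must not carry private key material.
        CertFileHasNoPrivateKey = $certText -notmatch 'PRIVATE KEY-----'
        KeyMatchesCertificate   = ($pubFromCert -ne '') -and ($pubFromCert -eq $pubFromKey)
        CertificateNotExpired   = $notExpired
        # Matches both "Proc-Type: 4,ENCRYPTED" and "BEGIN ENCRYPTED PRIVATE KEY".
        KeyFileIsEncrypted      = $keyText -match 'ENCRYPTED'
        Subject                 = (& openssl x509 -in $CertPath -noout -subject) -join ''
    }
}

# Placeholder file names: substitute the files you created in step 2.
Test-ExtractedPair -CertPath 'C:\OpenSSL\yourpemfilename.pem' `
                   -KeyPath  'C:\OpenSSL\yourkeyfilename.key'
```

KeyFileIsEncrypted normally reports False here, because openssl rsa without a cipher option writes the private key unencrypted. Restrict NTFS permissions on the .key file and remove the exported PFX from C:\OpenSSL\ once the import is done.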

 

NOTE: Prior to release v3.6, you must shut down your FileCatalyst Server application (not the physical platform or Operating System) and restart it for the new certificate file and private key file to take effect.

If you are having issues with these instructions, check the server log file FileCatalystDDMMYYUsr.single.log (where DDMMYY is the date stamp within the filename) for the text "Exception thrown validating certificate details", which provides more details. Submit a ticket at http://support.filecatalyst.com.