When you buy a certificate from a certificate vendor, you receive or download it in one of several file formats, depending on who you purchased it from and the purpose you requested it for. This guide covers installing your Certificate on the FileCatalyst Server using a PKCS#7 Certificate (.cer, .pem or .p7b) and a Private Key (.pvk or .key).
The PKCS#7 or .P7B format is usually stored in Base64 ASCII format and the certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. This file may not contain an intermediate certificate.
Intermediate Certificates are used as a stand-in for the Certificate Authority's Root Certificate. They act as a proxy because the Root Certificate from the Certificate Authority must be kept behind numerous layers of security, ensuring its keys are absolutely inaccessible.
However, because the Root Certificate itself signed the Intermediate Certificate, the Intermediate Certificate can be used to sign the SSL Certificate and maintain the Chain of Trust.
The Root Certificate is also known as a Trust Anchor. It is self-signed and has been issued by a Trusted Authority such as Verisign, Thawte, GoDaddy, etc. It is already installed on your server and also on the remote computers running the client software accessing your server.
FileCatalyst Server Requirements
There are three pieces that are required to install an SSL Certificate on the FileCatalyst Server:
- Certificate in a PKCS#7 format with a .pem or .crt or .cer extension.
- Private Key file with a .key or .pvk extension.
- Private Key password to open the Private Key file and Certificate. The password must be 6-8 characters.
FileCatalyst Server v3.5 and later.
Note: This guide assumes that you will be using a Windows OS to perform the steps in the resolution.
- Download the OpenSSL installer from one of the mirrors located at https://wiki.openssl.org/index.php/Binaries. The example install directory referenced in this article is C:\OpenSSL\.
- Follow the installation wizard to complete the rest of the installation.
- Make sure that C:\OpenSSL\bin\ has been added to your Windows Environment PATH Variable. This will make the OpenSSL command accessible from the Command Prompt.
Convert P7B to PEM
Use the following command to convert your Intermediate and Root Certificates from a .p7b extension to .pem:
openssl pkcs7 -print_certs -in /path/to/certificate.p7b -out /output/path/to/certificate.cer
Repeat the command above for both certificate files.
Create a Full Chain
Open the command prompt and use the following command to concatenate the two certificates:
type /path/to/primary/certificate.cer /path/to/intermediate/certificate.cer > /path/to/fullchain.pem
- Create a text document and call it fullchain.pem.
- Open the contents of your Primary Root Certificate in a text editor.
- Copy and paste the contents of the Primary Root Certificate into the fullchain.pem document.
- Close your Primary Root Certificate and open the Intermediate Certificate in the text editor.
- Copy and paste the contents of the Intermediate Certificate into fullchain.pem right under "-----END CERTIFICATE-----" from the Primary Root Certificate. Save the contents of the fullchain.pem file.
Your content should look like:
PRIMARY CERTIFICATE CONTENT
INTERMEDIATE CERTIFICATE CONTENT
To verify that you have a full chain, open the certificate (fullchain.pem) in Windows Certificate Manager. Under the Certification Path you should see your full chain.
Configure the SSL Certificate on the FileCatalyst Server
Once you have your Certificate (.pem file), Private Key (.pvk or .key) and PEM Container password, you can use the FileCatalyst Remote Admin UI to install them on the FileCatalyst Server.
Alternatively, you can modify the Server configuration file directly. This method is not recommended while the FileCatalyst Server service is running. Please shut down the FileCatalyst Server service and close all open Remote Admin applications before you proceed.
Locate your fcconf.conf file which is inside the installation path of your FileCatalyst Server.
You can modify the parameters listed below:
## SSL settings
FCServer.server.config.private.key.pass=<Insert Your PEM Container Password>
FCServer.server.config.private.key=C:/Program Files/FileCatalyst Server/SSL Cert/star_filecatalyst_com.key
FCServer.server.config.certificate.file=C:/Program Files/FileCatalyst Server/SSL Cert/fullchain.pem