SSL Certificate Installation on FileCatalyst Server using PKCS#7 Certificate
Posted by Aly Essa, Last modified by Aly Essa on 20 April 2018 02:44 PM

Overview

When buying a certificate from a certificate vendor, you will receive or download your certificate in one of several file formats, depending on who you purchased it from and the purpose you requested it for. This guide covers the installation of your Certificate on the FileCatalyst Server using a PKCS#7 Certificate (.cer or .pem or .p7b) and a Private Key (.pvk or .key).

PKCS#7 Certificate:
The PKCS#7 or .P7B format is usually stored in Base64 ASCII format and the certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. This file may not contain an intermediate certificate. 

Intermediate Certificate:
Intermediate Certificates are used as a stand-in for the Certificate Authority's Root Certificate. Intermediate Certificates are used as a proxy because the Root Certificate from the Certificate Authority must be kept behind numerous layers of security, ensuring its keys are absolutely inaccessible.

However, because the Root Certificate itself signed the Intermediate Certificate, the Intermediate Certificate can be used to sign the SSL Certificate and maintain the Chain of Trust.

The Root Certificate is also known as a Trust Anchor. It is self-signed and has been issued by a Trusted Authority such as Verisign, Thawte, GoDaddy, etc. It is already installed on your server and also on the remote computers running the client software accessing your server.

FileCatalyst Server Requirements 
There are three pieces that are required to install an SSL Certificate on the FileCatalyst Server:

  • Certificate in a PKCS#7 format with a .pem or .crt or .cer extension.
  • Private Key file with a .key or .pvk extension.
  • Private Key password to open the Private Key file and Certificate. The password must be 6-8 characters.

Environment

FileCatalyst Server v3.5 and later.

Resolution

Note:  This guide assumes that you will be using a Windows OS to perform the steps in the resolution.

Install OpenSSL:

  1. Download the OpenSSL installer from one of the mirrors located at https://wiki.openssl.org/index.php/Binaries. The example install directory referenced in this article is C:\OpenSSL\.

  2. Follow the installation wizard to complete the rest of the installation.

  3. Make sure that C:\OpenSSL\bin\ has been added to your Windows Environment PATH Variable. This will make the OpenSSL command accessible from the Command Prompt.

Convert P7B to PEM

Use the following command to convert your Intermediate and Root Certificates from a .p7b extension to .pem:


openssl pkcs7 -print_certs -in /path/to/certificate.p7b -out /output/path/to/certificate.cer

Repeat the command above for both certificate files.


Create a Full Chain

Open the command prompt and use the following command to concatenate the two certificates:

type \path\to\primary\certificate.cer \path\to\intermediate\certificate.cer > \path\to\fullchain.pem

Alternative method:

  • Create a text document and call it fullchain.pem.
  • Open the contents of your Primary Root Certificate in a text editor.
  • Copy and paste the contents of the Primary Root Certificate into the fullchain.pem document.
  • Close your Primary Root Certificate and open the Intermediate Certificate in the text editor.
  • Copy and paste the contents of the Intermediate Certificate into fullchain.pem right under "-----END CERTIFICATE-----" from the Primary Root Certificate. Save the contents of the fullchain.pem file.

    Your content should look like:

    -----BEGIN CERTIFICATE-----
    MIIE0DCCA7igAwIBAgIRAPJnVatNV3AtJt7t2XkPv7swDQYJKoZIhvcNAQELBQAw

    PRIMARY CERTIFICATE CONTENT

    3rQ+h/3e/4qgEG73AcUK+f2udZ8gmyB/4hITBCWLG9259XMp
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIF5jCCA86gAwIBAgIQEQDFvydYwZlp/Gjtcp381zANBgkqhkiG9w0BAQwFADCB

    INTERMEDIATE CERTIFICATE CONTENT

    AeY5kXGfjIimFcd00xvjkVn41em3We1sghs=
    -----END CERTIFICATE-----

To verify that you have a full chain, open the certificate (fullchain.pem) in Windows Certificate Manager. Under the Certification Path you should see your full chain.





Configure the SSL Certificate on the FileCatalyst Server

Once you have your Certificate (.pem file), Private Key (.pvk or .key) and PEM Container password, you can use the FileCatalyst Remote Admin UI to install them on the FileCatalyst Server.

Alternatively, you can modify the Server configuration file directly. This method is not recommended while the FileCatalyst Server service is running. Please shut down the FileCatalyst Server service and close all open Remote Admin applications before you proceed.

Locate your fcconf.conf file, which is inside the installation path of your FileCatalyst Server.

You can modify the parameters listed below:

## SSL settings
FCServer.server.config.private.key.pass=<Insert Your PEM Container Password>
FCServer.server.config.enable.aes=true
FCServer.server.config.enable.security=true
FCServer.server.config.private.key=C:/Program Files/FileCatalyst Server/SSL Cert/star_filecatalyst_com.key
FCServer.server.config.bit.size=2048
FCServer.server.config.certificate.file=C:/Program Files/FileCatalyst Server/SSL Cert/fullchain.pem