Hi Gary,

I am new with working with Linux and keytools. I went through and removed any certs I added over the last few days and the self-signed is still showing up.

Any other ideas? Is it some configuration file I need to change somewhere else?

Thanks,

Mitch

If it it still showing up when you list the certificates in your Java keystore then you have not deleted it.

There are several keystore locations - did you check that the self signed cert does not exist in any of them?

I deleted them from Java/jre/lib/security in cacerts and jssecacerts. Where else are keystores located. Thanks! BTW, so far your answers are better than PTC support.

OK - those are common ones, did you perhaps create a keystore to put the self signed certificate in?

But - I guess the question is, how do you know that the self signed certificate is still in the Java keystore after you deleted it?

Here is a page outlining commands for managing your keystore: The Most Common Java Keytool Keystore Commands

So I found the self-signed certificate here: /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.crt] which I verified by running this command openssl x509 -noout -text -in server.crt.

I converted the file from security this way: openssl x509 -inform DER -in ams_ssl.cer -out ams_ssl.pem

How do I replace the self-signed with this one? What about the server.key? apchectl will not start if I rename ams_ssl.pem to server.crt which is in httpd-ssl.conf. Therefore if I replace this line:

SSLCertificateFile /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.crt/server.crt with the my certificate and comment out SSLCertificateKeyFile /opt/ptc/Windchill_10.2/HTTPServer/conf/extra/ssl.key/server.key.

I found that did not work either. Am I even in the ballpark now?

I presumed that you had already put the new Pukka Apache certificate and key files into place on your Windchill Apache server...

If you are asking how to create and put a pukka certificate and key file into place on your Apache server, you need to do something like this (this is what I use for Windows machines, Linux will be similar):

Create the CSR and KEY files - the CSR is used to create the .CRT file by your certification authority:

C:\ptc\HTTPServer\bin\openssl.exe req -config C:\ptc\HTTPServer\conf\openssl.cnf -new -newkey rsa:2048 -nodes -keyout C:\Temp\server.key -out C:\Temp\server.csr

Enter the information specific to your server. Don't enter a password in the step above to save the step of removing it later from the key.

Generate certificate on the CA website using the data from the CSR file and move the server.crt file and the ca-bundle.crt file (if necessary) to the Apache Server folders conf/extra/ssl.crt and put the server.key file in the conf/extra/ssl.key folder

You may need to uncomment the ca-bundle line in httpd-ssl.conf if your CA authority requires you to use a ca-bundle.crt file:

SSLCACertificateFile C:/ptc/HTTPServer/conf/extra/ssl.crt/ca-bundle.crt

You do that in the way that I described in my last response to you.

You may not need to do the CSR step if you already have the .csr and .key files, but Public Key encryption requires you to have both the .key and .crt files on your apache server - they are a matched pair. The .key file is private to your server and the .crt file is what gets presented to your clients as the public key for your server.

If your CA requires you to do so, then you may also need to add their ca-bundle.crt file into your apache loadpoint's ssl.crt folder along with the server.crt file.

You must hence put both the .key and the matching .crt files into place in the directories I outlined previously and then restart Apache, it is nothing to do with the httpd-ssl.conf (unless you need to uncomment the ca-bundle.crt line)

The process to create the .csr file should also create the .key file (as per my previous instructions) - you need this .key file to go with the .crt file your security dept have returned to you.

Hi Gary,

I understand that and did that. "

openssl req -new -key jgplink.wmata.local.com.key -out jgplink.wmata.local.com.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----"

Mitch

if you have put the server.key file into the conf/extra/ssl.key folder and the server.crt file into conf/extra/ssl.crt (and the ca-bundle.crt file if needed) then you should be done.

Restart Apache - if it does not work, check your apache error log for reasons why.

Yes that part works fine. This is all part of the self-signed portion. I am trying to replace the self-signed certificate with the one my security department gave me to use.