2) Certificates

A Certificate is, simply put, a form of identification that software uses to identify itself as trustworthy when it interacts with other software. Certificates are one of the foundations of authentication and security for software and websites.

This trust is established by a well-known Certificate Authority, which provides a Certificate after verifying that the software in question has not been tampered with by a third party. Certificate Authorities usually charge a fee in exchange for this service.

Sections:

  1. Limitations of the Temporary Certificate
  2. Replacing your Temporary Certificate
  3. Importing your Certificate
    • Third-Party
    • Self-Signed
  4. Distributing your Certificate

Temporary Self-Signed Certificate

Pleasant Password Server comes with a default, Self-Signed Certificate. This means that the Certificate Authority verifying the software is the developer of the software (Pleasant Solutions).

Security Warnings

Using this Temporary Certificate will still generate warnings in your browser, even if it is properly installed into the Trusted Root Certificate Store. This is due to the browser security policies.

[Screenshots: the certificate warning as shown in the Chrome, Firefox, Edge and Internet Explorer browsers]

In this case, since we are connecting to our own computer over a trusted internal connection while temporarily setting up the software, you can choose to Continue and prevent further error messages such as those above.

Replacing Your Certificate

Eventually, consider using a purchased Certificate from a reputable Certificate Authority.

For Temporary use,

For Long-term use,

Replace this Temporary Certificate with one that matches your domain URL, by either:

 

Other considerations:

Importing a Certificate

(versions 4.1.2+)

To change the Certificate that Password Server uses, run the Pleasant Service Configuration Utility that was packaged and installed with the server.

Follow these steps:

  1. Start the Service Configuration Utility.
    • Programs -> Pleasant Password Server -> Service Configuration
  2. Click Certificate Configuration -> Click Import Certificate
  3. Browse for and select the Certificate file (must be a *.pfx or *.p12 private key certificate file):
    • If necessary, convert the Certificate to *.pfx, or *.p12 format, by either:
      • Using mmc run command, first import the certificate, then export into the pfx format
      • Using OpenSSL commands
  4. Enter the password for your certificate.
  5. Restart the Password Server service.
  6. Point your browser at the server.
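
The OpenSSL conversion mentioned in step 3, as an added example run from PowerShell (it is not part of the original documentation). The file names server.crt, server.key, chain.crt and passwordserver.pfx are assumptions, and openssl.exe is assumed to be on the PATH:

```powershell
# Added example. Hypothetical input files: a PEM certificate, its PEM private
# key, and the CA's intermediate chain. openssl.exe is assumed to be on PATH.
$cert  = 'server.crt'
$key   = 'server.key'
$chain = 'chain.crt'
$pfx   = 'passwordserver.pfx'

# 1. Refuse to package a key that does not belong to the certificate:
#    the public key derived from each file must be identical.
$fromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
$fromKey  = (& openssl pkey -in $key -pubout) -join "`n"
if (-not $fromCert -or $fromCert -ne $fromKey) {
    throw "Private key '$key' does not match certificate '$cert'."
}

# 2. Bundle certificate, key and chain into a PKCS#12 (.pfx) file. OpenSSL
#    prompts for the export password, so it never lands in command history.
& openssl pkcs12 -export -in $cert -inkey $key -certfile $chain -out $pfx
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed.' }

# 3. Re-open the result the way Windows will, and check what the
#    Service Configuration Utility is about to import.
$password = Read-Host -AsSecureString 'PFX password'
$pfxPath  = (Resolve-Path $pfx).Path   # .NET needs an absolute path
$loaded   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $pfxPath, $password
if (-not $loaded.HasPrivateKey)      { throw 'PFX contains no private key.' }
if ($loaded.NotAfter -lt (Get-Date)) { throw 'Certificate has expired.' }
$loaded | Format-List Subject, Issuer, NotAfter, Thumbprint
```

Delete the loose server.key once the import has succeeded, and keep the .pfx in a location only administrators can read, since it contains the private key.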

 

The Certificate used can be reverted back to the default placeholder certificate at any time by clicking the Clear button within the Certificate Configuration section of the Service Configuration Utility.

This setting will persist through future updates of Pleasant Password Server.

For Legacy Versions

(versions 4.1.1 and earlier)

To avoid the certificate error page on an intranet, you must configure Pleasant Password Server to use a certificate name that matches your computer name.

  1. Stop the Pleasant Password Server service.
  2. Find the name of your computer.
    • Open the System control panel.
    • Right-click on My Computer and select Properties... or press Windows+Pause.
    • Look for the Computer name, domain, and workgroup settings.
  3. Open and modify the Pleasant Password Server configuration file.
    • By default, it will be in C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server\PassMan.WindowsService.exe.config
      • NOTE: To edit and save the file, you may need to run your text editor (such as Notepad) with administrative privileges; right-click the program file and click Run as administrator.
    • Find the following section and change PasswordServer_Temporary_Placeholder_Certificate to your computer name.

<serviceCertificate findValue="PasswordServer_Temporary_Placeholder_Certificate"
    x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="Root" />

  4. Save and close the config file.
  5. Restart the Pleasant Password Server service.

 

Now, to get back to the Pleasant Password Server admin page securely, use https://<hostname>:10001

Installing Your Certificate on Other Machines

The last optional step is to install the certificate on other networked computer workstations. This can be done by exporting the certificate from the server computer and importing it on other computers.

Some customers may wish to further automate the distribution using scripts or using their directory's Group Policy.

Here are the simple steps.

  1. Open the Microsoft Management Console (MMC).
    • Type mmc.exe in the Start menu search box or open a Run... dialog, type mmc.exe and click OK.
  2. Click File -> Add/Remove Snap-in...
  3. Add the Certificates snap-in.
    • (Windows Vista/7) Click Certificates from the left pane and click Add.
    • (Other Windows versions) Click Add... then select Certificates and click Add.
  4. Select Computer Account and click Next.
  5. Select Local Computer and click Finish.
  6. Exit the open dialog(s).

 

In the list of folders on the left, the top folder should be Personal followed by Trusted Root Certification Authorities.

These folders represent the various certificate stores for the local computer.

  1. Open Trusted Root Certification Authorities -> Certificates.
  2. Locate the certificate with your computer name.
  3. Right-click on the certificate and select All Tasks -> Export...
  4. Follow the Certificate Export Wizard to save the certificate file.
    • Select: No, do not export the private key
    • Select: Base-64 encoded X.509 (.cer)
  5. Specify a location and file name for the certificate.

 

Securely transport the certificate to your other workstation so that it can be imported. Use the MMC Certificate snap-in as above.

  1. Right-click on Trusted Root Certification Authorities and select All Tasks -> Import...
  2. Select your certificate file.
  3. Complete the Certificate Import Wizard.
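
For customers who script the distribution, the same export and import can be done from an elevated PowerShell prompt. This is an added example, not part of the original documentation; the C:\Temp path and the thumbprint value are placeholders, and the thumbprint check before import is an addition to the manual steps above:

```powershell
# Added example; file path and thumbprint below are placeholders.

# --- On the server (elevated PowerShell) ---
$name  = $env:COMPUTERNAME
$found = @(Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Subject -like "*CN=$name*" })
if ($found.Count -ne 1) {
    throw "Expected exactly one certificate for $name, found $($found.Count)."
}
# Export-Certificate writes the public certificate only (DER-encoded .cer);
# the private key never leaves the server.
Export-Certificate -Cert $found[0] -FilePath 'C:\Temp\passwordserver.cer' -Type CERT |
    Out-Null
$found[0].Thumbprint   # note this value and pass it on separately from the file

# --- On each workstation (elevated PowerShell) ---
$file     = 'C:\Temp\passwordserver.cer'
$expected = '<THUMBPRINT-NOTED-ON-SERVER>'   # placeholder

# Inspect the file before trusting it: anything placed in the Trusted Root
# store can vouch for any site, so the thumbprint must match exactly.
$candidate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList $file
if ($candidate.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: got $($candidate.Thumbprint). Not importing."
}

Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root |
    Out-Null

# Confirm the certificate is now in the local machine's Trusted Root store.
if (-not (Test-Path "Cert:\LocalMachine\Root\$expected")) {
    throw 'Import did not place the certificate in LocalMachine\Root.'
}
```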