Setting up a Self-Signed Certificate

When connecting KeePass to a new server, you may receive a warning that a valid certificate has not been set up yet. By following the steps below, you can configure a trusted connection to your server using a self-signed certificate.

Background information: when hosting software, a valid certificate lets browsers and other software clients establish encrypted connections to the server and verify that they are talking to the right host.

  • We recommend purchasing a certificate from a trusted third-party Certificate Authority; however, for testing and internal use you can follow the technical steps below to create your own self-signed certificate.

Other alternatives:

  • Purchase a third-party certificate from a trusted Certificate Authority
  • Create a certificate using IIS (requires IIS hosting)
  • Use a Certificate Authority like Let's Encrypt, which provides free certificates


A common error when no valid certificate is installed looks like this:

(Screenshot: SSL policy error popup)

How to mitigate this error message

Overview Server Machine:

  1. Use PowerShell to create a Self-Signed Certificate and a Certificate Authority (CA)
  2. Export the CA and Self-Signed Certificate
  3. Import the Self-Signed Certificate using the "Service Configuration" utility
  4. Restart the Pleasant Password Service 

Overview Client Machine:

  1. Export the Trusted Root CA 
  2. Import the Trusted Root CA on the client machines

Use PowerShell to Create a Self-Signed Certificate with a Certificate Authority (CA)

The following PowerShell commands and instructions will create a Root Certificate and a Self-Signed Certificate, both valid for 10 years, and will place them in the Certificate Store on the local machine.

Run the Command Prompt by typing "cmd" in the Windows search bar, then right-click the result and choose "Run as administrator".

In the command prompt window, type "powershell" and press Enter to start PowerShell.

(Screenshot: cmd, starting powershell)

In PowerShell, create a CA by running the following command (or paste the script below and press Enter):

# Root CA. -CertStoreLocation puts it in the Local Computer > Personal store, which is
# the store certlm.msc shows in the next section; without it the cmdlet defaults to
# the current user's store and the certificate would not appear there.
$rootCA = New-SelfSignedCertificate -Subject "CN=MyRootCA,O=MyRootCA,OU=MyRootCA" `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyExportPolicy Exportable `
-KeyUsage CertSign,CRLSign,DigitalSignature `
-KeyLength 2048 `
-KeyUsageProperty All `
-KeyAlgorithm 'RSA' `
-HashAlgorithm 'SHA256' `
-NotAfter (Get-Date).AddYears(10)

Note: this example uses a generic CA name ("MyRootCA"); you can use a more descriptive subject if you wish.

(Screenshot: cmd, creating the CA)

Again in PowerShell, create the Self-Signed Certificate by running the following command, replacing [mycert] (it appears twice) with the DNS name clients will use to reach the server, e.g. ppass.domain.com, so that the subject reads "CN=ppass.domain.com":

# Server certificate signed by the root CA created above. -DnsName sets the Subject
# Alternative Name, which clients match against the host name they connect to, so it
# must be the exact name entered in KeePass.
New-SelfSignedCertificate -Subject "CN=[mycert]" `
-Signer $rootCA `
-CertStoreLocation "Cert:\LocalMachine\My" `
-KeyLength 2048 `
-KeyExportPolicy Exportable `
-DnsName "[mycert]" `
-KeyAlgorithm 'RSA' `
-HashAlgorithm 'SHA256' `
-NotAfter (Get-Date).AddYears(10)

(Screenshot: cmd, creating the self-signed certificate)

Export the CA and Self-Signed Certificate

Run the certificate manager as administrator by entering certlm.msc in the Windows search bar and choosing "Run as administrator".

(Screenshot: running the certificate manager)

Expand both the "Personal" and "Trusted Root Certification Authorities" folders. In Personal > Certificates, you will find both the CA and the Self-Signed Certificate created in the previous steps.

Drag and drop the CA certificate "MyRootCA" from Personal > Certificates into Trusted Root Certification Authorities > Certificates.

(Screenshot: certificate manager, moving the CA)

Next, right-click the Self-Signed Certificate "mycert" and choose All Tasks > Export.

(Screenshot: exporting the self-signed certificate)

Click Next, then select "Yes, export the private key".

  • Select "Personal Information Exchange - PKCS #12 (.PFX)".
  • Ensure that both "Include all certificates in the certification path if possible" and "Enable certificate privacy" are checked before clicking Next once again.

(Screenshot: export certificate wizard)

Then enter a password to protect your certificate, set the encryption to AES256-SHA256, and click Next.

(Screenshot: export certificate password)

Then give the exported certificate a meaningful name and click Next.

On the final review page, click Finish.

(Screenshot: export certificate, finish)
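The server-side steps above (create the root CA and the server certificate, trust the root on the server, export the PFX and the root .cer) can also be run as one PowerShell script instead of clicking through certlm.msc. The script below is an added example, not a script from the original article or from the Pleasant Password Server product; the server name, output folder and password prompt are placeholders to adjust, and it assumes the PKI module cmdlets (New-SelfSignedCertificate, Export-Certificate, Import-Certificate, Export-PfxCertificate, Test-Certificate) that ship with Windows. One deliberate difference from the drag-and-drop step: the script copies only the root's public certificate into the Trusted Root store and leaves the root's private key in the Personal store, which is all the chain needs to validate.

```powershell
# Added example: scripted version of the server-side steps in this article.
# Run in an elevated PowerShell on the server. Values marked "placeholder" are
# assumptions made for this example and must be adjusted.

$serverDns = "ppass.example.com"        # placeholder: the DNS name clients enter in KeePass
$outDir    = "C:\certs"                 # placeholder: where exported files go (instead of C:\Windows\System32)
$notAfter  = (Get-Date).AddYears(10)    # same 10-year validity the article uses

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA, created in the Local Computer > Personal store (what certlm.msc shows).
$rootCA = New-SelfSignedCertificate -Subject "CN=MyRootCA,O=MyRootCA,OU=MyRootCA" `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyExportPolicy Exportable `
    -KeyUsage CertSign,CRLSign,DigitalSignature `
    -KeyLength 2048 `
    -KeyUsageProperty All `
    -KeyAlgorithm 'RSA' `
    -HashAlgorithm 'SHA256' `
    -NotAfter $notAfter

# 2. Server certificate signed by the root. -DnsName fills the Subject Alternative
#    Name, which clients match against the host name they connect to.
$serverCert = New-SelfSignedCertificate -Subject "CN=$serverDns" `
    -Signer $rootCA `
    -CertStoreLocation "Cert:\LocalMachine\My" `
    -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -DnsName $serverDns `
    -KeyAlgorithm 'RSA' `
    -HashAlgorithm 'SHA256' `
    -NotAfter $notAfter

# 3. Export the root's public certificate (DER-encoded .cer, no private key).
#    This is the file the client machines import; the article exports it as
#    Base-64 instead, and Import-Certificate accepts either encoding.
$rootCerPath = Join-Path $outDir "MyRootCA.cer"
Export-Certificate -Cert $rootCA -FilePath $rootCerPath | Out-Null

# 4. Trust the root on this machine (the article does this by dragging MyRootCA
#    into "Trusted Root Certification Authorities"). Only the public certificate
#    is copied; the root's private key stays in the Personal store.
Import-Certificate -FilePath $rootCerPath -CertStoreLocation "Cert:\LocalMachine\Root" | Out-Null

# 5. Export the server certificate with its private key as a password-protected
#    PKCS #12 file including the chain, as the export wizard does. The password
#    is what protects the server's private key, so choose a strong one and keep
#    the PFX out of shared folders.
$pfxPassword = Read-Host -Prompt "Password to protect the PFX" -AsSecureString
$pfxPath     = Join-Path $outDir "$serverDns.pfx"
Export-PfxCertificate -Cert $serverCert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain | Out-Null

# 6. Check before importing into the Service Configuration utility: the server
#    certificate must chain to a trusted root and carry the host name ($true/$false).
$chainOk = Test-Certificate -Cert $serverCert -Policy SSL -DNSName $serverDns -ErrorAction SilentlyContinue
"Chain valid for ${serverDns}: $chainOk"
"Import $pfxPath with the Service Configuration utility; copy $rootCerPath to each client."
```

If the final check prints False, nothing in the following sections will make clients trust the certificate either; re-check that the root landed in Cert:\LocalMachine\Root and that the name in -DnsName matches the name you test with.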

Import the Self-Signed Certificate

Next, run the Pleasant Password Server Service Configuration utility by typing "Service" in the Windows search bar.

(Screenshot: running the Service Configuration utility)

Once the Service Configuration utility opens, click the "Certificate Configuration" button, then click "Import Certificate". If you gave the export wizard only a file name, the self-signed certificate exported in the previous section is in the C:\Windows\System32 directory; select the file there.

Restart the Pleasant Password Service

In the Windows search bar, type "Services" to run the Windows Services utility. Find the Pleasant Password Server service and click Restart.

(Screenshot: Windows Services)

Congratulations! You now have a trusted certificate!

Export the Trusted Root CA

Return to the certificate store and export the Trusted Root CA created earlier and moved to the "Trusted Root Certification Authorities" directory.

(Screenshot: exporting the root CA)

Click Next, then select "No, do not export the private key".

  • Select "Base-64 encoded X.509 (.CER)" and click Next.

(Screenshot: exporting the certificate to a .cer file)

Give the exported file a name (you could give it the same name to keep things simple), click Next, review the details, and click Finish.

(Screenshot: export root CA, finish)

Import the Trusted Root CA on the client machines

This step will need to be repeated on every client machine that connects to the server.

If you gave the export wizard only a file name, the Trusted Root CA file exported in the previous section is in the C:\Windows\System32 directory; select the file there.

Copy the file to the client machine. Then right-click the certificate file and select "Install Certificate".

(Screenshot: install certificate)

When the Certificate Import Wizard opens, choose "Local Machine" as the store location and click Next.

(Screenshot: importing the .cer file)

Select the "Place all certificates in the following store" radio button and click Browse...

Select "Trusted Root Certification Authorities" and click Next.

(Screenshot: importing the trusted root CA)

Review the action and click Finish.

Congratulations! Now your client machine will trust your self-signed certificate!
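The client-side import above, scripted, followed by a check of the result. This is an added example and not code from the original article or from the Pleasant Password Server product; the file path, server name and port are placeholders. Import-Certificate into Cert:\LocalMachine\Root is what the "Install Certificate" wizard does with "Local Machine" and "Trusted Root Certification Authorities" selected. The Test-ServerTrust function (a name chosen for this example) then opens a TLS connection using Windows' normal certificate validation, so the same policy error KeePass reported would surface here as a readable message instead of being hidden.

```powershell
# Added example: scripted version of the client-side import in this article,
# plus a live check that the server's certificate now validates on this client.
# Run in an elevated PowerShell on the client. Placeholders must be adjusted.

$rootCerPath = "C:\certs\MyRootCA.cer"   # placeholder: the exported root CA file copied to this client
$serverDns   = "ppass.example.com"       # placeholder: the server name entered in KeePass
$serverPort  = 443                        # placeholder: the HTTPS port your server listens on

# Equivalent of "Install Certificate" > "Local Machine" > "Trusted Root Certification
# Authorities". LocalMachine\Root applies to every user on this client; only the
# public certificate is imported, no private key is involved.
$root = Import-Certificate -FilePath $rootCerPath -CertStoreLocation "Cert:\LocalMachine\Root"
"Trusted root installed: $($root.Subject) (thumbprint $($root.Thumbprint))"

# Open a TLS connection and let Windows validate the chain with its normal rules.
# Deliberately no validation callback that returns $true: that would hide exactly
# the error this article is about. Returns the server certificate and the verdict.
function Test-ServerTrust {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $tls.AuthenticateAsClient($HostName)   # throws if the chain or the host name does not validate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        [pscustomobject]@{
            Trusted  = $true
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            Error    = $null
        }
        $tls.Dispose()
    } catch {
        [pscustomobject]@{
            Trusted  = $false
            Subject  = $null
            Issuer   = $null
            NotAfter = $null
            Error    = $_.Exception.GetBaseException().Message
        }
    } finally {
        $client.Close()
    }
}

Test-ServerTrust -HostName $serverDns -Port $serverPort | Format-List
```

The name passed to Test-ServerTrust must be the one you put in -DnsName when creating the certificate; connecting by IP address or by another alias fails host-name validation even though the root is now trusted, and KeePass will report the same error for the same reason.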

Installing on Windows 7 Client Machine

The only major difference with Windows 7 is how we access the certificate store.

Click Start > Run, enter "MMC" and click "OK".

(Screenshot: install root CA)

Click File > Add/Remove Snap-in.

(Screenshot: install root CA 2)

Locate "Certificates" on the left and click "Add".

(Screenshot: install root CA 3)

Select the "Computer account" radio button and click Next.

(Screenshot: install root CA 4)

Ensure the "Local computer" radio button is selected and click Finish.

(Screenshot: install root CA 5)

Then click OK, which opens the Console1 window. Right-click "Trusted Root Certification Authorities" and choose All Tasks > Import.

(Screenshot: install root CA 7)

From here the instructions are the same as for Windows 10.

Problems?

Trusted certificates are a simple concept, but configuring them correctly can be quite complex. In the event of an unexpected problem, please:

  • Double-check that the service starts

  • Email Support with your specific configuration steps and a description of the problem you are seeing.