To bind a certificate, follow the instructions below:
- Export a private key using KeyStore Explorer.
- Launch the KeyStore Explorer application as an Administrator.
- Open the keystore file used for the IDERA Dashboard. When prompted for a password, enter password, and click OK.
- Right-click on the keypair and select Export > Export Private Key.
- On the Export Private Key Type window, select OpenSSL, and click OK.
- On the Export Private Key as OpenSSL from Keystore Entry window, deselect the Encrypt option, update the Export File if needed, and click OK.
Steps 6 - 9 can be performed on a different computer. These steps are related to the OpenSSL tool, which is not required to be installed on the server hosting the IDERA products.
- Install OpenSSL.
You can find a few options available to obtain the software at https://wiki.openssl.org/index.php/Binaries.
- Once you complete the installation of OpenSSL, run the Command Prompt as Administrator.
Change the directory to the bin folder within the installation directory of OpenSSL. Enter the following command:
cd "C:\Program Files\OpenSSL-Win64\bin"
Use the following command as an example to generate the PFX key using the private key and certificate that was previously created.
openssl pkcs12 -export -out <file path to the new personal information exchange file>.pfx -inkey <file path to private key>.key -in <file path to certificate>.cer
You need the private key generated in the previous step and the CER certificate created in Resolving the certificate error message.
Execute the command, and when prompted for a password, enter password for both the export password and the verification password. You will be able to see the newly created PFX key.
The following steps must be performed on the server hosting the IDERA Dashboard and the IDERA SQL Inventory Manager. Import the generated PFX certificate into the Personal folder under the Certificate store:
- Open the Microsoft Management Console (MMC) and load the Certificates snap-in.
a. Select Run from the Start menu, enter mmc, and click OK.
b. On the MMC window, from the File menu, select Add/Remove Snap-in. The Add or Remove Snap-in window displays.
c. From the Available snap-ins list, choose Certificates, then select Add.
d. In the Certificate snap-in window, select Computer Account, and click Next.
e. In the Select Computer window, leave Local computer selected, and click Finish.
f. In the Add or Remove Snap-in window, select OK.
- Expand Certificates and locate the Personal folder.
- Right-click on the Personal folder and select All Tasks > Import.
- Use the Certificate Import Wizard to import the PFX file that was previously created.
- Retrieve the thumbprint of the imported PFX key. For information on how to do this, refer to Retrieving a Thumbprint.
a. Double-click on the imported PFX key.
b. On the Certificate window, go to the Details tab.
c. Scroll through the list of fields and click Thumbprint.
d. Copy the hexadecimal characters from the box. If this thumbprint is used in code for the x509FindType, remove the spaces between the hexadecimal numbers.
Follow the steps to find the GUID for the IDERA SQL Inventory Manager software here: https://4sysops.com/archives/find-the-product-guid-of-installed-software-with-powershell/.
Run the Command Prompt as an Administrator and delete existing bindings to the IDERA SQL Inventory Manager REST Service port 9276 by executing the following command:
netsh http delete sslcert ipport=0.0.0.0:9276
Run the Command Prompt as an Administrator and add a new binding for Inventory Manager 2.6 with the new PFX key, using the command below:
netsh http add sslcert ipport=0.0.0.0:9276 certhash=<thumbprint of the PFX key (with spaces removed)> appid=<random GUID> clientcertnegotiation=enable
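The thumbprint clean-up, delete, and add steps above can be combined into one PowerShell script that checks the imported certificate before touching the binding. This is an added example, not IDERA's own tooling; the parameter names and the pre-checks on the store entry are assumptions of the example.

```powershell
# Added example (not IDERA's script). Run in an elevated PowerShell session
# on the server hosting the IDERA Dashboard and SQL Inventory Manager.
param(
    [Parameter(Mandatory)] [string] $Thumbprint,  # as copied from the Details tab
    [Parameter(Mandatory)] [string] $AppId,       # GUID used for the appid parameter
    [string] $IpPort = '0.0.0.0:9276'             # REST service port from this page
)

# Keep hex digits only: this drops the spaces and any invisible character
# that copying from the Certificate window can carry along.
$hash = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($hash.Length -ne 40) {
    throw "Expected 40 hex characters (SHA-1 thumbprint), got $($hash.Length)."
}

# The certificate must sit in the computer's Personal store with its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
if (-not $cert) { throw "No certificate $hash in Cert:\LocalMachine\My." }
if (-not $cert.HasPrivateKey) {
    throw "Certificate $hash has no private key; import the PFX, not the CER."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate $hash expired on $($cert.NotAfter)."
}

# netsh expects the GUID in braces; Parse accepts it with or without them.
$guid = [guid]::Parse($AppId).ToString('B')

# Remove any existing binding (reports an error if none exists, which is fine).
& netsh http delete sslcert "ipport=$IpPort" | Out-Null

# Add the new binding with the same parameters as the command above.
# Quoting each argument keeps PowerShell from parsing {…} as a script block.
& netsh http add sslcert "ipport=$IpPort" "certhash=$hash" "appid=$guid" 'clientcertnegotiation=enable'
if ($LASTEXITCODE -ne 0) {
    throw "netsh http add sslcert failed with exit code $LASTEXITCODE."
}

# Show what HTTP.sys now holds for the port so the hash can be compared.
& netsh http show sslcert "ipport=$IpPort"
```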
You may create a BAT file that runs at Windows startup to make sure the certificate is applied when the server starts up, if the service is restarted. The content of the BAT file is the following:
NET START SQLInventoryManagerRestService
TIMEOUT /T 10
netsh http add sslcert ipport=0.0.0.0:9276 certhash=<thumbprint of the PFX key (with spaces removed)> appid=<random GUID>
Configure the service to have a Manual startup type so the BAT file will start the service.
To add a certificate to the Trusted Root Certification Authorities store in Windows, refer to Manage Trusted Root Certificates.