PEM Certificate Conversion and Setup Guide for on-prem deployments

Introduction

This guide provides instructions for implementing secure browsing to GYTPOL portal using an enterprise-signed and trusted certificate that has already been created and exported along with its private key. By following this guide, you will ensure secure, encrypted communication between your users and GYTPOL portal, enhancing the overall security posture of your organization.

Prerequisites

  1. Exported Certificate in PFX format: The certificate file (e.g., yourpfxfile.pfx) containing the public key, private key, and intermediate certificates.

  2. PFX Certificate Password: Ensure you have the password required for creating the PEM files from the exported certificate.

  3. Copy the ‘yourpfxfile.pfx’ file to your GYTPOL server.

If you have a certificate in .cer format, please see these steps first.

Workflow

To generate a PEM certificate, utilize third-party software or install OpenSSL (freely available) and convert your PFX certificate to PEM format.

If employing OpenSSL, follow these steps:

Creating the correct certificate format (Using OpenSSL):

  1. Launch a Command Prompt as Administrator and navigate to the directory where OpenSSL is installed, for example, c:\program files\OpenSSL-Win64\bin\

  2. Execute the command below to extract the private key and save it to a new file:

openssl pkcs12 -in yourpfxfile.pfx -nocerts -out client-key.pem -nodes

(You'll be prompted for the PFX password, if applicable)

If there's a PEM Password/Phrase, follow these steps instead of the previous one:

Extract the private key to a temporary file:

openssl pkcs12 -in yourpfxfile.pfx -nocerts -out client-key-temp.pem

(You'll be prompted for both the PFX password and the PEM password)

Convert the temporary private key file to the desired format:

openssl rsa -in client-key-temp.pem -out client-key.pem

(You'll be asked for the PFX password if there is one)

If there's now PEM Password/Phrase, continue here:

  1. Now, to extract the public certificate and save it to a new file, run the following command:

(You'll be prompted for the PFX password if there is one)

To make changes within the server, follow these steps:

  1. Backup Original Files: Before making any changes, it's important to backup the original client-key.pem and client-cert.pem files located in gytpolInstallDrive:\gytpol\data\websrv.

  2. Replace Files: Copy the files created in the first step (client-key.pem and client-cert.pem) to the following location on the GYTPOL server: gytpolInstallDrive:\gytpol\data\websrv.
    Ensure to replace the existing files with the new ones (after you backed them up).

  3. Restart Service: Restart the "gytpol WebUI Service".

  4. Access Console: After the service restarts, access the console again using the Fully Qualified Domain Name (FQDN) of the server or the NetBIOS name, depending on the certificate you generated.

If You have a .cer Certificate, follow these steps to convert it to a .pfx format

Steps to Convert .cer to .pfx using OpenSSL:

  1. Prepare the Required Files:

    • Certificate: You should have a .cer or .crt file (e.g., certificate.cer).

    • Private Key: You need the corresponding private key file (e.g., private.key).

  2. Convert the Certificate and Key to .pfx:

    • Launch a Command Prompt as Administrator and navigate to the directory where OpenSSL is installed, for example, c:\program files\OpenSSL-Win64\bin\

    • Run the following command:

      Explanation:

      • -export: Creates a .pfx file.

      • -out certificate.pfx: Specifies the output file.

      • -inkey private.key: Specifies the private key file.

      • -in certificate.cer: Specifies the certificate file.

  3. Set a Password:

    • The command will prompt you to set a password for the .pfx file. This password is required when importing the .pfx file later.

  4. Verify the .pfx File:

    • Once created, you can verify the contents of the .pfx file using the following command:

    • Enter the password when prompted, and you should see details of the certificate and private key.

After successfully converting .cer to .pfx, you can proceed with the steps outlined in the first part of this guide.

Troubleshooting

In case the webUI service fails to start, follow these troubleshooting steps:

  1. Rollback Original Files: Replace the modified client-key.pem and client-cert.pem files with the original ones you backed up.

  2. Start WebUI Service: Attempt to start the "gytpol WebUI Service" again.

  3. Check Event Viewer: Open the Event Viewer and check for any errors or logs related to the webUI service. Look for details that might indicate the cause of the startup failure. Ensure that all the steps mentioned earlier were followed correctly.

  4. Contact Support: If you're unable to resolve the issue or need further assistance, please reach out to support@gytpol.com for additional help.