
2) Certificates


A Certificate is, simply put, a form of identification that software uses to identify itself as trustworthy when it interacts with other software. Certificates are one of the foundations of authentication and security for software and websites.

This trust is established by a well-known Certificate Authority, who provides a Certificate after verifying that the software in question has not been tampered with by a 3rd party. Usually Certificate Authorities charge a fee in exchange for this service.


Sections:

  1. Temporary Self-Signed Certificate
  2. Replace a Certificate
  3. Import a Certificate
  4. Use PowerShell Commands to Change Certificates
  5. Distribute the Certificate to Other Machines

 


Temporary Self-Signed Certificate

Pleasant Password Server comes with a default Self-Signed Certificate. This means that the Certificate Authority verifying the software is the developer of the software (Pleasant Solutions).

Browser Security Warnings

Using this Temporary Certificate will still generate warnings in your browser, even if it is properly installed into the Trusted Root Certificate Store. This is due to the browser security policies.

  • These browser warnings will be displayed until a proper certificate is added, because the name of the Certificate does not match the domain displayed in the full URL in the address bar.

To resolve these errors, see the details below.

   Chrome Browser: [image: Chrome Certificate Error]

   Firefox Browser: [image: Firefox Certificate Error]

   Edge Browser: [image: Edge Certificate Error]

   Internet Explorer Browser: [image: Internet Explorer Certificate Error]

 

Resolving Browser Warnings

1. In this case, since we are connecting to our own computer over a trusted internal connection while temporarily setting up the software, you can choose to Continue and prevent further error messages such as those above:

  • Chrome: Click Advanced, and then Proceed to localhost (unsafe)

2. Permanently remove these errors by either:

  • A) Following the steps below to generate a certificate or use a third-party one
  • B) Firefox: Choose to "add a permanent certificate exception" in your browser

Replace a Certificate

We recommend using a purchased Certificate from a reputable Certificate Authority. This provides an additional level of security. If making your Pleasant Password Server available in an external domain, this is the appropriate safeguard.

By default, Pleasant Password Server provides a temporary self-signed certificate to use as a placeholder, with a name of PasswordServer_Temporary_Placeholder_Certificate.

Replace this Temporary Certificate with one that matches your domain URL, by installing either:

  • Option A) Third-Party certificate (Recommended)
  • Option B) Self-Signed certificate

Install a Third-Party Certificate

Install a Self-Signed Certificate

  • Steps to Create & Install a new Self-Signed Certificate:
    1. For internal use, this may provide adequate security within your organization.
    2. Use an existing organization certificate, or create one by following this very good, detailed guide.
    3. Then upload the Certificate with the Service Config Utility or by using the PowerShell commands (section below)
    4. (Optionally) Distribute the certificate to other machines

Security Considerations:

  • Self-Signed Certificates are generally considered a less secure option than Third-Party Certificates. They could be more susceptible to man-in-the-middle attacks, so you may not consider them ideal for servers used in a production environment or connected to the internet.

Import a Certificate

To change the Certificate that Password Server uses, run the Pleasant Service Configuration Utility that was packaged and installed with the server.

Follow these steps:

  1. Start the Service Configuration Utility.
    • Programs -> Pleasant Password Server -> Service Configuration
  2. Click Certificate Configuration -> Click Import Certificate
  3. Browse for and select the Certificate file (must be a *.pfx or *.p12 private key certificate file):
    • If necessary, convert the Certificate to *.pfx, or *.p12 format, by either:
      • Using the mmc run command: first import the certificate, then export it in the pfx format
      • Using OpenSSL commands
  4. Enter the password for your certificate.
  5. Restart the Password Server service (click here for instructions).
  6. Point your browser at the server.

The Certificate used can be reverted back to the default placeholder certificate at any time by clicking the Clear button within the Certificate Configuration section of the Service Configuration Utility.

This setting will persist through future updates of Pleasant Password Server.

Certificate Import for Legacy Versions

(For versions 4.1.1 and earlier)

To avoid the certificate error page on an intranet, you must configure Pleasant Password Server to use a certificate name that matches your computer name.

  1. Stop the Pleasant Password Server service.
  2. Find the name of your computer.
    • Open the System control panel.
    • Right-click on My Computer and select Properties... or press Windows+Pause.
    • Look for the Computer name, domain, and workgroup settings.
  3. Open and modify the Pleasant Password Server configuration file.
    • By default, it will be in C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server\PassMan.WindowsService.exe.config
      • NOTE: To edit and save the file, you may need to run your text editor (such as Notepad) with administrative privileges; right-click the program file and click Run as administrator.
    • Find the following section and change PasswordServer_Temporary_Placeholder_Certificate to your computer name.

<serviceCertificate findValue="PasswordServer_Temporary_Placeholder_Certificate"
    x509FindType="FindBySubjectName" storeLocation="LocalMachine" storeName="Root" />

  4. Save and close the config file.
  5. Restart the Pleasant Password Server service.

Now, to get back to the Pleasant Password Server admin page securely, use https://<hostname>:10001

Use PowerShell Commands to Change Certificates

Here are some PowerShell commands that can be used to change certificates when you are renewing a certificate or adding a certificate for the first time. The certificate name and location will also be set in the registry. Change the values in the scripts, such as the certificate name, user name and password, to match your environment.

  • PowerShell commands:

# Stop service
Stop-Service "Pleasant Password Server"

# Restart service
Restart-Service "Pleasant Password Server"

# List your Certificates; Also checks if the certificate path is accessible
Get-ChildItem Cert:\LocalMachine\My

# Check if registry points at correct certificate
Get-ItemProperty "HKLM:\Software\Pleasant Solutions\PasswordManager"

# Delete previous certificate, in case it's a renewal
Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Subject -Like "CN=PasswordServer-Production-Certificate*" } | Remove-Item

# Import new certificate
Import-PfxCertificate -FilePath New-Certificate.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (Get-Credential -UserName "PFX" -Message "PFX Password").Password

# Update registry to point at correct certificate, if needed
Set-ItemProperty "HKLM:\Software\Pleasant Solutions\PasswordManager" -Name CertificateName -Value "PasswordServer-Production-Certificate"
Set-ItemProperty "HKLM:\Software\Pleasant Solutions\PasswordManager" -Name ThumbPrint -Value "63DF81FF0024F999D2A5B077F6152480E6C31F0"

Here is a list of the certificate registry keys:

  • Certificate Registry Settings:

[HKEY_LOCAL_MACHINE\Software\Pleasant Solutions\PasswordManager]
"CertificateName"="PasswordServer_Temporary_Placeholder_Certificate"
"StoreName"="My"
"StoreLocation"="LocalMachine"

Automate Certificate Changes

When using a free site certificate service, you may wish to automate the certificate changes. Your script would include the following items:

  1. Get the new certificate
  2. Stop the service (IISExpress) or website (IIS)
  3. Remove the old certificate from the Certificate Store
  4. Put the new certificate into the Certificate Store
  5. Start the service / site again
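
The five steps above as one PowerShell script, added here as an example and not Pleasant Solutions' own code. It reuses the service name, registry values and sample certificate names shown in the commands above, imports and checks the new certificate before removing the old one, and assumes the PFX holds a single certificate whose subject starts with CN=<SubjectName>.

```powershell
# Added example; the parameter defaults are the sample names used on this page.
param(
    [string]$PfxPath     = '.\New-Certificate.pfx',
    [string]$SubjectName = 'PasswordServer-Production-Certificate',
    [string]$ServiceName = 'Pleasant Password Server',
    [string]$RegPath     = 'HKLM:\Software\Pleasant Solutions\PasswordManager'
)
$ErrorActionPreference = 'Stop'
$store = 'Cert:\LocalMachine\My'

# 1. Get the new certificate; read the PFX password as a SecureString.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Record the certificates currently installed under this subject, so only those are removed.
$old = @(Get-ChildItem $store | Where-Object { $_.Subject -like "CN=$SubjectName*" })
$new = $null; $validated = $false

# 2. Stop the service.
Stop-Service $ServiceName
try {
    # 4. Import before removing anything, so a failed import leaves the old certificate in place.
    $new = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation $store -Password $pfxPassword

    # Reject a certificate the server cannot use.
    $now = Get-Date
    if (-not $new.HasPrivateKey) { throw 'Imported certificate has no private key.' }
    if ($new.Subject -notlike "CN=$SubjectName*") { throw "Unexpected subject: $($new.Subject)" }
    if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) { throw 'Certificate is outside its validity period.' }
    $validated = $true

    # 3. Remove the previous certificates, but never the one just imported.
    $old | Where-Object { $_.Thumbprint -ne $new.Thumbprint } | Remove-Item

    # Update the registry, taking the thumbprint from the imported object instead of typing it.
    Set-ItemProperty $RegPath -Name CertificateName -Value $SubjectName
    Set-ItemProperty $RegPath -Name ThumbPrint -Value $new.Thumbprint
}
catch {
    # Roll back a newly imported certificate that failed validation.
    if ($new -and -not $validated -and ($old.Thumbprint -notcontains $new.Thumbprint)) {
        Remove-Item (Join-Path $store $new.Thumbprint)
    }
    throw
}
finally {
    # 5. Start the service again, even if a step above failed.
    Start-Service $ServiceName
}
```

Run it from an elevated PowerShell session, since it writes to the LocalMachine certificate store and HKLM.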

Distribute the Certificate to Other Machines

The last optional step is to install the certificate on other networked computer workstations. This can be done by exporting the certificate from the server computer and importing it on other computers.

Some customers may wish to further automate the distribution using scripts or using their directory's Group Policy.

Here are the simple steps.

  1. Open the Microsoft Management Console (MMC).
    • Type mmc.exe in the Start menu search box or open a Run... dialog, type mmc.exe and click OK.
  2. Click File -> Add/Remove Snap-in...
  3. Add the Certificates snap-in.
    • (Windows Vista/7) Click Certificates from the left pane and click Add.
    • (Other Windows versions) Click Add... then select Certificates and click Add.
  4. Select Computer Account and click Next.
  5. Select Local Computer and click Finish.
  6. Exit the open dialog(s).

In the list of folders on the left, the top folder should be Personal followed by Trusted Root Certification Authorities.

These folders represent the various certificate stores for the local computer.

  1. Open Trusted Root Certification Authorities -> Certificates.
  2. Locate the certificate with your computer name.
  3. Right-click on the certificate and select All Tasks -> Export...
  4. Follow the Certificate Export Wizard to save the certificate file.
    • Select: No, do not export the private key
    • Select: Base-64 encoded X.509 (.cer)
  5. Specify a location and file name for the certificate.

Securely transport the certificate to your other workstation so that it can be imported. Use the MMC Certificate snap-in as above.

  1. Right-click on Trusted Root Certification Authorities and select All Tasks -> Import...
  2. Select your certificate file.
  3. Complete the Certificate Import Wizard.