Custom SSL Certificate

PA Server Monitor can use your own SSL certificate instead of the default self-signed certificate.

If at any time there are any problems with certificates, you can always delete the C:\Program Files\PA Server Monitor\CA folder and restart the service -- a new self-signed certificate will be created.

Note that although the commands are shown on multiple lines, this is only because there isn't space to show the full command on one line. The text in each command box below should be run as a single command.

Use your own existing certificate

  1. You will need to get your certificate into PEM format if it isn't already. There are a number of utilities that can do this that you can find on the Internet. Try searching for something like 'convert {your cert type} to PEM'. Note that .pem, .crt, .cer, and .key are often used interchangeably. If you look at the file with a text editor and see readable text, you have a .pem file.

    For example, to convert a .PFX file using OpenSSL (which is in the C:\Program Files\PA Server Monitor folder) run the following:

    Tell OpenSSL where to find its configuration file (do NOT use quotes, even if there are spaces in the path):
    set OPENSSL_CONF=C:\Program Files\PA Server Monitor\CA\openssl.cnf
    The conversion command:
    "C:\Program Files\PA Server Monitor\openssl.exe" pkcs12 -in "C:\My Files\myCert.pfx" -out "C:\My Files\myNewCert.pem"
    You will be prompted for the existing private key password, and then you'll be prompted for a new password for the output file's private key.

    Look at the resulting .pem file in a text editor -- you'll see there are two sections. Split this into two separate files, like below:

    CLIENT_PRIVATE.pem file contents:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MIIFDjBABgkfhkiG9w0BBQgwMzAbBgkqh1iG9w0BBQwwDgQIvSKYYbDSkPICAggA
    ... many more lines like those above ...
    4pvqu3DGh93oIV7YlC1Gn4BY/2jVd2F1NxRjIxvDsllhDvvFFMUWC41Xc5pZ6d9U
    pyY=
    -----END ENCRYPTED PRIVATE KEY-----

    SIGNED_CLIENT_CERT.pem file contents:
    -----BEGIN CERTIFICATE-----
    MIIFPzCCBCFgAwIBAgIS3SGXUxVkgYN9r5PZvhFNF148MA0GCSqGSIb3DQ5BBQUA
    ... many more lines like those above ...
    ITywFF+LW4hdG5TYw2smJmbBgkfbW7nusufXAzg7I0E5z2HyxRmLm+Eees4J00mo
    f6jn
    -----END CERTIFICATE-----
    You don't need the other lines that are in the file.
  2. Save the certificate's private key file to
    C:\Program Files\PA Server Monitor\CA\CLIENT_PRIVATE.pem
  3. Save the SSL certificate to
    C:\Program Files\PA Server Monitor\CA\SIGNED_CLIENT_CERT.pem
  4. PA Server Monitor 8.0 Ultra will need to know the password for the private key. You can specify this by running the following command:
    "C:\Program Files\PA Server Monitor\diag.exe" /SETCONFIG=SSLCertPKPW:{password}

    This will encrypt and store the password with a machine-specific key in the registry. To erase the password, run:
    "C:\Program Files\PA Server Monitor\diag.exe" /SETCONFIG=SSLCertPKPW:
  5. Restart the PA Server Monitor service and it will now be using your SSL certificate.
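
The split described in step 1 can be scripted. The PowerShell below is an added example, not part of PA Server Monitor; the function and parameter names are hypothetical. It refuses to guess when the converted file holds more than one certificate, which happens when the .PFX also carries the issuing chain.

```powershell
# Added example (not vendor code). Splits the PEM written by "openssl pkcs12"
# into the two files named on this page. Function/parameter names are hypothetical.
function Split-PemBundle {
    param(
        [Parameter(Mandatory)] [string] $BundlePath,  # e.g. C:\My Files\myNewCert.pem
        [Parameter(Mandatory)] [string] $OutDir       # e.g. C:\Program Files\PA Server Monitor\CA
    )
    $text = Get-Content -LiteralPath $BundlePath -Raw

    # (?s) lets "." cross line breaks; each match is one complete PEM block.
    # Anything outside the blocks (the "other lines") is left behind.
    $keyRx  = '(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.+?-----END [A-Z ]*PRIVATE KEY-----'
    $certRx = '(?s)-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----'
    $keys  = [regex]::Matches($text, $keyRx)
    $certs = [regex]::Matches($text, $certRx)

    # Several CERTIFICATE blocks mean the bundle includes chain certificates.
    # Stop rather than guess which one is the server certificate.
    if ($keys.Count -ne 1 -or $certs.Count -ne 1) {
        throw "Expected 1 key and 1 certificate, found $($keys.Count) and $($certs.Count); split by hand."
    }

    # Covers both "BEGIN ENCRYPTED PRIVATE KEY" and the older "Proc-Type: 4,ENCRYPTED" form.
    if ($keys[0].Value -cnotmatch 'ENCRYPTED') {
        Write-Warning 'Private key block is not password-protected.'
    }

    $keyFile  = Join-Path $OutDir 'CLIENT_PRIVATE.pem'
    $certFile = Join-Path $OutDir 'SIGNED_CLIENT_CERT.pem'
    Set-Content -LiteralPath $keyFile  -Value $keys[0].Value  -Encoding Ascii
    Set-Content -LiteralPath $certFile -Value $certs[0].Value -Encoding Ascii
    [pscustomobject]@{ KeyFile = $keyFile; CertFile = $certFile }
}

# Usage (run from an elevated PowerShell prompt):
# Split-PemBundle -BundlePath 'C:\My Files\myNewCert.pem' -OutDir 'C:\Program Files\PA Server Monitor\CA'
```

Once the two files are in place, delete the intermediate myNewCert.pem, since it also contains the private key.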

Create your own new certificate

  1. Go to the C:\Program Files\PA Server Monitor\CA folder
  2. Create a folder inside CA named NewCert.
  3. Copy Client.cnf from CA into NewCert
  4. Open NewCert\Client.cnf in a text editor. Go to the PACA_dn section near the bottom and edit the values as you like (C=Country, ST=State/Province, L=City). Change the CN value to the hostname of your server. Some SSL certificate providers expect to see a dot in the name, so the public name of your server would be best (something like monitor.mydomain.com). Note that, depending on the SSL provider you use, the subjectAltName field (where additional machine names are listed) might be ignored.
  5. Open a command prompt and change directory to
    C:\Program Files\PA Server Monitor\CA\NewCert
  6. Run the following to tell OpenSSL where to find your configuration file (do NOT use quotes, even if there are spaces in the path):
    set OPENSSL_CONF=C:\Program Files\PA Server Monitor\CA\NewCert\client.cnf
    Then run the following to actually create the certificate request file (DO use quotes if there are spaces in the path):
    "C:\Program Files\PA Server Monitor\openssl.exe" req -newkey rsa:2048 -keyout "C:\Program Files\PA Server Monitor\CA\NewCert\CLIENT_PRIVATE.pem" -keyform PEM -out "C:\Program Files\PA Server Monitor\CA\NewCert\CLIENT_CERT.pem" -outform PEM -rand openssl.exe
  7. This will create two new files:
    CLIENT_CERT.pem -- this is the Certificate Request file that you will send/copy to the SSL certificate vendor (like Verisign, GlobalSign, etc)
    CLIENT_PRIVATE.pem -- this is the private key file for this certificate. This file will need to remain on the server, but should be kept private.
  8. To see what you are sending to the SSL provider, run:
    "C:\Program Files\PA Server Monitor\openssl.exe" req -in "C:\Program Files\PA Server Monitor\CA\NewCert\CLIENT_CERT.pem" -noout -text
  9. After sending CLIENT_CERT.pem to an SSL provider, you will get back a certificate file. Save the file (in PEM format) to:
    C:\Program Files\PA Server Monitor\CA\SIGNED_CLIENT_CERT.pem
  10. When the above file is copied, also copy
    C:\Program Files\PA Server Monitor\CA\NewCert\CLIENT_PRIVATE.pem
    into the CA folder
  11. You can optionally delete the NewCert folder at this point.
  12. Restart the PA Server Monitor service and it will now be using your SSL certificate.
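
Before the restart in the last step, it is worth confirming that the certificate the provider returned actually belongs to the private key created in NewCert. The PowerShell below is an added example, not part of PA Server Monitor; the function names are hypothetical and the paths are the ones used on this page. It compares RSA moduli, so it applies to RSA keys such as the rsa:2048 key created above, and it works equally for the files from the "Use your own existing certificate" procedure.

```powershell
# Added example (not vendor code). Function names are hypothetical.
$openssl = 'C:\Program Files\PA Server Monitor\openssl.exe'
$env:OPENSSL_CONF = 'C:\Program Files\PA Server Monitor\CA\openssl.cnf'

function Get-OpenSslLine {
    param([string[]] $OpenSslArgs, [string] $Prefix)
    # Run openssl.exe and return the first output line starting with $Prefix.
    $out = & $openssl @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs[0]) failed" }
    $out | Where-Object { $_ -like "$Prefix*" } | Select-Object -First 1
}

function Test-CertMatchesKey {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [Parameter(Mandatory)] [string] $KeyPath
    )
    # Both commands print "Modulus=<hex>". The RSA modulus is the public value
    # shared by a certificate and the private key it was issued for.
    $certMod = Get-OpenSslLine -OpenSslArgs @('x509', '-noout', '-modulus', '-in', $CertPath) -Prefix 'Modulus='
    # openssl prompts for the private key password here.
    $keyMod  = Get-OpenSslLine -OpenSslArgs @('rsa', '-noout', '-modulus', '-in', $KeyPath) -Prefix 'Modulus='
    [bool]$certMod -and ($certMod -eq $keyMod)
}

# Check after step 9, while the key is still in NewCert.
$ca = 'C:\Program Files\PA Server Monitor\CA'
if (Test-CertMatchesKey -CertPath "$ca\SIGNED_CLIENT_CERT.pem" -KeyPath "$ca\NewCert\CLIENT_PRIVATE.pem") {
    'Certificate matches the private key.'
} else {
    Write-Warning 'Certificate and private key do NOT match; do not restart the service yet.'
}
```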

