Error: Separate web server won't get a connection


Requirement

A separate web server (not running on the application server) should be used.

Prerequisites

  • Basic know-how about certificates
  • Administrator/Root privileges on the web server

Procedure

Export the public key of your Password Secure application server certificate.

Run certlm.msc (Computer Certificate Management Console), select the correct certificate and choose All Tasks → Export.

Do not export the private key. It is not needed, and exporting it would be a security risk!

Select Base-64 encoded binary format.

Save the file and transfer it to your web server.

Using PowerShell

The certificate can also be exported using PowerShell.

Change highlighted values first!

# list all relevant certificates
# copy the thumbprint of the certificate you want to export
Get-ChildItem Cert:\LocalMachine\My\ | Where-Object -Property Subject -notlike 'CN=psrKey*' | Sort-Object FriendlyName | Format-Table -AutoSize -Property FriendlyName, Thumbprint, Subject, NotBefore, NotAfter

# export the selected certificate's public key
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq 'EA0B3[...]95C50'

$base64certificate = @"
-----BEGIN CERTIFICATE-----
$([Convert]::ToBase64String($cert.Export('Cert'), [System.Base64FormattingOptions]::InsertLineBreaks))
-----END CERTIFICATE-----
"@

Set-Content -Path 'C:\temp\nps_ca_or_self-signed_public-key.cer' -Value $base64certificate

Transfer the file to your web server.

Windows web server

Install the certificate to Local Machine → Trusted Root Certification Authorities.

A restart of your IIS web server might be required.

Using PowerShell

The certificate can also be imported using PowerShell.

Change highlighted values first!

# import the certificate to 'Trusted Root Certification Authorities'
Import-Certificate -FilePath 'C:\temp\nps_ca_or_self-signed_public-key.cer' -CertStoreLocation 'Cert:\LocalMachine\Root\'

# restart IIS web server
iisreset /restart

 

Linux web server (Ubuntu/Debian)

Install the public key to the trusted ca-certificates and reload your web server.

Change highlighted values first!

# copy the exported certificate over to the trusted ca-certificates folder
sudo cp nps_ca_or_self-signed_public-key.cer /usr/local/share/ca-certificates/netwrix_password_secure.crt

# update the trusted ca-certificates list
sudo update-ca-certificates

# reload Apache2
sudo service apache2 reload

# or Nginx
sudo service nginx reload
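
Before copying the transferred file into the trust store, it is worth confirming that it holds only the certificate and that it is the one you selected on the application server. The following check is an added example, not part of the original article; the function names and exit codes are assumptions. It relies on the Windows thumbprint being the SHA-1 hash of the DER-encoded certificate.

```bash
#!/usr/bin/env bash
# Added example: validate the exported file before adding it to a trust store.
# Function names and exit codes are assumptions of this example.
# Requires GNU coreutils (base64, sha1sum), as shipped with Ubuntu/Debian.

# Print the SHA-1 thumbprint (uppercase hex) of the PEM certificate in file $1.
# This is the value Windows lists in the Thumbprint column.
cert_thumbprint() {
    local body
    # Strip CRs (files written on Windows use CRLF) and keep the base64 body.
    body=$(tr -d '\r' < "$1" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | grep -v '^-----') || return 1
    # Reject bodies that are not valid base64 before hashing anything.
    printf '%s\n' "$body" | base64 -d > /dev/null 2>&1 || return 1
    printf '%s\n' "$body" | base64 -d | sha1sum | cut -d' ' -f1 | tr 'a-f' 'A-F'
}

# check_exported_cert FILE [EXPECTED_THUMBPRINT]
# Returns 0 if FILE is safe to install, non-zero (with a reason) otherwise.
check_exported_cert() {
    local file="$1" expected="${2:-}" count actual
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    # The private key must stay on the application server.
    if grep -q 'PRIVATE KEY-----' "$file"; then
        echo "refused: $file contains a private key" >&2; return 3
    fi
    # The export produces exactly one certificate; anything else is unexpected.
    count=$(grep -c '^-----BEGIN CERTIFICATE-----' "$file" || true)
    [ "$count" -eq 1 ] || { echo "expected 1 certificate, found $count" >&2; return 4; }
    actual=$(cert_thumbprint "$file") || { echo "body is not valid base64" >&2; return 4; }
    echo "thumbprint: $actual"
    if [ -n "$expected" ]; then
        # Accept the thumbprint in any case, with or without spaces/colons.
        expected=$(printf '%s' "$expected" | tr -d ' :' | tr 'a-f' 'A-F')
        [ "$actual" = "$expected" ] || { echo "thumbprint mismatch" >&2; return 5; }
    fi
}

# Usage: check_exported_cert nps_ca_or_self-signed_public-key.cer '<thumbprint from the Windows listing>'
```

Run the check on the web server and only continue with the copy and `update-ca-certificates` steps when it returns 0.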

 

 
