Requirement
A separate web server (not running on the application server) should be used.
Prerequisites
- Basic know-how about certificates
- Administrator/Root privileges on the web server
Procedure
Export the public key of your Password Secure application server certificate.
Run certlm.msc (Computer Certificate Management Console), select the correct certificate and choose All Tasks → Export.
Do not export the private key, as it is not necessary and would be a security risk!
Select Base-64 encoded binary format
Save it and transfer it to your web server.
Using PowerShell
The certificate can also be exported using PowerShell.
Change the thumbprint and the output path to match your environment first!
# list all relevant certificates
# copy the thumbprint of the certificate you want to export
Get-ChildItem Cert:\LocalMachine\My\ | Where -Property Subject -notlike 'CN=psrKey*' | Sort-Object FriendlyName | Format-Table -AutoSize -Property FriendlyName, Thumbprint, Subject,NotBefore, NotAfter
# export the selected certificates public key
$cert = Get-ChildItem Cert:\LocalMachine\My | where Thumbprint -eq 'EA0B3[...]95C50'
$base64certificate = @"
-----BEGIN CERTIFICATE-----
$([Convert]::ToBase64String($cert.Export('Cert'), [System.Base64FormattingOptions]::InsertLineBreaks))
-----END CERTIFICATE-----
"@
Set-Content -Path 'C:\temp\nps_ca_or_self-signed_public-key.cer' -Value $base64certificate
Transfer the file to your web server.
Windows web server
Install the certificate to Local Machine → Trusted Root Certification Authorities
A restart of your IIS web server might be required.
Using PowerShell
The certificate can also be imported using PowerShell.
Change the file path to match your environment first!
# import the certificate to 'Trusted Root Certification Authorities'
Import-Certificate -FilePath 'C:\temp\nps_ca_or_self-signed_public-key.cer' -CertStoreLocation 'Cert:\LocalMachine\Root\'
# restart IIS web server
iisreset /restart
Linux web server (Ubuntu/Debian)
Install the public key to the trusted ca-certificates and reload your web server.
Change the file names and the web server type to match your environment first!
# copy the exported certificate over to the trusted ca-certificates folder
sudo cp nps_ca_or_self-signed_public-key.cer /usr/local/share/ca-certificates/netwrix_password_secure.crt
# update the trusted ca-certificates list
sudo update-ca-certificates
# reload Apache2
sudo service apache2 reload
# or Nginx
sudo service nginx reload
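The following PowerShell is an added example, not part of the Netwrix documentation, that wraps the export step above in functions and adds the two checks worth running: that the exported file really contains only the public certificate (no private key, matching thumbprint) and, when run on the web server after the import, that the machine now builds a trusted chain for it. The thumbprint and output path are placeholders you must replace.

```powershell
# Added example (not from the Netwrix documentation). Placeholders: adjust both values.
$Thumbprint = 'REPLACE_WITH_THUMBPRINT'   # copy from the Get-ChildItem output above
$OutFile    = 'C:\temp\nps_ca_or_self-signed_public-key.cer'

function Export-PublicCertificate {
    param([string]$Thumbprint, [string]$Path)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
    # X509ContentType.Cert exports the DER-encoded certificate only, never the private key
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $pem = "-----BEGIN CERTIFICATE-----`r`n" +
           [Convert]::ToBase64String($der, 'InsertLineBreaks') + "`r`n" +
           "-----END CERTIFICATE-----"
    Set-Content -Path $Path -Value $pem -Encoding Ascii
    return $cert
}

function Test-ExportedCertificate {
    param([string]$Path, [string]$ExpectedThumbprint)
    $text = Get-Content -Path $Path -Raw
    # A PEM private-key block means the wrong export option was chosen in the wizard
    if ($text -match 'PRIVATE KEY-----') { throw "$Path contains a private key; re-export without it" }
    $reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    if ($reloaded.HasPrivateKey) { throw "$Path unexpectedly carries a private key" }
    if ($reloaded.Thumbprint -ne $ExpectedThumbprint) { throw "Thumbprint mismatch: $($reloaded.Thumbprint)" }
    return $reloaded
}

function Test-TrustedByThisMachine {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Builds the chain against the local machine stores. On the web server this fails with
    # UntrustedRoot before Import-Certificate into Cert:\LocalMachine\Root and succeeds after.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check: trust only, no CRL/OCSP
    $ok = $chain.Build($Cert)
    foreach ($s in $chain.ChainStatus) { Write-Warning "$($s.Status): $($s.StatusInformation)" }
    return $ok
}

$exported = Export-PublicCertificate -Thumbprint $Thumbprint -Path $OutFile
$reloaded = Test-ExportedCertificate -Path $OutFile -ExpectedThumbprint $exported.Thumbprint
"Exported $($reloaded.Subject); trusted on this machine: $(Test-TrustedByThisMachine -Cert $reloaded)"
```

Run the first two functions on the application server and Test-TrustedByThisMachine (with the transferred .cer loaded via Test-ExportedCertificate) on the Windows web server to confirm the import took effect.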