FAQs
Those might have popped-up in your mind.
How to install Intranet SSL Certificate (PFX) on IIS in Windows Server?
Step by step instructions on how to import the SecureNT Intranet SSL Certificate PFX file in Windows IIS Server (any version). It’s a two-step process.
Step-1: How to Import the PFX File in IIS
- From the Start menu, type MMC, and click OK.
- In the User Account Control window, click Yes.
- In the Console window, in the menu at the top, click File > Add/Remove Snap-in.
- In the Add or Remove Snap-ins window, under Available snap-ins, click Certificates and then click Add.
- In the Certificates snap-in window, choose Computer account and then click Next.
- In the Select Computer window, select Local computer: (computer this console is running on), and then click Finish.
- In the Add or Remove Snap-ins window, click OK.
- From the Console window, from the Console Root folder, expand Certificates (Local Computer) (the certificate file will be in Personal or Web Hosting folder).
- Right-click on the certificate file which you want to import and then click All Tasks > Import.
- On the Welcome to the Certificate Import Wizard page, click Next.
- Follow the instructions to import the primary SSL certificate from the PFX file.
- On the Certificate Store page, select Automatically select the certificate store based on the type of certificate.
- Double-check your settings and then click Finish.
You should see the message “The import was successful”.
Step-2: How to Enable the SSL Certificate
- From the Start menu, search for Administrative Tools, open it, and double-click on Internet Information Services (IIS) Manager.
- Under Connections, expand your server’s name, expand Sites, and then click the site that you want to encrypt.
- In the Actions menu, under Edit Site, click Bindings.
- In the Site Bindings window, click Add.
- In the Add Site Binding window, from the drop-down lists select: HTTPS, All Unassigned, and enter port 443.
- From the SSL certificate drop-down list, select the certificate you want to import.
- Click OK and restart your IIS server.
SecureNT Intranet SSL certificate is now installed on IIS.
The following article shows these steps with screenshots:
How to Import the SSL Certificate w/Private Key.pfx File
How to install Intranet SSL Certificate on Tomcat or JBoss?
The zip file we send contains the server certificate (server.pfx) in PFX (PKCS12) format. It needs to be imported into the Tomcat/JBoss Keystore file.
To import the SecureNT Intranet SSL Certificate into the Tomcat/JBoss Keystore, use the following command.
keytool -importkeystore -deststorepass inetssl2 -destkeypass inetssl2 -destkeystore [tomcatjbosskeystorefile] -srckeystore server.pfx -srcstoretype PKCS12 -srcstorepass inetssl2 -alias [tomcat/jboss]
In the above command replace the tomcatjbosskeystorefile with the Tomcat / JBoss Keystore file you have on your computer.
Also Check: Tomcat keeps its configuration information in the server.xml file. Make sure Tomcat is reading the correct Tomcat / Jboss Keystore file and that port 8443 is enabled for secure connections.
How to install Intranet SSL on XAMPP Server?
To proceed with the installation, you need to download the certificate zip file and extract its contents onto your device.
Step 1: Set up a Folder for Storing SSL Files
Create a new folder on your XAMPP server to store the SSL files. You will use this folder to store the SSL files for your XAMPP HTTPS setup. Unzip all files here.
Step 2: Locate the Configuration File for Your Localhost Website
There are two methods for finding the configuration file for your website:
- Method 1: Click Config in the XAMPP control panel and select Apache (httpd-ssl.conf).
- Method 2: Use the file explorer to find the configuration file located in the folder where you installed the XAMPP control panel.
Step 3: Edit the Virtual Host for Port 443
Open the configuration file in a text editor, such as Notepad, and make the necessary changes. Here’s an example of what the virtual host for port 443 should look like after editing:
DocumentRoot "/var/www"
# Replace with your intranet common name (e.g., localhost)
ServerName intranet-common-name
# Replace with your alias, or remove this line if the site has none
ServerAlias intranet-alias
SSLEngine on
SSLCertificateFile "D:/xampp/yourwebsite/ssl/server.cer"
SSLCertificateKeyFile "D:/xampp/yourwebsite/ssl/serverkey.cer"
SSLCACertificateFile "D:/xampp/yourwebsite/ssl/CA-bundle.cer"
Note: Remember to replace the server name, alias, and certificate paths with the actual values that apply to your setup. Also copy server.cer, serverkey.cer and CA-bundle.cer to the required path, viz., D:/xampp/yourwebsite/ssl/
Step 4: Restart the Server
Finally, restart the server by clicking Stop in the XAMPP control panel, then Start. This will ensure that the new SSL certificate is properly applied.
Test your SSL Installation
After you install an SSL Certificate in XAMPP, you should test the certificate installation by visiting your intranet common name in the browser using the https protocol.
How to quickly install CA certificates automatically on a large number of Windows PCs?
One can use Microsoft Group Policy to install SecureNT CA certificates on a large number of PCs automatically. Here is a link to our blog which explains how to do it.
On an Android device, how to install Root - Intermediate Root CA Certificates?
Please follow the below steps.
Android 11+ Device
In Android 11+, to install a CA certificate, users need to manually:
- Open Device settings
- Go to ‘Security’
- Go to ‘Encryption & Credentials’
- Go to ‘Install from storage’ or ‘Install a certificate’ (depending on devices)
- Select ‘CA Certificate’ from the list of types available
- Accept a warning alert.
- Browse to the certificate file on the device and open it
- Confirm the certificate installation
Samsung Device:
Settings:
- Biometrics and security
- Other security settings
- Install from device storage
- CA Certificate
- Install Anyway
What to do if the Client browser gives an error while accessing Servers with Intranet SSL?
Check this:
- Please check whether you have installed the Intranet Root/Intermediate CA Certificates on the Windows PCs or Macs. If they are already installed, an antivirus may be blocking access to the root certificate because it does not consider it a trusted root certificate. In this case, create an exception in the antivirus settings to allow access to the SecureNT Intranet root/intermediate CA certificates.
- On Windows PCs, ensure that the Intranet Root CA Certificate is installed under “Trusted Root Certification Authorities” and that the Intranet Intermediate CA Certificate is installed under “Intermediate Certification Authorities”.
To install the SecureNT Intranet Root/Intermediate CA Certificates follow the steps given here. They need to be installed once, on each Windows client PC. On a Mac, customers will need to open Keychain Manager and explicitly trust each of the two root certificates.
To automate the installation of root certificates on multiple machines, one can use Microsoft’s Group Policy for PCs; and Parallel’s Device Management for Macs. Click here to find the installation details.
Firefox does not use the operating system’s certificate store for storing the root certificates. So, the root certificate chain is added differently. Read this article for details. (https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox)
Why am I getting an error, even after installation of Root Certificates on the Client PC?
This sometimes happens due to Antivirus or End Point Security software. They don’t trust non-public Root Certificates and tell the browser that the Intranet Root Certificate is not trusted.
In one case, we noticed that AVG antivirus intercepted the network connection by keeping its own SSL in between, passing an error to the browser that SecureNT Root Certificate is not trusted. The customer created an exception for the error and the browser error stopped.
This problem is not seen with Avast antivirus. Just for information.
How to Install and Configure SecureNT Intranet SSL Certificate on Your Apache Server?
- Copy the required certificate files to your server from the supplied zip file.
  a. server.cer (File #1)
  b. SecureNT CA-Bundle.cer (File #5)
  Copy these files, along with the .key file (Private Key) you generated when creating the CSR, to the directory on the server where you keep your certificate and key files. Use serverkey.cer (File #2, Private Key) when generated by SecureNT.
  Note: Make them readable by root only to increase security.
- Find the Apache configuration file (httpd.conf) you need to edit.
  The location and name of the configuration file can vary from server to server, especially if you're using a special interface to manage your server configuration.
  - Apache's main configuration file is typically named httpd.conf or apache2.conf. Possible locations for this file include /etc/httpd/ or /etc/apache2/. For a comprehensive listing of default installation layouts for Apache HTTPD on various operating systems and distributions, see Httpd Wiki - Distros Default Layout.
  - Often, the SSL certificate configuration is located in a <VirtualHost> block in a different configuration file. The configuration files may be under a directory like /etc/httpd/vhosts.d/, /etc/httpd/sites/, or in a file called httpd-ssl.conf.
  One way to locate the SSL configuration on Linux distributions is to search using grep. Run the following command:
  grep -i -r "SSLCertificateFile" /etc/httpd/
  Note: Make sure to replace /etc/httpd/ with the base directory of your Apache installation.
- Configure the <VirtualHost> block for the SSL-enabled site.
  a. Below is a very simple example of a virtual host configured for SSL. The SSL directives are the parts you must add for SSL configuration.
<VirtualHost 192.168.0.1:443>
DocumentRoot /var/www/html2
ServerName www.yourdomain.com
SSLEngine on
SSLCertificateFile /path/to/server.cer
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile "/path/to/SecureNT CA-Bundle.cer"
</VirtualHost>
  b. Make sure to adjust the file names to match your certificate files.
  - SSLCertificateFile is your SecureNT certificate file (e.g., server.cer).
  - SSLCertificateKeyFile is the .key file generated when you created the CSR (e.g., serverkey.cer or your_private.key).
  - SSLCertificateChainFile is the SecureNT CA certificate bundle file (e.g., SecureNT CA-Bundle.cer).
  Note: If the “SSLCertificateChainFile” directive does not work, try using the “SSLCACertificateFile” directive instead.
- Test your Apache configuration file before restarting.
  As a best practice, check your Apache configuration file for any errors before restarting Apache.
  Caution: Apache won't start again if your configuration files have syntax errors. Run the following command to test your configuration file (on some systems, it's apache2ctl):
  apachectl configtest
- Restart Apache.
  You can use apachectl commands to stop and start Apache with SSL support.
  apachectl stop
  apachectl start
Restart Notes:
If Apache doesn't restart with SSL support, try using apachectl startssl instead of apachectl start. If SSL support only loads with apachectl startssl, we recommend you adjust the Apache startup configuration to include SSL support in the regular apachectl start command. Otherwise, you may need to manually restart Apache using apachectl startssl in the event of a server reboot. This usually involves removing the <IfDefine SSL> and </IfDefine> tags that enclose your SSL configuration.
Congratulations! You've successfully installed your SSL certificate.
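A check to run alongside apachectl configtest, as an added example (not SecureNT's or Apache's own tooling): it reads the SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile and SSLCACertificateFile directives from a configuration file, confirms each referenced file exists, flags an unquoted path that contains spaces (such as the CA bundle file name), and flags a private key that group or other users can access. The helper name check_ssl_files is an assumption.

```shell
#!/bin/sh
# Added example; check_ssl_files is a hypothetical helper, not an Apache tool.
# Usage: check_ssl_files CONFIG_FILE
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_ssl_files() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    # Extract "directive|path" pairs. Directive names are matched
    # case-insensitively, comment lines are skipped, quotes are removed.
    # A path with spaces that was NOT quoted is tagged "!" because Apache
    # would read it as two arguments and fail configtest.
    found=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) ~ /^ssl(certificate(key|chain)?|cacertificate)file$/ {
            d = $1
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t\r]+$/, "")
            tag = ($0 !~ /^"/ && $0 ~ /[ \t]/) ? "!" : ""
            gsub(/"/, "")
            print d "|" tag $0
        }' "$conf")
    [ -n "$found" ] || { echo "no SSL file directives in $conf"; return 1; }
    bad=0
    while IFS='|' read -r directive path; do
        case $path in
            '!'*) path=${path#?}
                  echo "$directive: path has spaces, wrap it in double quotes"
                  bad=1 ;;
        esac
        if [ ! -f "$path" ]; then
            echo "$directive: missing file $path"; bad=1; continue
        fi
        # Only the private key must be closed to group and other users.
        case $(echo "$directive" | tr 'A-Z' 'a-z') in
            sslcertificatekeyfile)
                perms=$(ls -ld -- "$path" | cut -c5-10)
                [ "$perms" = "------" ] || {
                    echo "$directive: $path is accessible beyond its owner"
                    bad=1; } ;;
        esac
    done <<EOF
$found
EOF
    return $bad
}

# Run as a script: sh check_ssl.sh CONFIG_FILE
[ $# -eq 0 ] || check_ssl_files "$1"
```

A key file reported as accessible beyond its owner can be fixed with chmod 600 on that file, matching the note in the first step.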
How to install Intranet SSL Certificate on SAP Server?
Downloading and Installing the SAPGENPSE Cryptography Tool
Download the SAPGENPSE Cryptography tool that is part of the SAP Cryptographic Library in the SAP Service Marketplace and install it.
On the Data Integration Service machine, download the latest available patch for the SAPGENPSE tool based on the operating system.
At the command prompt, navigate to the directory that contains the SAPCAR.EXE file and the SAPCRYPTOLIB_*.SAR file.
Extract the SAR file. For example, enter the following command at the command prompt:
sapcar.exe -xvf SAPCRYPTOLIB_39-10010895.SAR
The SAPGENPSE files are extracted to the nt-x86_64 directory within the current directory.
Then rename the following two files:
"SecureNT Intranet Root CA.cer" --> SecureNT_Intranet_Root_CA.cer
"SecureNT Intranet Intermediate CA.cer" --> SecureNT_Intranet_Intermediate_CA.cer
The following commands will install the Intranet SSL on the SAP server.
sapgenpse import_p12 -p /usr/sap/ssl/SAPSSLS.pse -r SecureNT_Intranet_Root_CA.cer -r SecureNT_Intranet_Intermediate_CA.cer /usr/sap/ssl/server.pfx
setenv SECUDIR /usr/sap/WS4/W00/sec/
sapgenpse seclogin -p SAPSSLS.pse
Breakdown:
-p SAPSSLS.pse: Specifies the name of the PSE file, in this case, SAPSSLS.pse.
-r RootCA.cer: This imports the Root Certificate Authority (CA) certificate into the PSE.
-r IntermediateCA.cer: This imports the Intermediate CA certificate, which can act as a bridge between the Root CA and the end entity certificate.
server.pfx: This file contains the actual SSL certificate in PFX format, which is a combination of a private key and the issued certificate.
Key Point: The -r option is used multiple times to specify certificates that are being imported into the SAP Personal Security Environment (PSE). In this case, the Root CA and Intermediate CA certificates.
How to install SecureNT CA certificates on SAP Basis ABAP
- Execute the tcode: Strust. You will see "Trust Manager: Display"
- Click on "Change" mode located on top left corner. You will see "Trust Manager: Change"
- Go to the certificate section and double click on it.
- Select "SSL Client SSL Client (Standard)". Press Right Click and select "Create".
- Click on "Import Certificate" (It's located on bottom left. First icon)
- In the Import Certificate dialog box specify the associated file name from the file system. The CA certificates are "SecureNT Intranet Root CA.cer" and "SecureNT Intranet Intermediate CA.cer"
- Select the CA certificates one by one. And click on Open button.
- You should see the certificate displayed in the certificate section. Click on "Add to Certificate List" and Save the CA certificate. Repeat it for the second CA certificate.
- The CA certificates will get added to the certificate list in the PSE maintenance section.
- Click "Save" button located on top (floppy disk).
- Restart the server "stopsap"
Why do I need to install the cert on the client desktops also? Can I not just install the cert on the Server housing the intranet sites?
It’s a good question. If public CAs could issue SSL certificates for internal names like local hosts, IP addresses, or server names, then we, a Private Certifying Authority (CA), wouldn’t exist.
We issue SSL certificates to local hosts, server names, IP addresses and internal URLs. They are SSL certificates for internal network names. And our CA certificates are not trusted by the browsers and the client Operating Systems like Windows.
The reason for this situation is that the CA/Browser Forum, which governs Public Certifying Authorities (CAs), decided in 2015 that public CAs can’t issue SSL certificates to Internal Names and internal IP addresses. See this file for details.
Hence Public CAs like Let’s Encrypt, DigiCert, GlobalSign, EnTrust etc. can’t issue SSL certificates for internal networks.
So, whoever issues SSL certificates for Internal Names or internal IP addresses has to issue them with non-public/Private CA roots only.
When you use such SSL certificates, Operating System vendors and browsers don’t trust them because of the CA/Browser Forum’s policy. So, for the browser to trust them, the customer needs to install the Private CA roots on each client device. This needs to be done once only. Once done, you won’t have to do it again. It’s super easy to install using Microsoft Group Policy. See our blog page for details.
Our customers use SecureNT Intranet SSL certificates for internal web applications like ERP, Email, HRMS, CRM, Service Desk, Analytics, etc. These are very critical applications for their business. So, thanks to our certificates, important data flowing on the internal networks is encrypted, and their data is protected from hackers and employees with wrong intentions.