Digicertutil Exe



  • Filenames is a list of files to be code signed. To specify more than one file, separate each filename or file path with the asterisk character. Enclose the file path in quotes if it contains spaces. Example: DigiCertUtil.exe sign /kernelDriverSigning 'example.exe.driver.sys'.
  • On the Lync Front End server download DigiCertUtil.exe and save the application anywhere on the server. This package is the actual application and not an installation package so just drop it on the desktop for quick access.

---Current as of Sept. 15, 2014---

After spending countless hours trying to make heads or tails of all of the various tutorials online, I decided to put together my own so that I can hopefully save at least one person from going grey too early.

NOTES:
- This is very possibly not the 'correct' way to do it, but it works. I'm definitely open to editing this post if someone can provide a better way, but for right now, these steps will get you going.
- This will not force the user to HTTPS, so if someone browses to the non-HTTPS version, they will see the non-HTTPS version. I leave it as an exercise for the user to determine his or her best way to force it. For posterity's sake, since I know someone will ask: I have my non-HTTPS SpiceWorks port set to something random [3958 or something] on the 'Listen ....' line right at the top of the 'C:\Program Files (x86)\Spiceworks\httpd\conf\httpd.conf' file, and I have an empty IIS7 site set up that only listens on port 80; under its 'HTTP Redirect' section, I have 'Redirect direct requests to this destination' - 'http:///portal' and 'Redirect all requests to exact destination (instead of relative to destination)' checked.

7 Steps total

The DigiCert Certificate Utility for Windows is an invaluable tool for anyone that manages SSL and Code Signing Certificates. It provides features like automatic CSR creation and SSL Certificate installation, easy code signing, and certificate troubleshooting and management.

Step 1: Create a Certificate Signing Request in IIS7

- Open IIS Manager (not 6.0)
- Select the top level server object on the left hand panel (usually listed right below 'Start Page')
- Under 'IIS' section, open 'Server Certificates'
- Choose 'Create Certificate Request' from the right hand panel
- Enter the server's hostname (the public hostname if this server will be internet-facing) in 'Common Name' and fill out the rest of the fields accurately as your Certificate Authority (e.g. GoDaddy) will be verifying that they are correct
- Click Next
- Change Bit Length to at least 2048 (4096 is preferred)
- Click Next
- Enter a path and file name to write the certificate request to (e.g. 'C:\Temp\CertificateRequest.csr')
- Click Finish

Step 2: Purchase cert using the certificate request generated in step 1

- If given the option (I know GoDaddy offers this), when downloading the approved certificate, choose the 'IIS7' format
- Download and extract the certificate from the CA


Step 3: Import purchased cert into IIS when approved

- Open IIS Manager (not 6.0)
- Select the top level server object on the left hand panel (usually listed right below 'Start Page')
- Under 'IIS' section, open 'Server Certificates'
- Choose 'Complete Certificate Request' from the right hand panel
- In the first field, browse to find the completed certificate that you downloaded from your CA (you may have to change the search to *.* rather than *.cer if your CA provided the file as a .crt file)
- In the 'Friendly Name' field, enter something like 'Spiceworks ' so you can differentiate it if you forget to delete the request from IIS when you're done.
- Click OK

Step 4: Export to .pfx format


- Right-click the certificate with the same 'Name' as the one you created in step 3 and export it to a file called 'tickets.pfx'. Choose a password to secure the certificate with, and place the file in 'C:\Program Files (x86)\Spiceworks\httpd\ssl'

Step 5: Stop Spiceworks service

Step 6: Open an administrator command prompt

Open an Administrator command prompt (right click 'Command Prompt' and Run As Administrator) and enter the following commands:
(When you are prompted for the import password, enter the password you created in step 4)

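cd "C:\Program Files (x86)\Spiceworks\bin"
rem Extract the private key; -nodes writes it to disk unencrypted
openssl.exe pkcs12 -in ..\httpd\ssl\tickets.pfx -nocerts -out ..\httpd\ssl\ssl-private-key.pem -nodes
rem Extract the server certificate only (no keys)
openssl.exe pkcs12 -in ..\httpd\ssl\tickets.pfx -clcerts -nokeys -out ..\httpd\ssl\ssl-cert.pem
rem Rewrite the key in RSA format, then print its components to the console
openssl.exe rsa -in ..\httpd\ssl\ssl-private-key.pem -out ..\httpd\ssl\ssl-private-key.pem
openssl.exe rsa -text -in ..\httpd\ssl\ssl-private-key.pem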
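
A check worth running on the two files from step 6 before restarting the service, added here as an example and not part of the original post: it confirms that ssl-cert.pem and ssl-private-key.pem carry the same public key and that the certificate file holds no private key. It is written for a POSIX shell and uses openssl subcommands that openssl.exe also accepts; the throwaway certificate, the password demo-only, the hostname helpdesk.example.test and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: sanity checks for the PEM files that step 6 produces.
# Assumes OpenSSL with the pkey subcommand on PATH; function names are this example's own.

# Public key (PEM) embedded in a certificate; fails if the file is missing or not a cert.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key (PEM) derived from a private key. The empty -passin supplies an empty
# passphrase, so an encrypted key fails instead of waiting at a prompt.
key_pubkey() { openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null; }

# 0 = certificate and key are a pair, 1 = mismatch, 2 = a file could not be parsed.
pair_matches() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the file is readable and contains no private key block (catches a forgotten -nokeys).
cert_is_key_free() { [ -r "$1" ] && ! grep -q 'PRIVATE KEY-----' "$1"; }

# Build constructed sample files the way the page does: a PFX named tickets.pfx,
# split with the step 6 commands, plus an unrelated key for the mismatch case.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=helpdesk.example.test" \
        -keyout "$d/orig.key" -out "$d/orig.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$d/orig.key" -in "$d/orig.crt" \
        -out "$d/tickets.pfx" -passout pass:demo-only || return 1
    openssl pkcs12 -in "$d/tickets.pfx" -nocerts -nodes -passin pass:demo-only \
        -out "$d/ssl-private-key.pem" 2>/dev/null || return 1
    openssl pkcs12 -in "$d/tickets.pfx" -clcerts -nokeys -passin pass:demo-only \
        -out "$d/ssl-cert.pem" 2>/dev/null || return 1
    openssl genrsa -out "$d/other-key.pem" 2048 2>/dev/null || return 1
    echo "$d"
}

# Demo on throwaway files only; nothing here touches a real key.
if demo=$(make_demo); then
    pair_matches "$demo/ssl-cert.pem" "$demo/ssl-private-key.pem" && echo "pair: match"
    pair_matches "$demo/ssl-cert.pem" "$demo/other-key.pem" || echo "other key: rejected ($?)"
    rm -rf "$demo"
fi
```

Against a real install, call pair_matches and cert_is_key_free with the paths of the two .pem files written in step 6.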

Step 7: Restart Spiceworks service

- SpiceWorks may take longer than normal to start, using a full core for up to 5 minutes. As far as I can tell, it's just loading the cert, and once those 5-ish minutes (on an Intel Core i7-3620CM CPU) are up, it goes back to normal.


You should now see your purchased certificate when you browse to the SSL-ified URL of your SpiceWorks install!


15 Comments

  • Cayenne
    Stephan S Jan 21, 2015 at 12:09am

    Worked for me! I, too, had spent some time looking for recent how-to's. Thanks for sharing!

  • Anaheim
    Tim Jeffries May 15, 2015 at 05:00pm

    Install the OpenSSL light and C++ Redistributables on your PC if you're having issues with Server 2012 R2 like I was.
    These commands finally worked. I put the PFX in the OpenSSL bin folder to simplify things. Way more work and research than should have been needed...
    I got the PFX by exporting the cert in PFX format including private key. In my scenario I used the digicertutil.exe to export.
    Digicert is the best.

    C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -in tickets.pfx -nocerts -out ssl-private-key.pem -nodes
    Enter Import Password:
    MAC verified OK

    C:\OpenSSL-Win32\bin>openssl.exe pkcs12 -in tickets.pfx -clcerts -nokeys -out ssl-cert.pem
    Enter Import Password:
    MAC verified OK

    C:\OpenSSL-Win32\bin>openssl.exe rsa -in ssl-private-key.pem -out ssl-private-key.pem
    writing RSA key

    C:\OpenSSL-Win32\bin>openssl.exe rsa -text -in ssl-private-key.pem

  • Anaheim
    ProTranslatingFrank Jan 11, 2016 at 07:20pm

    After the configuration is done, I get this error:

    This page can’t be displayed

    Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, contact your site administrator.

    I'm on Windows Server 2008 R2

  • Jalapeno
    mtuma5672 Jan 13, 2016 at 05:09pm

    I'm getting the same error. What did we do wrong?

  • Jalapeno
    1ronman Feb 23, 2016 at 11:35pm

    Very good article, this post worked very well for me.

  • Sonora
    Turd_Ferguson Mar 23, 2016 at 03:25pm

    Had to perform these steps on a PC instead of the server (much like @Tim Jeffries said), then copy the created .pem files to the C:\Program Files (x86)\Spiceworks\bin folder. On the server I kept receiving an error - 'WARNING: can't open config file: E:sw-platform7.5-6export/ssl/openssl.cnf writing RSA key'. I don't even have an E: drive!

  • Pimiento
    Daviker Ltd Apr 15, 2016 at 06:21pm

    Hey Turd, I'm getting the same thing. Did you resolve it?

  • Sonora
    MikeBerry Apr 21, 2016 at 12:18pm

    Same problem here. Any joy? It seems to be since the last update of Spiceworks...

  • Anaheim
    charleslatham May 30, 2016 at 08:21pm

    I got the same errors (Server 2012) but it still worked for me. Don't forget to not use the internal port (9675) -- instead use 9676 and be sure to use your FQDN instead of anything internal.

  • Serrano
    xannash Aug 19, 2016 at 04:56pm

    With the errors it still worked for me but it did not work on all browsers (looking at you Firefox)...

    So to add to this:
    The intermediate certificate is also needed for some browsers to work. In order to do this you will need to have downloaded the Apache version from GoDaddy also, and copy the gd_bundle-g2-g1.crt into the C:\Program Files (x86)\spiceworks\httpd\ssl folder.

    Then edit C:\Program Files (x86)\Spiceworks\httpd\conf\httpd.conf
    Find this line at the bottom of the file:
    SSLCertificateKeyFile 'ssl/ssl-private-key.pem'

    Directly under it type the following:
    SSLCertificateChainFile 'ssl/gd_bundle-g2-g1.crt'

    Save (you may have to save it to another location and then copy and replace it) and restart the service.

  • Anaheim
    JohnPass Sep 14, 2016 at 02:04pm

    Thanks for the assistance, this worked great for me once I knew to do this on my local machine rather than the server (Server 2012 R2 does not play ball as you say).

  • Pimiento
    Dr. Ashley Jan 26, 2017 at 06:51pm

    Thank you! I had an existing wildcard cert so I started at step 4 after exporting it from a different Windows 2012 server as mydomain.pfx, then I simply replaced the old cert file in C:\Program Files (x86)\Spiceworks\httpd\ssl (which was also named mydomain.pfx) and ran the commands.

  • Pimiento
    dillonalexander Jul 31, 2018 at 12:58pm

    I know this is old, but I need some help on this. I followed the directions above, but the certificate isn't taking effect. Spiceworks still shows as not secure.

  • Datil
    jonahzona Nov 27, 2018 at 11:28pm

    Thank you for this. I really don't understand why CAs don't allow you to download the certs in the format you need. I have spent countless hours using openssl and this one was giving me fits. Your tutorial worked perfectly.

    Thanks.

  • Sonora
    gloayza Feb 14, 2019 at 03:03pm

    This feels a little hack-y to me, dropping your own cert right in the program files like that, but it works and I'm now using a legitimate cert signed by my AD CA.
    Thanks so much!


  1. IBM Watson IoT Platform: Creating Your CSR with the DigiCert Utility

    The DigiCert® Certificate Utility for Windows streamlines the CSR creation process enabling you to generate the CSR with just one click.

    1. On your Windows workstation, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).
    2. Run the DigiCert Certificate Utility.
      Double-click DigiCertUtil.
    3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), and then, click Create CSR.
    4. On the Create CSR page, enter the following information:
      • Certificate Type: Select SSL.
      • Common Name: Enter the fully qualified domain name (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com).
      • Subject Alternative Names: N/A (Multi-domain certificates are not supported yet.)
      • Organization: Type your company’s legally registered name (e.g., YourCompany, Inc.).
      • Department: (Optional) Enter the department within your organization that you want to appear on the SSL certificate.
      • City: Type the city where your company is legally located.
      • State: In the drop-down list, select the state where your company is legally located.
        If your company is located outside the USA, you can type the applicable name in the box.
      • Country: In the drop-down list, select the country where your company is legally located.
      • Key Size: In the drop-down list, select 2048.
      • Provider: In the drop-down list, select Microsoft RSA SChannel Cryptographic Provider, unless you have a specific cryptographic provider.
    5. Click Generate.
    6. On The certificate request has been successfully created page, do one of the following, and then, click Close:
      • Click Copy CSR: Copies the certificate contents to the clipboard.
      • Click Save to File: Saves the CSR as a .txt file to the Windows workstation.
        We recommend that you use this option.
    7. Use a text editor (such as Notepad) to open the file. Then, copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
    8. After you receive your SSL certificate from DigiCert, you can install it.
  2. IBM Watson IoT Platform: Using the DigiCert Utility & IBM Watson Console to Install Your SSL Certificate

    If you have not yet used the DigiCert® Certificate Utility for Windows to create a CSR and ordered your certificate, see Step 1.

    After receiving your SSL certificate, you need to upload it to your IBM Watson IoT Platform account and configure your messaging server to use it.

    To install your IBM Watson Platform messaging server SSL certificate, you need to complete three tasks:

    i. Import your SSL certificate to your Windows workstation using the DigiCert® Certificate Utility for Windows.

    ii. Export the SSL certificate in Apache compatible format (separate .key and .crt files) using the DigiCert® Certificate Utility for Windows.

    iii. Upload and implement your messaging server SSL certificate using the IBM Watson IoT Platform Management Console.

    i. How to Import Your SSL Certificate Using the DigiCert Certificate Utility

    After we validate and issue your SSL certificate, you can use the DigiCert® Certificate Utility for Windows to import the file to your Windows workstation.

    1. On the Windows workstation where you created the CSR, save the SSL certificate .cer file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.cer) that DigiCert sent to you.

    2. Run the DigiCert® Certificate Utility for Windows.
      Double-click DigiCertUtil.

    3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Import.

    4. In the Certificate Import window, under File Name, click Browse to browse to the .cer (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.cer) certificate file that DigiCert sent you, select the file, click Open, and then click Next.
    5. In the Enter a new friendly name or you can accept the default box, enter a friendly name for the certificate. The friendly name is not part of the certificate; instead, it is used to identify the certificate.
      We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-DigiCert-expirationDate. This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
    6. To Import the SSL certificate to your Windows workstation, click Finish.
      You should receive a message that the certificate was successfully imported.

    7. You should now see your SSL certificate in the DigiCert Certificate Utility for Windows©, under SSL Certificates.

    ii. How to Export Your SSL Certificate Using the DigiCert Certificate Utility

    To make an SSL connection, your server needs two parts, a private key file and the certificate file. Apache (and many other server types) separate these two certificate parts into separate .key and .crt files.

    1. Run the DigiCert® Certificate Utility for Windows.
      Double-click DigiCertUtil.

    2. In DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL certificate you want to export, and then click Export Certificate.

    3. In the Certificate Export wizard, select b, select key file (Apache compatible format), and then click Next.
    4. In the File name box, click to browse for and select the location and file name where you want to save the certificate .key file, and then click Finish.
      This creates the following files. You will need to upload the private key and server certificate to your account using your Watson IoT Platform Management Console.

      • Private Key: <org_id>_messaging_internetofthings_ibmcloud_com.key
      • Server Certificate: <org_id>_messaging_internetofthings_ibmcloud_com.crt
    5. After you receive the “Your certificate and key have been successfully exported” message, click OK.

    iii. IBM Watson IoT Platform: Installing Your SSL Certificate

    Once you have the private key and certificate files, you can upload them to your IBM Watson IoT Platform account and configure your messaging server to use the SSL certificate.

    1. In a browser, open and log into the IBM Watson IoT Platform account.
    2. On the All Boards page, in the sidebar menu on the left, click Settings (gear icon).
    3. On the General Settings page, in the menu in the left pane, under Security, click Messaging Server Certificates.
    4. Add SSL Certificate and Private Key
      a. In the Messaging Server Certificates section, click + Add Certificate.
      b. Upload SSL Certificate
      In the Upload certificate window, next to Certificate File, click Select a file and then locate and select your server certificate .crt file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.crt).

      c. Upload Private Key
      Next to Private Key, click Select a file and then locate and select your private key file (e.g., <org_id>_messaging_internetofthings_ibmcloud_com.key).
      d. Once the certificate and private key are uploaded, click Save.
    5. On the Security page, in the Messaging Server Certificates section, in the Currently Active Certificate drop-down list, select your newly uploaded SSL certificate.
    6. In the Confirmation window, click Confirm to designate your new SSL certificate as the active certificate.
    7. Check SSL Certificate
      a. Open a browser and go to https://www.digicert.com/help/.
      b. On the DigiCert® SSL Installation Diagnostics Tool page, in the Server Address box, type your fully qualified domain name (FQDN) (e.g., <org_id>.messaging.internetofthings.ibmcloud.com) and then click Check Server.
      c. Once the tool displays your results, verify that the certificate details match your certificate and what you expected to see.
      For example, you can compare certificate attributes such as the serial number, common name, issuer, and expiration date.
    8. Congratulations! You have successfully installed and configured your SSL certificate for your messaging server.