LetsEncrypt with ServiceDeskPlus

I thought I had typed this up at one point, but apparently I can’t find it on the blog. Here are the steps I take to install and renew SSL certificates for ServiceDeskPlus MSP using LetsEncrypt. I’ve adapted these notes for public consumption.

My environment is a Windows Server that hosts the SDP MSP instance.

On the SDP MSP host, generate a certificate. I am using Certbot Win32 on the Windows host.

certbot certonly --standalone -d servicedesk.example.com

The generated certificate files will be in: C:\certbot\archive\servicedesk.example.com

Create PFX for import into ServiceDeskPlus MSP

Copy privkeyX.pem, certX.pem and chainX.pem from the above directory to a machine that has the OpenSSL tools installed (most Linux distributions).

NOTE: Where X is the number in iteration; at the time of this documentation it is 2.

Issue the following command to generate a PFX, specifying the passphrase to use.

  • Linux with OpenSSL package installed:

    openssl pkcs12 -export -out certificate.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem

  • Windows host with OpenSSL 32/64 installed:

    "\openssl\bin\openssl.exe" pkcs12 -export -out certificate.pfx -inkey privkey2.pem -in cert2.pem -certfile chain2.pem -password pass:PASSPHRASEHERE

Prepare the Certificate for Import into SDP MSP

Copy the certificate.pfx file to your computer.

Update ServiceDeskPlus MSP

  1. Log into ServiceDeskPlus MSP web. Go to Admin. Search for SSL (it will load the Import SSL Certificate).
  2. Select the generated certificate.pfx on the webpage, providing the passphrase set above.
  3. Once imported successfully, you must restart ServiceDeskPlus MSP. This can be done on the Windows server in Services.

Error Importing?

NOTE: The Java version of SDP MSP appears to not support the algorithm used to create the certificate when I try to import via the SDP MSP web admin interface. I get the following error in the log dump:

Invalid KeySpec: unknown PRF algorithm 1.2.840.113549.2.9

So the workaround is to import the certificate.pfx that was just created into the computer’s Personal store, then export it using TripleDES-SHA1 encryption.

Import:

  1. Double click the certificate.pfx file which launches an import certificate wizard.
  2. Click the Local Machine and click Next.
  3. Check the file location of the certificate and press Next.
  4. Enter the Password and enable “Mark this key as exportable” and press Next.
  5. Choose the appropriate certificate store, in this example the personal certificate store is chosen. After that, press Next.
  6. Click Finish to complete the import.

Export:

  1. Launch Microsoft Management Console. Press Win+R, type in mmc and press OK.
  2. Click File and select the Add/Remove Snap-in option.
  3. Click on Certificates in the list of Available snap-ins and then, on the Add button.
  4. Select Computer account and click Next.
  5. Choose Local Computer and click on the Finish button.
  6. Click OK to add the certificate snap-in and get back to console.
  7. Expand the Personal store in the left-side menu, and choose Certificates. Right-click on the certificate you want to export and choose All Tasks > Export.
  8. This will run the Certificate Export Wizard.
  9. If the radio button ‘Yes, export the private key’ is grayed out, it means that either the private key was not marked as exportable during the certificate request generation, or that you do not have the corresponding private key on the machine you are using.
    • Note: if you used IIS Manager certificate request wizard to generate the CSR code, the private key will be marked as exportable by default. If the option is grayed out, you will not be able to create a PFX file, only export the certificate without the private key. To be able to export the certificate to another machine, you will need to create a new CSR code marking the private key as exportable and perform a certificate reissue. Otherwise, you can generate a new CSR code for the same common name on the new machine and import the certificate to it after the reissue is completed.
  10. If you can export the private key, proceed to the next stage. The window Export File Format will have the format Personal Information Exchange – PKCS #12 (.PFX) selected. Please check Include all certificates in the certification path if possible to have the certificate exported with the chain of intermediate CA certificates into a .pfx file. Then click Next.
    • Note: do not choose ‘Delete the private key if the export is successful’.
  11. Type and confirm password on the next window and click Next. Make sure you remember the password; it will be used later during the import of a .pfx file to a new server.
    • Note: The encryption method used for the password has to be ‘TripleDES’. Also, the password should not contain the symbol ‘&’.
  12. In the File to Export window select the name and location of the .pfx file to which the certificate and private key will be exported.
  13. Click Finish to complete the export wizard. The certificate has been successfully exported.

Update ServiceDeskPlus MSP:

  1. Log into ServiceDeskPlus MSP web. Go to Admin. Search for SSL (it will load the Import SSL Certificate).
  2. Select the generated certificate.pfx on the webpage, providing the passphrase set above.
  3. Once imported successfully, you must restart ServiceDeskPlus MSP. This can be done on the Windows server in Services.
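
The OID in the error above, 1.2.840.113549.2.9, is hmacWithSHA256, the PBKDF2 PRF that OpenSSL 3.x writes into a PFX by default. The script below is an added example, not part of the original notes and not tested against SDP MSP: it shows how to check which algorithms a PFX uses and how to ask OpenSSL for TripleDES-SHA1 directly. The throwaway certificate, file names and passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example. PASS and all file names are placeholders; the certificate is a
# constructed self-signed stand-in for the Let's Encrypt files.
# pass: is used to match the post; file: or env: keeps the secret out of `ps`.
PASS='PASSPHRASEHERE'

make_test_cert() {      # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=servicedesk.example.com" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# PFX with this OpenSSL build's defaults (3.x: PBES2/AES-256, SHA-256 PRF and MAC).
export_default() {      # $1 = working directory
    openssl pkcs12 -export -out "$1/default.pfx" -inkey "$1/privkey.pem" \
        -in "$1/cert.pem" -password "pass:$PASS"
}

# PFX pinned to 3DES for key and certificate bags and a SHA-1 MAC.
export_3des_sha1() {    # $1 = working directory
    openssl pkcs12 -export -out "$1/compat.pfx" -inkey "$1/privkey.pem" \
        -in "$1/cert.pem" -password "pass:$PASS" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Algorithm summary only; -noout keeps keys and certificates off the terminal.
pfx_algorithms() {      # $1 = PFX file
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$PASS" 2>&1
}

# Classify a PFX as "sha256" (the kind the import rejected), "3des-sha1" or "other".
pfx_profile() {         # $1 = PFX file
    case "$(pfx_algorithms "$1")" in
        *PBES2*|*hmacWithSHA256*|*"MAC: sha256"*) echo "sha256" ;;
        *RC2*) echo "other" ;;
        *pbeWithSHA1And3-KeyTripleDES-CBC*) echo "3des-sha1" ;;
        *) echo "other" ;;
    esac
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d) && make_test_cert "$d" && export_default "$d" && export_3des_sha1 "$d"
    echo "default.pfx: $(pfx_profile "$d/default.pfx")"
    echo "compat.pfx:  $(pfx_profile "$d/compat.pfx")"
    rm -rf "$d"
fi
```

Run it with `demo` as the first argument to compare both outputs. With the real files, add `-certfile chainX.pem` to the export so the intermediate chain is included, as in the commands earlier in the post.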

Other Thoughts

I think I can take advantage of certutil on Windows to import/export the certificate to avoid a lot of manual work. I know I can import the certificate easily, just haven’t tinkered with exporting it to meet the requirements of SDP MSP.

Something like this will import: certutil -f -p PASSPHRASE -importpfx certificate.pfx

Published by

Rich

Just another IT guy.
