Creating SSL certificates for Mindbreeze Client in Windows
Last update: 14 January 2021 (cf, ck)
Summary
In a default Mindbreeze installation, a self-signed SSL web server certificate is issued for use by the Mindbreeze Client Service. On the client web browsers, this may bring up security warnings about the untrusted or insecure certificate.
In an enterprise environment with its own public-key infrastructure (PKI), we recommend using an SSL certificate issued by your own PKI for the Mindbreeze Client Service.
Please note: If you import an SSL certificate issued by a Windows PKI, Mindbreeze may misinterpret the certificate as a CA certificate instead of an SSL (server) certificate. This is caused by the missing certificate field "Basic Constraints", which Mindbreeze uses to identify an SSL certificate. This guide shows how to create a certificate that includes this field.
Hint: For creating certificates for the communication/authentication between Fabasoft Folio and Mindbreeze Enterprise, please see the article "Renew trusted peer certificates (Folio/Mindbreeze)".
Information
The Mindbreeze Enterprise Client Service (the Mindbreeze web user interface) uses SSL encryption. The default self-signed certificate will not be trusted by your clients, so security warnings will appear. If you use an SSL certificate from your Windows Active Directory integrated PKI, your SSL certificate is issued by your own CA. Your CA is trusted automatically in your Active Directory domain, so no further security warnings will come up.
Solution
This guide refers to a Microsoft Windows 2008 PKI and consists of three steps:
- Creating a Certificate Template including the needed field "Basic Constraints".
- Creating and exporting the SSL certificate.
- Removing the passphrase with openssl.
Creating a Certificate Template
To understand the following steps, please read the following external guide first:
http://www.derekseaman.com/2012/05/how-to-create-custom-microsoft-ca-ssl.html
- Following the linked guide, create a certificate template by duplicating the default template "Web Server".
- Open the properties of the new template.
- On the Request Handling tab, enable "Allow private key to be exported".
- On the Extensions tab, edit the Basic Constraints extension and check "Enable this extension".
- Commit the template changes by clicking OK.
Creating and exporting the SSL certificate
See the section "Request new certificate" in the (same) article:
http://www.derekseaman.com/2012/05/how-to-create-custom-microsoft-ca-ssl.html
- Following the linked guide, create a certificate request in the MMC Certificates snap-in.
- Use the new certificate template created above.
- Edit the certificate request properties. On the Subject tab, you have to set at least a Common name (the value usually is the FQDN of your server).
- After you have enrolled the certificate, you can export it from the "Personal" certificate store. Use the option "Yes, export the private key" and enter a temporary passphrase.
- Copy the generated .pfx file to your Mindbreeze server.
Removing the passphrase with openssl
The generated .pfx file has a passphrase set, but Mindbreeze requires a certificate without passphrase. Therefore, with openssl the .pfx file needs to be converted to a .p12 file without passphrase:
- Open a command prompt on your Mindbreeze server (where the Fabasoft Mindbreeze Integration is installed).
- Change to the directory C:\Program Files\Fabasoft\Components\MindbreezeIntegration (where openssl is located by default).
- Run the following commands:
  openssl pkcs12 -in <filename>.pfx -nodes -out <filename>.pem
  (enter the passphrase you defined at creation time)
  openssl pkcs12 -export -in <filename>.pem -out <filename>.p12
  (do not set a passphrase during the export)
- The exported .p12 certificate can be imported in the Mindbreeze Management under the Certificates tab and assigned to a Client Service.
Please note: The MindbreezeIntegration directory also contains the default self-signed certificates. Make sure you import the certificate files created by your openssl calls, not the self-signed ones.
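The following script is an added example and not part of this article or of the Mindbreeze product. It runs the two openssl conversion commands above non-interactively on a throwaway certificate and then verifies the result before it would be imported: the .p12 opens without a passphrase, it still contains the private key, and the certificate carries the "Basic Constraints" extension with CA:FALSE (the field the note in the Summary says Mindbreeze relies on). It assumes the openssl command-line tool (1.1.1 or newer, for -addext) is on the PATH; the self-signed test certificate, the common name search.example.internal and the temporary passphrase are constructed stand-ins for the certificate exported from your Windows PKI. Replace the stand-in .pfx with your real export and the same check functions apply.

```shell
#!/bin/sh
# Added example (not Mindbreeze/Fabasoft code): exercise the .pfx -> .pem -> .p12
# conversion from the article on a test certificate and verify the outcome.
set -eu

WORK="$(mktemp -d)"
# Constructed stand-in for the temporary passphrase entered during the MMC export.
TEMP_PASS="temporary-export-passphrase"

# Stand-in for the PKI-issued certificate: a self-signed test certificate that
# carries Basic Constraints (CA:FALSE), as the customised "Web Server" template
# produces. Then package it as a passphrase-protected .pfx, like the MMC export.
make_test_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=search.example.internal" \
    -addext "basicConstraints=CA:FALSE" \
    -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/test.crt" -inkey "$WORK/test.key" \
    -out "$WORK/test.pfx" -passout "pass:$TEMP_PASS"
}

# The article's two commands, with the passphrases supplied via -passin/-passout
# instead of the interactive prompt. The second export uses an empty passphrase.
convert_pfx_to_p12() {
  openssl pkcs12 -in "$WORK/test.pfx" -nodes -out "$WORK/test.pem" \
    -passin "pass:$TEMP_PASS"
  openssl pkcs12 -export -in "$WORK/test.pem" -out "$WORK/test.p12" \
    -passout "pass:"
}

# Check 1: the bundle can be opened with an empty passphrase.
p12_opens_without_passphrase() {
  openssl pkcs12 -in "$WORK/test.p12" -passin "pass:" -nokeys \
    -out /dev/null 2>/dev/null
}

# Check 2: the private key survived the conversion (Mindbreeze needs it to serve TLS).
p12_contains_private_key() {
  openssl pkcs12 -in "$WORK/test.p12" -passin "pass:" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Check 3: the certificate has the Basic Constraints extension and is marked CA:FALSE,
# so it will be recognised as a server certificate rather than a CA certificate.
p12_cert_has_basic_constraints_not_ca() {
  openssl pkcs12 -in "$WORK/test.p12" -passin "pass:" -nokeys 2>/dev/null \
    | openssl x509 -noout -text \
    | grep -A1 "X509v3 Basic Constraints" | grep -q "CA:FALSE"
}

make_test_pfx
convert_pfx_to_p12
p12_opens_without_passphrase && echo "OK: .p12 opens without passphrase"
p12_contains_private_key && echo "OK: .p12 contains the private key"
p12_cert_has_basic_constraints_not_ca && echo "OK: certificate has Basic Constraints CA:FALSE"
echo "Converted bundle: $WORK/test.p12"
```

If the third check fails on a certificate exported from your own PKI, the template was not duplicated with the Basic Constraints extension enabled; re-issue the certificate from a corrected template rather than importing it, because Mindbreeze would treat it as a CA certificate.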
Applies to
- Mindbreeze Enterprise Client Service (all versions)