Terminal Service Plus

Hi, I am a bit frustrated with SSL certificate setup, spending several time only to be unable to to connect to Tsplus web server via SSL.

Documentation on how to request and install a SSL certificate should be more clear, expecially when using Tsplus web server.

Page http://www.terminalserviceplus.com/docs ... ertificate states that you need a temporary istance of IIS to create a CSR. At the end you need to import received certificate(s) so, at the bottom of that page a link send you to http://www.terminalserviceplus.com/docs ... te-manager, where that page explains how to use the Let's Encrypt infrastructure, that is a completely different SSL certificate setup.

Alternatively, the video tutorial at http://www.terminalserviceplus.com/video-tutorials.php under the label 'Security' suggest to use Portecle to create keypair, CSR and install the received SSL certificate.
The video suggest that, to generate the CSR, you should use the 'Export' function, that the private key and certificate are exported to CSR which is a text file, but sadly, using that function the resulting file is binary.
I instead used successfully the 'Generate Certification Request' right clicking over the keypair to generate the CSR, and the resulting file is really a text file.
Using that file, I received from certification authority the X.509 certificate containing all the certificates of the chain embedded in it.
Exported the intermediate and root certificates in X.509 format, imported all them in the store using Portecle's 'Import Trusted Certificate', saved the key store and restarted the Tsplus web server.

After doing this, I however cannot connect via https; Portecle's 'Examine SSL/TLS Connection' fail saying "javax.net.ssl.SSSPeerUnverifiedException: peer not authenticated"
So my questions are:

1) Can you outline the possible ways and steps to create keypair, CSR and installation of the received certificates, stating also where they should be installed, for the means of using native Tsplus webserver ?

2) Can you state if Portecle is sufficient to complete the SSL certificate setup workflow, if I must use only the cert.jks with the password 'secret' or there are other ways to configure the native Tsplus web server ?

3) Lastly, can you make the documentation more clear ?

Thank you.

Carlo

Hello,

http://support.tsplus.net/kb/faq.php?id=52
There you will find four different ways (A, B, C or D) how to convert and import already signed certificate from different formats (according to your actual situation)
So if you bought your certificate then one of these FAQs should definetively help you.

As password AdminTool GUI assumes "secret" for both, for private key and for key storage too, you may however edit webserver\runwebserver.bat in order to use own password (and set Read-only attribute to stop Tsplus to overwrite this file), but try firstly to get it working with default password "secret" before you continue with password experiments.

Thank you for the prompt response juwagn, but I am unluky.
Let me to recap what I have done:

- I operated only from Portecle
- Opened the cert.jks using 'secret' as password;
- Removed jwts item
- Clicked on Tools > 'Generate Key Pair', OK, filled all the fiels, OK,aaa, entered the Alias, for the password I don't used 'secret' but another password;
- Right clicked over the keypair and requested 'Generate Certification Request', saved it to a file .csr;
- Used the .csr file to request a (free) certificate from CA (GeoTrust): They send me only a .cer certificate (Pem Base64) whith all the embedded certificates (3 with mine);
- As suggested in Trouble shooting page, double-clicked over the received .cer and exported all three certificated in separate DER encoded binary X.509 cer files;
- Used the Portecle's 'Import Trusted Certificate' and imported all the previous exported cer files, starting from Root CA;
- Changed the keypair password to 'secret', otherwise in next step I get an "java.security.UnrecoverableException: Cannot recover key"
- Followed http://support.tsplus.net/kb/faq.php?id=52, A: Converting SSL certificate from *.pfx format to cert.jks, starting from step 3;
- Connecting to the site, Internet Explorer shows a Certificate Error, the certification path shows only my leaf certificate;

What have I done wrong?

Used the Portecle's 'Import Trusted Certificate' and imported all the previous exported cer files, starting from Root CA;

1. Could you please import all certificates into windows keystore, just export your private key to p12 format(PKCS#12) from cert.jks in Portecle and then install this p12 file, or skip this step if you originally got your key in windows acceptable format (as example pfx) but just install it in windows keystore.
(probably you may need to export not only private key but all intermedate certificates too, so if you got it in cert.jks then export these too in *.cer format)
2. then after installing your private key in step 1(i assume you marked this key as exportable while importing) start certmgr.msc and under "Personal" check your key under Certification Path if this key is accepted by windows as signed > "The certificate is OK"
3. if cert was OK, then export it with private key but mark "Include all certificates in the certification path if possible" and "Export all extended properties"
Afterwards continue with A: Converting SSL certificate from *.pfx format to cert.jks
http://support.tsplus.net/kb/faq.php?id=52

If by step 2 Windows displays that your keys is not trusted, then open new ticket here
http://support.tsplus.net/open.php?&lang=en_us
and tell your TeamViewer ID so we can go through this process together to see what is wrong.

With the promptly TsPlus help I resolved my issue.

My problem stemmed from the fact that after receiving the SSL certificate from Certification Authority, I imported all the certificates using Portecle's 'Tools > Import Trusted Certificate'.
For last certificate (the certificate issued to you), you MUST right click over your keypair and use the 'Import CA Reply' function to import your certificate!

Cheers.

Hello,

you MUST right click over your keypair and use the 'Import CA Reply' function to import your certificate!

Exactly, missed only this one small step therefore I have extended the FAQ
http://support.tsplus.net/kb/faq.php?id=52
E: How to import CA reply in cert.jks
It describes few pitfalls what could go wrong when importing CA reply. So you get all useful information from one place and common for all authorities.

I think that is more comfortable than trying to get over with documentation
http://www.terminalserviceplus.com/docs ... s-tutorial

Following what you added in E: How to import CA reply in cert.jks, I get the "java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded" in step 3 of A: Converting SSL certificate from *.pfx format to cert.jks .
This happen if the private key have a password different from secret. If the password is secret and I do the steps described in
E: followed by those in A:, all goes without a glitch.
Strange.