KB: Creating a new SSL Certificate for the Web Interface
To configure RangerMSP with SSL you need to be using Microsoft IIS as the back end Web server for the Web interface.
Then - install and configure your SSL certificates in Microsoft IIS.
RangerMSP version 9, and above, are required in order to use Microsoft IIS with RangerMSP Web interface.
>>> Continue here: Using Microsoft IIS as the Web Server for the Web Interface
THE FOLLOWING ARE THE OLD INSTRUCTIONS RELATED TO RangerMSP version 8 (or below). THIS OLD METHOD MIGHT BE EXPOSED TO VULNERABILITIES DISCOVERED IN THE SSL3 PROTOCOL AND SHOULD NOT BE USED ANYMORE. Instead - Use RangerMSP version 9, or above, together with Microsoft IIS as its back end Web server.
Introduction
When using SSL with the RangerMSP Web Interface, you need to provide the Web Interface with a predefined SSL Certificate, which the server needs in order to encrypt the Web Interface traffic. Businesses which already have SSL Certificates created for their company by a Certificate Authority, and these businesses do not need to go through the hassle of issuing a new certificate, they can simply import the existing certificate on hand, by using these instructions.
However, if you have never issued an SSL certificate, then this article will walk you through the process of creating your first SSL Data Encryption Certificate.
How to create your SSL certificate
Contributed by: Luke Popejoy
Note that in the instructions, anything in [] should be replaced with your own variables.
To get an SSL Cert on RangerMSP Web Interface:
Download OpenSSL
1) Download openssl.exe from here. Save it in a folder on your desktop.
Create OpenSSL Config
2) Create a custom config file for openssl and save it in the save directory openssl.exe is in. Instructions on doing that displayed in step 4. Maybe there's an easier way but that is the only way I could figure out.
Create CSR Request
3) Open a command prompt and "cd" to the directory openssl is in. Run this command:
openssl req -new -newkey rsa:2048 -nodes -out FQDN.csr -keyout Key.key -subj "/C=[COUNTRY ABREVIATION HERE]/ST=[2 DIGIT STATE
ABBRIATION HERE]/L=[CITY HERE]/O=[ORGANIZATION NAME HERE]/CN=[FULLY QUALIFIED DOMAIN NAME HERE]" -config "opensslconf.cnf"
Where opensslconf.cnf is the path to the config file you created in step 2. This will create the csr request to give to your Certificate Authority. Take note of the file that is created called Key.key. You are going to need this.
Submit CSR Request to CA
4) Submit the CSR to your Certificate Authority and then you should get the certificate back. Mine came in a *.crt format. This will have to be converted.
Convert Certificate to .PEM
5) Convert the certificate from a *.crt format to a *.pem format that RangerMSP needs. Run this command:
openssl x509 -in [PATH TO CERT FROM CA].crt -out input.der -outform DER
And this command:
openssl x509 -in input.der -inform DER -out Cert.pem -outform PEM
Export Root SSL Certificate
6) You now have the Key.pem (created in step 3) and the Cert.pem (created in step 5). Last we need the Root.pem. To get that, go to Internet Explorer -> Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certifcation Authorities Tab. Find the CA in the list from whom you purchased your Cert. In my case, it was Godaddy. Click on their name, and Click Export. Export as a Base-64 encoded X.509. Save the file with your other PEM files. Now go rename that file to Root.pem.
Import files into RangerMSP
7) Save Root.pem, Key.pem, Cert.pem in your RangerMSPdir\Webinterface folder. Go to CRMWebInterface.ini, and change the SSL Port to whatever you want and Set SSL Required to Y.
Restart RangerMSP to Finalize This Process
8) Restart the RangerMSP web interface service on your server and you should have SSL. You will need to connect to:
https:\\[fqdn]:[ssl port]
Done!!! All that's left to do is to test the SSL connection by using a web browser. If you have questions after reading this article, please contact RangerMSP Support.
How to convert .PFX to .PEM
If you have a .pfx file, for example the type you get when exporting a private key from IIS, you can convert it to .pem format using openssl like so:
To extract the private key from a pfx file and write it to pem file:
openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
To extract the certificate file (the signed public key) from the pfx file:
openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out publicCert.pem
To remove the password from the private key file:
openssl.exe rsa -in privateKey.pem -out private.pem
You will need to do this to avoid being asked for the password on every access.
Credit to Cycure: Tips : Using openssl to extract private key ( .pem file) from .pfx (Personal Information Exchange)