Custom SSL Certificate

IMPORTANT:

To try and make the filenames below a little easier to work with, they were changed in version 8.5. If you are using version 8.4 or older, click the Show Older Names button below to show the filenames that apply to your software version.

Show Newer Names Show Older Names

Documentation currently showing: Showing v8.4 and older filenames

File Type	New Name	Old Name
Private Key	SSL_PRIVATE_KEY.pem	CLIENT_PRIVATE.pem
SSL Certificate	SSL_CERT.pem	SIGNED_CLIENT_CERT.pem

Starting with version 9.4, you can optionally rename the two files above to something else to fit your process better. Set the new file names in the registry at:
HKEY_LOCAL_MACHINE\software\PAStorageMonitor
values SSL_CERT_NAME and SSL_PRIVATE_KEY_NAME

Those registry entries will need to be created, and they should only be set to the new filename, not the full path. For example:
SSL_CERT_NAME = myCert.pem
SSL_PRIVATE_KEY_NAME = myCert.key

To revert back to the old filenames, just delete those two registry entries. Any time these registry entries are changed, the monitoring service needs to be restarted.

PA Storage Monitor can use your own SSL certificate instead of the default self-signed certificate.

If at any time there are any problems with certificates, you can run the C:\Program Files\PA Storage Monitor\CA\000_RESET_CERTIFICATES.cmd file (run as an administrator), and then restart the service. New certificates will be created. If things are really messed up, you can delete the C:\Program Files\PA Storage Monitor\CA folder completely and restart the service to create a new CA folder.

Note that although the commands are shown on multiple lines, this is simply because there isn't space to show the full command one on line. But the text in the command boxes below should be run as a single command.

Sections of this document:

Use your own existing certificate
Create your own new certificate
Use ACME (Let's Encrypt, etc)

Use your own existing certificate

You will need to get your certificate into PEM format if it isn't already. There are a number of utilities that can do this that you can find on the Internet. Try searching for something like 'convert {your cert type} to PEM'. Note that .pem, .crt, .cer, and .key are often used interchangably. If you look at the file with a text editor and see readable text, you have a .pem file.

For example, to convert a .PFX file using OpenSSL (which is in the C:\Program Files\PA Storage Monitor folder) run the following:

Tell OpenSSL where to find its configuration file (do NOT use quotes, even if there are spaces in the path):

set OPENSSL_CONF=C:\Program Files\PA Storage Monitor\CA\openssl.cnf

The conversion command:

"C:\Program Files\PA Storage Monitor\openssl.exe" pkcs12 -in "C:\My Files\myCert.pfx" -passin pass:current-pfx-password -out "C:\My Files\myNewCert.pem" -passout pass:new-pem-password

current-pfx-password above is the current private key password for the .pfx file, and new-pem-password is the private key password for the output pem file.

Look at the resulting .pem file in a text editor -- you'll see there are two sections. Split this into two separate files, like below:
CLIENT_PRIVATE.pem file contents:

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIFDjBABgkfhkiG9w0BBQgwMzAbBgkqh1iG9w0BBQwwDgQIvSKYYbDSkPICAggA
... many more lines like those above ...
4pvqu3DGh93oIV7YlC1Gn4BY/2jVd2F1NxRjIxvDsllhDvvFFMUWC41Xc5pZ6d9U
pyY=
-----END ENCRYPTED PRIVATE KEY-----

SIGNED_CLIENT_CERT.pem file contents:

-----BEGIN CERTIFICATE-----
MIIFPzCCBCFgAwIBAgIS3SGXUxVkgYN9r5PZvhFNF148MA0GCSqGSIb3DQ5BBQUA
... many more lines like those above ...
ITywFF+LW4hdG5TYw2smJmbBgkfbW7nusufXAzg7I0E5z2HyxRmLm+Eees4J00mo
f6jn
-----END CERTIFICATE-----

You don't need the other lines that are in the file.

IMPORTANT: if your .pem file does not have a PRIVATE KEY section, then you must already have the private key in another file somewhere else - you must find that file and get it into pem format. The private key is created when the CSR (Certificate Signing Request) was initially sent to the certificate vendor (Verisign, GlobalSign, etc). It CANNOT be generated later - the private key and the certificate are a matched set.
If you want to include a full certificate chain in SIGNED_CLIENT_CERT.pem, make sure that:
- The certifcates are listed in the order of Application Certificate, Intermediate Certificate(s), Root Certificate (possibly the reverse of what is in the original .pem file)
- There needs to be a blank line between each --END CERTIFICATE-- and --BEGIN CERTIFICATE-- section
Thank you Martin for these tips :)
Save the certificate's private key file to
C:\Program Files\PA Storage Monitor\CA\CLIENT_PRIVATE.pem
Save the SSL certificate to
C:\Program Files\PA Storage Monitor\CA\SIGNED_CLIENT_CERT.pem
PA Storage Monitor will need to know the password for the private key. You can specify this by running the following command:

"C:\Program Files\PA Storage Monitor\diag.exe" /SETCONFIG=SSLCertPKPW:your-certificate-password

The above command will encrypt and store the password with a machine-specific key in the registry.

If you ever need to erase the password (such as if you delete the CA folder and go back to the self-signed certificate), run:

"C:\Program Files\PA Storage Monitor\diag.exe" /SETCONFIG=SSLCertPKPW:
Restart the PA Storage Monitor service and it will now be using your SSL certificate.

Create your own new certificate

Go to the C:\Program Files\PA Storage Monitor\CA folder
Create a folder inside CA named NewCert.
Copy Client.cnf from CA into NewCert
Open NewCert\Client.cnf in a text editor. Go to the PACA_dn section near the bottom and edit the values as you like (C=Country, ST=State/Province, L=City).

If you want to change the private key file's password, change the entries on the lines for input_password and output_password.

Change the CN value to the hostname of your server. Some SSL certificate providers expect to see a dot in the name, so the public name of your server would best (something like monitor.mydomain.com).

Note that depending on the SSL provider that you use, the subjectAltName field might be ignored which is where additional machine names are mentioned.
Open a command prompt and change directory to
C:\Program Files\PA Storage Monitor\CA\NewCert
Run the following to tell OpenSSL where to find your configuration file (do NOT use quotes, even if there are spaces in the path):
set OPENSSL_CONF=C:\Program Files\PA Storage Monitor\CA\NewCert\client.cnf

Then run the following to actually create the Certificate Signing Request file (also known as a CSR file). DO use quotes if there are spaces in the path: (note the below is all on one line)
"C:\Program Files\PA Storage Monitor\openssl.exe" req -newkey rsa:2048 -keyout "C:\Program Files\PA Storage Monitor\CA\NewCert\CLIENT_PRIVATE.pem" -keyform PEM -out "C:\Program Files\PA Storage Monitor\CA\NewCert\SSL_CERT_CSR.csr" -outform PEM -rand "C:\Program Files\PA Storage Monitor\openssl.exe"
This will create two new files:
SSL_CERT_CSR.csr -- this is the Certificate Signing Request file that you will send/copy to the SSL certificate vendor (like Verisign, GlobalSign, etc)
CLIENT_PRIVATE.pem -- this is the private key file for this certificate. This file will need to remain on the server, but should be kept private.
To see what you are sending to the SSL provider, run:
"C:\Program Files\PA Storage Monitor\openssl.exe" req -in "C:\Program Files\PA Storage Monitor\CA\NewCert\SSL_CERT_CSR.csr" -noout -text
After sending SSL_CERT_CSR.csr to a certificate provider, you will get back a certificate file. Save the file (in PEM format) to:
C:\Program Files\PA Storage Monitor\CA\SIGNED_CLIENT_CERT.pem

If you want to include a full certificate chain in SIGNED_CLIENT_CERT.pem, make sure that:

The certifcates are listed in the order of Application Certificate, Intermediate Certificate(s), Root Certificate
There needs to be a blank line between each --END CERTIFICATE-- and --BEGIN CERTIFICATE-- section

Thank you Martin for these tips :)

When the above file is copied, also copy
C:\Program Files\PA Storage Monitor\CA\NewCert\CLIENT_PRIVATE.pem
into the CA folder.
PA Storage Monitor will need to know the password for the private key. This password can be found in the client.cnf file on the line with input_password. You can give PA Storage Monitor the password by running the following command:

"C:\Program Files\PA Storage Monitor\diag.exe" /SETCONFIG=SSLCertPKPW:private-key-pass-phrase

The above command will encrypt and store the password with a machine-specific key in the registry.
You can optionally delete the NewCert folder at this point.
Restart the PA Storage Monitor service and it will now be using your SSL certificate.

Use ACME (Let's Encrypt, etc)

Using ACME (Automatic Certificate Management Environment) is a great way to get real (not self-signed) certificates that can be automatically renewed and managed without needing manual steps. This is increasingly important as certificate expiration times keep getting shorter.

The win-acme client is an easy to use method of automating certificate management. The steps to use are outside of the scope of this document (see the win-acme website - it's well documented), but there are a few key steps for easy integration with PA Storage Monitor. You may need to create the certificate with "full options" to get to some of these options.

When asked about where to store the certificate it's important to choose PEM encoded files.

Choose to save the certificates in the PA Storage Monitor CA folder:
C:\Program Files\PA Storage Monitor\CA

Make sure to give the private key a password. You'll need it in a step below.

For this example, let's assume you created a certificate for www.myserver.com. You will end up with these files in the CA folder:

To tell PA Storage Monitor the name of the certificate and private key filename, use RegEdit to change the SSL_CERT_NAME and SSL_PRIVATE_KEY_NAME values under HKEY_LOCAL_MACHINE\software\PAStorageMonitor. Use the 'chain' and the private key filenames respectively.