
How to import a trusted certificate for secure communication to Safetica server

Learn how to configure a trusted certificate for the OpenSSL communication on the Safetica server.

Introduction

By default, Safetica uses a self-signed certificate for communication between the Safetica server, Safetica Maintenance Console, and devices (Safetica Clients). While this setup is functional, it requires customers to implicitly trust the Safetica-signed certificate.

To enhance the security of the communication and only establish verified SSL connections, we also allow customers to import and use their own trusted certificate.

To secure the communication between the web browser and the new Safetica console, read this article.


Limitations

🍏macOS: for now, the option to import a trusted certificate is not available on macOS.


How to import and configure a trusted certificate

✍️Your certificate must be valid and signed by a recognized Certification Authority (CA).

There are 2 steps:

Step 1. Obtain a trusted certificate and import it into the Windows certificate store

Step 2. Configure the certificate in Safetica server registry


Step 1. Obtain and import a trusted certificate

You must obtain the certificate and ensure it is trusted within your domain:

  1. Generate a certificate including a private key. You can either use a Certification Authority (CA) or create a self-signed certificate.
  2. On Safetica server, import the certificate into the Windows certificate store and place it into the Personal folder.
  3. The import must be done for the computer (not the user).
  4. During import, configure the certificate as exportable.
  5. If you created a self-signed certificate:
    1. Export the certificate's public part (i.e., the certificate without the private key).
    2. On Safetica server and all devices with Safetica Client or Safetica Maintenance Console, import the certificate into the Trusted Root Certification Authorities folder. The import must be done for the computer (not the user).

    You can learn more in Microsoft documentation.


Step 2. Configure the certificate in Safetica server registry

❗After changing the registry keys, you must restart Safetica server.

1. Find the certificate thumbprint:
  1. In the Windows certificate store, go to the folder where the certificate is stored (Trusted Root Certification Authorities or Personal).
  2. Double-click the certificate.
  3. In the Details tab, click Thumbprint to display its full value.
  4. Copy the thumbprint value for use in the next step.
2. Configure the certificate in the registry:

Modify the following registry keys on the Safetica server:

  1. CertificateStore: Specifies the folder where the certificate is stored (MY if you imported the certificate into the Personal folder, or ROOT if you imported it into the Trusted Root Certification Authorities folder).
  2. CustomCertificate: Stores the certificate thumbprint. Copy your obtained thumbprint here.

You can change the keys via the Safetica Activity Monitor, which can be found in the Safetica Management Service installation folder on Safetica server:

1. Click Options > Server configuration.
2. Modify the keys CertificateStore and CustomCertificate.

Alternatively, create (or modify) the keys in the Registry Editor under HKEY_LOCAL_MACHINE\SOFTWARE\Safetica Technologies\Safetica Management Service.

If your server has a security client that protects its registry, turn it off before opening Registry Editor and creating or editing any registry keys.
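The following PowerShell script carries Step 2 through end to end on the Safetica server. It is an added example, not Safetica's own script: it looks up the certificate from Step 1 by thumbprint in the computer Personal (MY) or Trusted Root (ROOT) store, checks that it has a private key, is not expired, covers the server name and chains on this machine, and then writes CertificateStore and CustomCertificate under the registry path named above. The thumbprint and server name are constructed placeholders to be replaced; the script assumes the two registry values are plain strings (REG_SZ) and leaves the required server restart to the operator.

```powershell
# Added example, not Safetica's own script: locate the certificate from Step 1,
# check it is usable for TLS, and write the two registry values from Step 2.
# Assumed: CertificateStore and CustomCertificate are REG_SZ strings, and the
# operator restarts Safetica server afterwards.

# Change these values
$rawThumbprint = "3a 2f 1b 00 ..."   # constructed placeholder: paste the value from the Details tab
$serverAddress = "AZ-W11-Cert"       # name or address the Safetica Clients use to reach the server

$registryPath = "HKLM:\SOFTWARE\Safetica Technologies\Safetica Management Service"

# The Details tab copies the thumbprint with spaces and, on older Windows versions,
# an invisible left-to-right mark. Keep only hex digits; a SHA-1 thumbprint has 40.
$thumbprint = ($rawThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumbprint.Length -ne 40) {
    throw "Expected a 40-character SHA-1 thumbprint, got '$thumbprint'."
}

# Step 1 imports for the computer, so only LocalMachine stores are searched.
# Registry value MY = Personal folder, ROOT = Trusted Root Certification Authorities.
$storeFolders = [ordered]@{ MY = "My"; ROOT = "Root" }
$certificate = $null
$certificateStore = $null
foreach ($entry in $storeFolders.GetEnumerator()) {
    $candidate = Get-Item -Path "Cert:\LocalMachine\$($entry.Value)\$thumbprint" -ErrorAction SilentlyContinue
    if ($candidate) {
        $certificate = $candidate
        $certificateStore = $entry.Key
        break
    }
}
if (-not $certificate) {
    throw "No certificate with thumbprint $thumbprint in Cert:\LocalMachine\My or Cert:\LocalMachine\Root."
}

# The server needs the private key to terminate TLS; the public part alone is not enough.
if (-not $certificate.HasPrivateKey) {
    throw "Certificate $thumbprint has no private key in the computer store."
}
if ($certificate.NotAfter -le (Get-Date)) {
    throw "Certificate $thumbprint expired on $($certificate.NotAfter)."
}

# Warn if the address devices connect to is not covered by the CN or a DNS SAN.
$names = @($certificate.DnsNameList | ForEach-Object { $_.Unicode })
if ($names -notcontains $serverAddress) {
    Write-Warning "Certificate names ($($names -join ', ')) do not include '$serverAddress'."
}

# Build the chain on this server. For a self-signed certificate this succeeds only
# after its public part was imported into Trusted Root (Step 1, point 5).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($certificate)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    Write-Warning "Chain validation failed on this server: $status"
}

# Write the registry values (Set-ItemProperty creates them if they do not exist yet).
if (-not (Test-Path -Path $registryPath)) {
    throw "Registry key '$registryPath' not found. Is Safetica Management Service installed?"
}
Set-ItemProperty -Path $registryPath -Name "CertificateStore"  -Value $certificateStore -Type String
Set-ItemProperty -Path $registryPath -Name "CustomCertificate" -Value $thumbprint       -Type String

# Show what was written, then remind the operator of the mandatory restart.
Get-ItemProperty -Path $registryPath | Select-Object CertificateStore, CustomCertificate
Write-Host "Registry updated. Restart Safetica server so the new certificate is used."
```

Run the script in an elevated PowerShell session on the Safetica server after the Step 1 import. The name and chain checks only warn, because the authoritative test is whether Clients and the Maintenance Console connect after the restart; the private-key and expiry checks throw, because a certificate failing either cannot serve TLS at all.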

Example script for generating a self-signed certificate and importing it to Windows certificate store

# Change these values
$address = "AZ-W11-Cert"                   # server name the Clients connect to; used as the CN and as a DNS SAN
$alternativeName = "10.5.1.38"             # optional: an extra name (here an IP address) added as a DNS SAN
$certificateFriendlyName = "SafeticaCert"  # optional
$osDriveLetter = "C"
$certificateExpirationInYears = 5

$alternativeNames = $address, $alternativeName
$certificateSubject = "CN=$($address)"
$certificatePath = "$($osDriveLetter):\Windows\Temp\safeticaCert.cer"   # temporary file holding the public part only
$certStoreLocation = "Cert:\LocalMachine\My"        # computer Personal store (registry value MY)
$certTRCAStoreLocation = "Cert:\LocalMachine\Root"  # computer Trusted Root Certification Authorities store (registry value ROOT)
$provider = "Microsoft Enhanced RSA and AES Cryptographic Provider"

# Create a self-signed SSL server certificate in the computer MY store
Write-Host "Creating new self-signed certificate."

$params = @{
    Subject = $certificateSubject
    CertStoreLocation = $certStoreLocation
    NotAfter = (Get-Date).AddYears($certificateExpirationInYears)
    Provider = $provider
    KeyExportPolicy = "Exportable"   # Step 1 requires the private key to be exportable
    FriendlyName = $certificateFriendlyName
    DnsName = $alternativeNames
}
$certificate = New-SelfSignedCertificate @params

# Export the public part (no private key) and import it to the Trusted Root Certification Authorities store
Remove-Item -Path $certificatePath -Force -ErrorAction Ignore
Write-Host "Exporting certificate to '$($certificatePath)'."
Export-Certificate -Cert $certificate -FilePath $certificatePath
Write-Host "Importing certificate to Trusted Root Certification Authorities."
Import-Certificate -CertStoreLocation $certTRCAStoreLocation -FilePath $certificatePath
# Remove the temporary file; the same .cer is what the devices and Maintenance Console need in their Trusted Root store
Remove-Item -Path $certificatePath -Force -ErrorAction Ignore