Messages - jbubik

PCS General Board / Re: Creating self-signed certificates for PCS
« on: February 27, 2025, 10:45:19 pm »
For possible future reference for anyone interested: it seems the private key in server.pem should be in a PEM-encoded PKCS#8 container. You can distinguish it by this pattern:
-----BEGIN PRIVATE KEY-----
<base64 encoded data>
-----END PRIVATE KEY-----


A private RSA key in a PEM-encoded PKCS#1 container did not work for me. Such a container is usually represented as:
-----BEGIN RSA PRIVATE KEY-----
<base64 encoded data>
-----END RSA PRIVATE KEY-----


The error message in the log file was:
[WARNING]: Thread 6  Unable to create secure server on soap port 1805 (https).

People struggling with openssl could probably use the PowerShell command New-SelfSignedCertificate. It doesn't write a PEM-encoded file directly, but with a little scripting you get the result. Not really tested, this is just a suggestion from AI:

# Run from an elevated prompt: the certificate is created in the LocalMachine store.
# Create the self-signed certificate. -KeyExportPolicy Exportable allows the key
# to be exported unencrypted (the default policy only allows encrypted export).
$cert = New-SelfSignedCertificate -DnsName "yourdomain.com" -CertStoreLocation "Cert:\LocalMachine\My" -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)

# Export the certificate (public part) as DER bytes.
# Export-Certificate has no PEM type, so the PEM text is built by hand below.
$certDer = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Export the unencrypted private key as PKCS#8 DER bytes.
# New-SelfSignedCertificate creates a CNG key by default, so .Key is a CngKey.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$privateKeyDer = $rsa.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)

# Create the PEM file with both the certificate and private key
$serverPemPath = "C:\path\to\server.pem"

# Base64 is wrapped into short lines, which PEM readers expect
$lineBreaks = [System.Base64FormattingOptions]::InsertLineBreaks

# Write both the certificate and the private key to the same file
[System.IO.File]::WriteAllText($serverPemPath, "-----BEGIN CERTIFICATE-----`r`n" +
                                      [System.Convert]::ToBase64String($certDer, $lineBreaks) + "`r`n" +
                                      "-----END CERTIFICATE-----`r`n" +
                                      "-----BEGIN PRIVATE KEY-----`r`n" +
                                      [System.Convert]::ToBase64String($privateKeyDer, $lineBreaks) + "`r`n" +
                                      "-----END PRIVATE KEY-----`r`n")

Write-Host "Certificate and private key saved to $serverPemPath."

# Remove the certificate from the store.
# -DeleteKey also deletes the private key; without it the key stays on the machine.
Remove-Item -Path $cert.PSPath -DeleteKey

Write-Host "Certificate and private key removed from the certificate store."



What we ended up with was win-acme to get a Letsencrypt.org certificate. An integration script that installs the new cert into PCS will be in win-acme's Scripts folder soon (Pull Request pending on GitHub). Hope this helps someone someday :-)
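The two containers named in the post above differ by a fixed DER wrapper: PKCS#8 puts the PKCS#1 structure inside an OCTET STRING, preceded by a version and an RSA algorithm identifier. The following is an added example, not part of the original post and not PCS code. It reports which container a server.pem holds and rewraps an unencrypted PKCS#1 RSA key as PKCS#8 using only the Python standard library. The function names and sample bytes are constructed for illustration.

```python
import base64
import re

# DER AlgorithmIdentifier: rsaEncryption (1.2.840.113549.1.1.1), NULL parameters
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def pem_block(label: str, der: bytes) -> str:
    """Wrap DER bytes in PEM armor with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----"

def key_container(pem_text: str) -> str:
    """Name the container of the first private key block in a PEM file."""
    names = {"PRIVATE KEY": "PKCS#8", "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
             "RSA PRIVATE KEY": "PKCS#1"}
    for match in PEM_BLOCK.finditer(pem_text):
        if match.group(1) in names:
            return names[match.group(1)]
    return "none"

def pkcs1_to_pkcs8(pem_text: str) -> str:
    """Rewrap RSA PRIVATE KEY blocks as PRIVATE KEY; leave other blocks alone."""
    def rewrap(match):
        label, body = match.group(1), match.group(2)
        if label != "RSA PRIVATE KEY":
            return match.group(0)
        if "Proc-Type:" in body:  # legacy passphrase-encrypted PKCS#1 PEM
            raise ValueError("passphrase-encrypted PKCS#1 key: decrypt it first")
        pkcs1 = base64.b64decode("".join(body.split()))
        # PrivateKeyInfo ::= SEQUENCE { version 0, algorithm, OCTET STRING { pkcs1 } }
        info = der_tlv(0x30, b"\x02\x01\x00" + RSA_ALG_ID + der_tlv(0x04, pkcs1))
        return pem_block("PRIVATE KEY", info)
    return PEM_BLOCK.sub(rewrap, pem_text)

# Constructed placeholder bytes with the outer shape of a PKCS#1 key (not a real key).
SAMPLE_PKCS1 = der_tlv(0x30, b"\x02\x01\x00" + bytes(300))
SAMPLE_PEM = (pem_block("CERTIFICATE", b"constructed") + "\n"
              + pem_block("RSA PRIVATE KEY", SAMPLE_PKCS1))

if __name__ == "__main__":
    print(key_container(SAMPLE_PEM), "->", key_container(pkcs1_to_pkcs8(SAMPLE_PEM)))
```

To use it on a real file, read server.pem as text, pass it to `pkcs1_to_pkcs8`, and write the result to a new file with the same restrictive permissions as the original key.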
