Author Topic: Creating self-signed certificates for PCS  (Read 78021 times)

Eve

  • EA Administrator
  • EA Guru
  • Posts: 8083
  • Karma: +118/-20
Re: Creating self-signed certificates for PCS
« Reply #30 on: October 08, 2021, 09:27:32 am »
1) For PCS, if certificates have to be issued by a certifying authority, it is best to generate the CSR request using OpenSSL. It is not a recommendation, it is the only way to do it.
That would be an insane deficiency for every other TLS/SSL library if that was the case.

But I'm glad you've got it working.

Modesto Vega

  • EA Practitioner
  • Posts: 1137
  • Karma: +30/-8
Re: Creating self-signed certificates for PCS
« Reply #31 on: October 11, 2021, 07:01:37 pm »
1) For PCS, if certificates have to be issued by a certifying authority, it is best to generate the CSR request using OpenSSL. It is not a recommendation, it is the only way to do it.
That would be an insane deficiency for every other TLS/SSL library if that was the case.

But I'm glad you've got it working.
I agree, it is insane that the only practical way (please notice the emphasis) to get PCS configured to use https is by using OpenSSL to generate the requests or to generate self-signed certificates. This is why Sparx Systems needs to either improve the documentation or their product offering.

P.S.: There could be other ways to get PCS configured over https but since they are undocumented, it is essentially a painful trial and error process.

timoc

  • EA User
  • Posts: 201
  • Karma: +14/-0
Re: Creating self-signed certificates for PCS
« Reply #32 on: November 06, 2021, 03:52:48 am »
[SYSTEM]:  Thread 7  SUCCESS Bound and listening on soap port 443 (https)
[SYSTEM]:  Thread 6  SUCCESS Bound and listening on soap port 805 (https)
There is no problem with your server certificate as far as PCS is concerned. That effectively means every attempt at help to this point has been going in the wrong direction.

What I am seeing is this (with PCS 5.x Beta):
Quote
2021-11-05 16:26:45 [DEBUG]:   Thread 5  Created secure server on soap port 1805 (https)
2021-11-05 16:26:45 [DEBUG]:   Thread 5  ATTEMPT Bind and listen on soap port 1805
2021-11-05 16:26:45 [DEBUG]:   Thread 5  WARNING Failed to bind and listen on soap port 1805
2021-11-05 16:26:45 [SYSTEM]:  Thread 5  No longer listening on soap port 1805.

So, just to be clear - if you do not get a SUCCESS message for bind, then there is a problem with the certificate provided in the server.pem?

If so, that is not at all obvious from the trace-level log information or documentation. If not, then how do I diagnose this problem?

Eve

  • EA Administrator
  • EA Guru
  • Posts: 8083
  • Karma: +118/-20
Re: Creating self-signed certificates for PCS
« Reply #33 on: November 08, 2021, 08:25:01 am »
No. It could fail for any number of reasons.

I'd try changing the config so that port isn't secure. If it still fails it's nothing to do with the certificate.

The next thing that comes to mind is anything else listening on port 1805 on your system?

timoc

  • EA User
  • Posts: 201
  • Karma: +14/-0
Re: Creating self-signed certificates for PCS
« Reply #34 on: November 10, 2021, 04:40:07 am »
No. It could fail for any number of reasons.

I'd try changing the config so that port isn't secure. If it still fails it's nothing to do with the certificate.

The next thing that comes to mind is anything else listening on port 1805 on your system?
PCS4 logs an error when it tries to bind to an allocated port; I expect PCS5 to do the same.
Turns out it is not SSL related. Created a new thread for the specifics.



ddrakos

  • EA Novice
  • Posts: 16
  • Karma: +0/-0
Re: Creating self-signed certificates for PCS
« Reply #35 on: November 28, 2021, 08:36:24 pm »
Hi,

I think that the lego command-line client could help you to automate certificate issuing.

https://docs.gsd.pl/ssl/letsencrypt/

Another option could be https://certifytheweb.com/

I have been using these tools with PCS, WebEA (Apache) and Prolaborate (IIS) for about 4 years.

Regards
Drakos

jbubik

  • EA Novice
  • Posts: 1
  • Karma: +0/-0
Re: Creating self-signed certificates for PCS
« Reply #36 on: February 27, 2025, 10:45:19 pm »
For possible future reference to anyone interested: it seems the private key in server.pem should be in a PEM-encoded PKCS#8 container. You can distinguish it by this pattern:
-----BEGIN PRIVATE KEY-----
<base64 encoded data>
-----END PRIVATE KEY-----


A private RSA key in a PEM-encoded PKCS#1 container did not work for me. Such a container is usually represented as:
-----BEGIN RSA PRIVATE KEY-----
<base64 encoded data>
-----END RSA PRIVATE KEY-----


The error message in logfile was:
[WARNING]: Thread 6  Unable to create secure server on soap port 1805 (https).

People struggling with openssl could probably use the PowerShell command New-SelfSignedCertificate. It doesn't write a PEM-encoded file directly, but with a little scripting you get the result. Not really tested, this is just a suggestion from AI:

# Create the self-signed certificate; the key must allow plaintext export for the PKCS#8 step below
$cert = New-SelfSignedCertificate -DnsName "yourdomain.com" -CertStoreLocation "Cert:\LocalMachine\My" -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(1)

# Export the certificate (public part) as DER bytes (Export-Certificate only writes files and has no PEM type)
$certDer = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)

# Export the unencrypted private key as a PKCS#8 DER blob through the CNG key behind the certificate
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
$privateKeyDer = $rsa.Key.Export([System.Security.Cryptography.CngKeyBlobFormat]::Pkcs8PrivateBlob)

# Base64 with line breaks, as PEM readers expect
$certB64 = [System.Convert]::ToBase64String($certDer, [System.Base64FormattingOptions]::InsertLineBreaks)
$keyB64  = [System.Convert]::ToBase64String($privateKeyDer, [System.Base64FormattingOptions]::InsertLineBreaks)

# Write both the certificate and the private key to the same PEM file
$serverPemPath = "C:\path\to\server.pem"
[System.IO.File]::WriteAllText($serverPemPath,
    "-----BEGIN CERTIFICATE-----`r`n" + $certB64 + "`r`n-----END CERTIFICATE-----`r`n" +
    "-----BEGIN PRIVATE KEY-----`r`n" + $keyB64 + "`r`n-----END PRIVATE KEY-----`r`n")

Write-Host "Certificate and private key saved to $serverPemPath."

# Remove the certificate and its key from the store now that the PEM file holds both
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey

Write-Host "Certificate and private key removed from the certificate store."



What we ended up with was win-acme, to get a Letsencrypt.org certificate. An integration script that installs the new cert into PCS will be in win-acme's Scripts folder soon (Pull Request pending on GitHub). Hope this helps someone someday :-)
« Last Edit: February 27, 2025, 11:21:16 pm by jbubik »
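The PKCS#1 versus PKCS#8 distinction jbubik describes, as an added example that is not part of the thread or of Sparx Systems' tooling: a standard-library Python script that inspects the key block of a server.pem and rewraps a PKCS#1 "RSA PRIVATE KEY" as the unencrypted PKCS#8 "PRIVATE KEY" container (the same result as `openssl pkcs8 -topk8 -nocrypt`). The sample server.pem, its placeholder CERTIFICATE block and the textbook toy key are constructed for illustration; the toy key is not a usable key.

```python
"""Inspect the private-key block of a PCS server.pem and rewrap a PKCS#1 "RSA PRIVATE KEY"
as the unencrypted PKCS#8 "PRIVATE KEY" container reported to work. Standard library only."""
import base64, re, textwrap

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, DER-encoded

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def pkcs1_to_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier { rsaEncryption, NULL },
    privateKey OCTET STRING }  where the OCTET STRING carries the PKCS#1 RSAPrivateKey byte for byte."""
    if not pkcs1_der or pkcs1_der[0] != 0x30:
        raise ValueError("PKCS#1 body is not a DER SEQUENCE")
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    return der_tlv(0x30, der_tlv(0x02, b"\x00") + alg_id + der_tlv(0x04, pkcs1_der))

def pem_blocks(text):
    """[(label, DER bytes), ...] for every -----BEGIN/END----- block, in file order."""
    return [(label, base64.b64decode("".join(b64.split()))) for label, b64 in PEM_BLOCK.findall(text)]

def to_pem(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def fix_server_pem(text):
    """Return (verdict, rewritten PEM). Certificate blocks pass through unchanged."""
    out, verdict = [], "no private key found"
    for label, der in pem_blocks(text):
        if label == "RSA PRIVATE KEY":                  # PKCS#1: the container that failed in the post
            der, label, verdict = pkcs1_to_pkcs8(der), "PRIVATE KEY", "PKCS#1 key rewrapped as PKCS#8"
        elif label.endswith("PRIVATE KEY"):             # PKCS#8 already, or ENCRYPTED/EC: report, leave as is
            verdict = "PKCS#8 key already present" if label == "PRIVATE KEY" else f"{label}: not handled, convert it first"
        out.append(to_pem(label, der))
    return verdict, "".join(out)

def toy_pkcs1():
    """Constructed, structurally valid RSAPrivateKey with textbook toy numbers; not a usable key."""
    ints = [0, 3233, 17, 2753, 61, 53, 53, 49, 38]     # version, n, e, d, p, q, dP, dQ, qInv
    return der_tlv(0x30, b"".join(der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big")) for i in ints))

# Constructed sample server.pem: placeholder CERTIFICATE block (empty DER SEQUENCE) plus the toy PKCS#1 key.
SAMPLE_PEM = to_pem("CERTIFICATE", b"\x30\x00") + to_pem("RSA PRIVATE KEY", toy_pkcs1())
```

Run `fix_server_pem(open("server.pem").read())` on a real file and write the returned PEM back; the verdict string tells you which of the two containers from the post you had.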