Category Archives: SSL

Windchill: How to deploy SSL certificate

One fine day our SSL certificate was expired and we need to update our Windchill solution with new one. A quick Google search shows that not much information available outside the Winchill own forums. Therefore I am writing down my steps to deploy new SSL certificate for Windchill. Our Windchill solution version is 10.2 and running on Windows 2008 Server R2 VM. So all my steps are in that OS context.

The whole procedure is two step solution, first we need to extract CRT and KEY files from PFX file and second is to set up HTTPD.

Extract CRT and KEY files from PFX 
  1. Open Command Prompt
  2. CWD to <Windchill Dir>\HTTPServer\bin
  3. EXEC openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
  4. System prompts for password and pass phrase for the certificate. Enter the same as password that is with PFX file.
  5. EXEC openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
  6. Now you will find both CRT and KEY files in the target folder. For windchill, we need to give unencrypted key file.
  7. EXEC openssl rsa -in <filename1>.key -out <filename2>.key
Setting up the HTTPD
  1. Change both CRT and KEY file names as “server.crt” and “server.key” respectively
  2. Now stop the Windchill and close the HTTPD
  3. Move the CRT file into <Windchill Dir>\HTTPServer\conf\extra\ssl.crt\
  4. Move the KEY file into <Windchill Dir>\HTTPServer\conf\extra\ssl.key\
  5. CWD to <Windchill Dir>\Java\bin
  6. EXEC keytool -import -alias Windchill -file <Windchill Dir>\HTTPServer\conf\extra\ssl.crt\server.crt -storetype jks -keystore <Windchill Dir>\Java\jre\lib\security\cacerts
  7. System prompts for password, type your key store password.
  8. If system prompts as “alias already exists“, then choose a new alias for the certificate
  9. System prompt for Trust this certificate, type “yes
  10. Now, open file “<Windchill Dir>\HTTPServer\config.xml” and look for “<property name=”certAlias”” set the value as the same alias that given in previous step.

Windchill: How to chang between HTTP and HTTPS

In the process of making our Windchill solution more secure, we are turning it over to HTTPS. After deploying the SSL certificate now its time to targeting its web interface to HTTPS. I followed below procedure to achieve that.

  1. From the Windchill administration shell do the following
    1. xconfmanager -s wt.webserver.protocol=https -t codebase/
    2. xconfmanager -s wt.webserver.port=443 -t codebase/ -p
    3. xconfmanager -s wt.server.codebase=$(wt.webserver.protocol)://$( -t codebase/ -p
  2. Start httpd (with SSL for HTTPS else without SSL)