One fine day our SSL certificate expired and we needed to update our Windchill solution with a new one. A quick Google search showed that not much information is available outside Windchill's own forums, so I am writing down my steps for deploying a new SSL certificate for Windchill. Our Windchill version is 10.2, running on a Windows 2008 Server R2 VM, so all my steps are in that OS context.
The whole procedure has two parts: first we extract the CRT and KEY files from the PFX file, and second we set up HTTPD.
- Open Command Prompt
- CWD to <Windchill Dir>\HTTPServer\bin
- EXEC openssl pkcs12 -in [yourfile.pfx] -nocerts -out [keyfile-encrypted.key]
- The system prompts for a password and a pass phrase for the certificate. Enter the same password that is used for the PFX file.
- EXEC openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [certificate.crt]
- You will now find both the CRT and KEY files in the target folder. Windchill needs the key file in unencrypted form.
- EXEC openssl rsa -in <filename1>.key -out <filename2>.key
- Rename the CRT and KEY files to “server.crt” and “server.key” respectively
- Now stop Windchill and shut down HTTPD
- Move the CRT file into <Windchill Dir>\HTTPServer\conf\extra\ssl.crt\
- Move the KEY file into <Windchill Dir>\HTTPServer\conf\extra\ssl.key\
- CWD to <Windchill Dir>\Java\bin
- EXEC keytool -import -alias Windchill -file <Windchill Dir>\HTTPServer\conf\extra\ssl.crt\server.crt -storetype jks -keystore <Windchill Dir>\Java\jre\lib\security\cacerts
- The system prompts for a password; type your keystore password.
- If the system reports “alias already exists”, choose a new alias for the certificate
- When the system asks whether to trust this certificate, type “yes”
- Now open the file “<Windchill Dir>\HTTPServer\config.xml”, look for <property name="certAlias" and set its value to the alias given in the previous step.
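
Before restarting HTTPD it is worth checking the result of the steps above. The following PowerShell script is an added example, not part of the original procedure or of Windchill: it confirms that server.key is unencrypted, that it matches server.crt, that the certificate is not about to expire, and it restricts the ACL on the clear-text key. The parameter names, the HTTPD service account and the 30-day margin are assumptions; the file paths are the ones used in the steps above.

```powershell
# Added example (not from the original post): pre-restart checks for the new certificate.
param(
    [Parameter(Mandatory = $true)][string]$WindchillDir,  # the post's <Windchill Dir>
    [string]$HttpdAccount = 'NT AUTHORITY\SYSTEM',        # assumption: account HTTPD runs as
    [int]$MinDaysValid = 30                                # assumption: renewal margin
)

$openssl = Join-Path $WindchillDir 'HTTPServer\bin\openssl.exe'
$crt     = Join-Path $WindchillDir 'HTTPServer\conf\extra\ssl.crt\server.crt'
$key     = Join-Path $WindchillDir 'HTTPServer\conf\extra\ssl.key\server.key'
foreach ($f in $openssl, $crt, $key) {
    if (-not (Test-Path $f)) { throw "Missing file: $f" }
}

# 1. HTTPD needs the unencrypted key; both encrypted PEM forms contain "ENCRYPTED".
if (Select-String -Path $key -Pattern 'ENCRYPTED' -Quiet) {
    throw 'server.key is still pass-phrase protected; run the "openssl rsa" step first.'
}

# 2. The certificate and key must be a pair: their RSA moduli have to be identical.
$certMod = [string](& $openssl x509 -noout -modulus -in $crt)
if ($LASTEXITCODE -ne 0) { throw 'openssl could not read server.crt' }
$keyMod = [string](& $openssl rsa -noout -modulus -in $key)
if ($LASTEXITCODE -ne 0) { throw 'openssl could not read server.key' }
if ($certMod -ne $keyMod) { throw 'server.crt and server.key do not match.' }

# 3. Catch a PFX that was exported from an old or nearly expired certificate.
& $openssl x509 -noout -checkend ($MinDaysValid * 86400) -in $crt | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Certificate expires within $MinDaysValid days." }
& $openssl x509 -noout -subject -enddate -in $crt

# 4. The key is now stored in clear text, so drop inherited ACLs and allow only
#    Administrators (well-known SID S-1-5-32-544, full) and the HTTPD account (read).
& icacls $key /inheritance:r /grant:r '*S-1-5-32-544:F' "${HttpdAccount}:R" | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'icacls failed to restrict server.key' }
Write-Host 'Certificate and key verified; key ACL restricted.'
```

If HTTPD runs under a dedicated service account, pass it as `-HttpdAccount`, otherwise the server will not be able to read the key after the ACL change.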