Installing a 3rd Party Certificate

For general purpose use, we recommend purchasing a certificate, especially when external users access Pleasant Password Server via a domain name (FQDN).

Self-signed certificates can provide adequate security on small intranets, in test environments, or in situations with limited users and controlled environments. 

Export or download the certificate from your certificate vendor in *.pfx (or *.p12) format, which contains both the private key and the public key. The private key is essential because the server uses it to create the secure connections.

Know your domain name

To ensure that the certificate works with the domain name you will be using, the Common Name of the certificate must match the entire domain name or contain a wildcard (if you are going to use a subdomain).

For instance, if you want to use passwords.yourdomain.com:10001 as your URL, then your certificate should be purchased as either passwords.yourdomain.com or *.yourdomain.com. A wildcard certificate (*) can be used on any subdomain.

Browsers validate that the domain name in the address bar matches the name on the certificate.

This means that accessing the Pleasant Password Server website from any other address (such as https://localhost:10001) that is not included in the certificate's:

  • Subject name, or
  • Subject Alternative Names (SAN) fields,

will cause the web browser to display a certificate error.
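
A pre-import check of the *.pfx file, added here as an example (it is not part of the vendor's instructions): it confirms that the file carries a private key, is within its validity period, and covers the host name users will type. The path and host name are placeholders, and Test-CertNameMatch is a helper defined only for this example. A wildcard entry is treated as covering a single left-most label, which is how browsers apply it.

```powershell
# Added example: inspect a PFX before importing it. Placeholder values below.
param(
    [string]$PfxPath  = 'C:\certs\passwords.pfx',     # assumed location of the file
    [string]$HostName = 'passwords.yourdomain.com'    # name in the URL, without the port
)

# Hypothetical helper: does one certificate name cover the host name?
function Test-CertNameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p -eq $h) { return $true }
    # *.yourdomain.com covers passwords.yourdomain.com, but not
    # yourdomain.com itself and not a.b.yourdomain.com.
    if ($p.StartsWith('*.')) {
        $dot = $h.IndexOf('.')
        return ($dot -gt 0) -and ($h.Substring($dot) -eq $p.Substring(1))
    }
    return $false
}

# Prompt for the PFX password so it never appears in the script or history.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $password)

# DnsNameList is the property PowerShell adds to certificate objects:
# the SAN DNS names plus the subject Common Name.
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode } | Where-Object { $_ })

$now = Get-Date
[pscustomobject]@{
    Subject       = $cert.Subject
    Names         = $names -join ', '
    HasPrivateKey = $cert.HasPrivateKey        # must be True for the server to use it
    InValidity    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    CoversHost    = [bool]($names | Where-Object { Test-CertNameMatch $_ $HostName })
}

$cert.Dispose()
```

Running it with -HostName localhost against a certificate issued for passwords.yourdomain.com reports CoversHost as False, which is the browser error case described above.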

Installing your certificate

For Password Server versions 4.1.1 or earlier, refer to the Legacy instructions (in the section below this one).

To change the certificate that Password Server uses, run the Pleasant Service Configuration Utility that was packaged and installed with the server. Alternatively, use PowerShell commands to change certificates.

By default, the Service Config utility is accessed via the Start menu:

  • Programs -> Pleasant Password Server -> Service Configuration

To use your own certificate, follow these steps:

  1. Start the Service Configuration Utility.
  2. Click Certificate Configuration.
  3. Click Import Certificate.
  4. Browse for and select the certificate file (must be a *.pfx or *.p12 certificate file, which includes the private key).
  5. Enter the password for your certificate.
  6. Restart the Password Server service.
    • If the service fails to start, correct the certificate file (use the correct extension) and re-import it.
  7. Point your browser at the server.

At any point, the certificate in use can be reverted to the default placeholder certificate by clicking the Clear button within the Certificate Configuration section of the Service Configuration Utility.

This setting will persist through future updates of Pleasant Password Server.

For legacy versions of Pleasant Password Server (versions 4.1.1 and earlier) 

Installing the certificate

  1. Open the Microsoft Management Console (MMC).
    • Type mmc.exe in the Start menu search box or open a Run... dialog, type mmc.exe and click OK.
  2. Click File -> Add/Remove Snap-in...
  3. Add the Certificates snap-in.
    • [Vista/7] Click Certificates from the left pane and click Add.
    • [XP] Click Add... then select Certificates and click Add.
  4. Select Computer Account and click Next.
  5. Select Local Computer and click Finish.
  6. Exit the open dialog(s).

There should be a list of folders on the left. The top folder should be Personal followed by Trusted Root Certification Authorities. These folders represent the various certificate stores for the local computer.

  1. Right-click Personal.
  2. Select All Tasks -> Import...
  3. Click Next on the Certificate Import Wizard welcome page.
  4. Click Browse to locate your certificate file.
  5. Change the file type to Personal Information Exchange (*.pfx, *.p12) to ensure you import the correct file type.
  6. Browse for and select your downloaded certificate.
  7. Make sure you enter the correct password (if any) for your certificate.
  8. Make sure that the certificate is being imported to the Personal certificate store.

Configuring the Server

  1. Stop the Pleasant Password Server service.
    • Open the Services control panel.
    • Find Pleasant Password Server.
    • Right-click and select Stop.
  2. Open and modify the configuration file.
    • By default, it will be in C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server\PassMan.WindowsService.exe.config
      • NOTE: To edit and save the file, you may need to run your text editor (such as Notepad) with administrative privileges; right-click the program file and choose Run as administrator.
  3. Search for the serviceCertificate section.

    • Change findValue to the name of your certificate (e.g., passwords.yourdomain.com).
    • Change the storeName value to "My".
<serviceCertificate
    findValue="passwords.mydomain.com"
    x509FindType="FindBySubjectName"
    storeLocation="LocalMachine"
    storeName="My" />
  4. Save and close the config file.
  5. Restart the Pleasant Password Server service.
    • Return to the Services control panel
    • Locate and right-click on Pleasant Password Server
    • Select Start
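
A read-only check of the serviceCertificate lookup, added here as an example (it is not part of the vendor's instructions): it runs the same store query the config describes and lists every certificate that matches. FindBySubjectName is a case-insensitive substring match on the subject, so an old or expired certificate with a similar name in the Personal store also matches; $FindValue is a placeholder for your findValue.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example: which certificates does the serviceCertificate query select?
$FindValue = 'passwords.yourdomain.com'    # placeholder: the findValue from the config

# storeLocation="LocalMachine", storeName="My" (the Personal store in MMC)
$store = [X509Store]::new([StoreName]::My, [StoreLocation]::LocalMachine)
$store.Open([OpenFlags]::ReadOnly)
try {
    # validOnly = $false so expired or untrusted matches are listed too
    $found = $store.Certificates.Find([X509FindType]::FindBySubjectName, $FindValue, $false)
    $now = Get-Date
    $report = foreach ($c in $found) {
        [pscustomobject]@{
            Subject       = $c.Subject
            Thumbprint    = $c.Thumbprint
            NotAfter      = $c.NotAfter
            Expired       = $now -gt $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey   # False means the key was not imported
        }
    }
}
finally {
    $store.Close()
}

$report | Format-Table -AutoSize

if ($found.Count -eq 0) {
    Write-Warning "No certificate in LocalMachine\My matches '$FindValue'."
}
elseif ($found.Count -gt 1) {
    Write-Warning "$($found.Count) certificates match '$FindValue'; the lookup is ambiguous."
}
```

A single row with HasPrivateKey True and Expired False is the result to look for before restarting the service.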