Let’s Encrypt is a service provided by the Internet Security Research Group to provide free SSL certificates to anyone. The goal of the project is to get the entire web encrypted. I mentioned the project in Episode 7 of The PeopleSoft Administrator Podcast and thought it would be a great exercise to try it with PeopleSoft.
Let’s Encrypt uses a client on the server to automate the certificate request process. The client will:
- Validate that you own the web server
- Generate a CSR
- Download the certificate
- Apply the certificate to the web server (limited support)
- Automatically renew the certificate
There are a few requirements to use the Let’s Encrypt clients though:
- The web server needs to be accessible from the internet. The Let’s Encrypt site will validate that you own the server by checking for a specific file on the web server.
- Not all operating systems are supported, yet.
- Some web servers have built-in support (IIS, Apache), but others do not (e.g., WebLogic). We can still generate certificates, but the automatic renewal won’t update the web server.
Install Let’s Encrypt Client for Windows
We’ll use the letsencrypt-win-simple command line client for Windows. Download the latest release from GitHub and extract the folder to a permanent location.
Generate a new certificate
.\letsencrypt.exe --accepttos
[code lang=text]
Let’s Encrypt (Simple Windows ACME Client)
ACME Server: https://acme-v01.api.letsencrypt.org/
Config Folder: C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org
Loading Signer from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Sign
Loading Registration from C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\Registration
Scanning IIS 7 Site Bindings for Hosts
No IIS bindings with host names were found. Please add one using IIS Manager. A host name and site path are required to verify domain ownership.
No targets found.
M: Generate a certificate manually.
A: Get certificates for all hosts
Which host do you want to get a certificate for:
[/code]
- Since we are not running IIS, we’ll generate a certificate manually.
[code lang=text]
Which host do you want to get a certificate for: M
Enter a host name:
[/code]
- Enter the DNS name for your web server.
[code lang=text]
Enter a host name: hr.psadmin.io
Enter a site path (the web root of the host for http authentication):
[/code]
- Next, enter the root path for your web server. If you are running WebLogic, that will be the PORTAL.war directory on your web server.
[code lang=text]
Enter a site path (the web root of the host for http authentication): W:\pt8.55\webserv\peoplesoft\applications\peoplesoft\PORTAL.war
[/code]
- Then, the Let’s Encrypt client will create a new file under PORTAL.war\.well-known\acme-challenge. That file will be used to validate that you own the web server.
[code lang=text]
Authorizing Identifier ps92t855.psadmin.io Using Challenge Type http-01
Writing challenge answer to W:\pt8.55\webserv\peoplesoft\applications\peoplesoft\PORTAL.war\.well-known/acme-challenge
Answer should now be browsable at http://ps92t855.psadmin.io/.well-known/acme-challenge/1c2yN7Y93sJwRUmRGaoG4kT-QynrIcG
Authorization Result: valid
[/code]
- After the web server ownership is verified, new certificates will be generated and copied to your system. The certificates are copied to your %USERPROFILE%\AppData\Roaming\letsencrypt-win-simple folder in a few formats:
[code lang=text]
Request Status: Created
Saving Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\hr.psadmin.io-crt.der
Saving Issuer Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ca-009813F47513E5750B43E7431E971E44BD-crt.pem
Saving Certificate to C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\hr.psadmin.io-all.pfx (with no password set)
Opened Certificate Store “WebHosting”
Adding Certificate to Store
Closing Certificate Store
WARNING: Unable to configure server software.
Creating Task letsencrypt-win-simple httpsacme-v01.api.letsencrypt.org with Windows Task Scheduler at 9am every day.
Renewal Scheduled Manual hr.psadmin.io (W:\pt8.55\webserv\peoplesoft\applications\peoplesoft\PORTAL.war) Renew A
Press enter to continue.
[/code]
The client will also add the certificates to the Windows Certificate Store for you. To add the certificates to WebLogic, we’ll use the .pem
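The http-01 validation above only checks one thing: that a file dropped into PORTAL.war\.well-known\acme-challenge is served over plain HTTP on port 80. On a new domain it is worth proving that before running the client. The PowerShell preflight below is an added example, not part of the original post or of the letsencrypt-win-simple client; it assumes the site path and host name used in this walkthrough.

```powershell
# Added example (not from the original post): preflight check that WebLogic serves
# PORTAL.war\.well-known\acme-challenge over plain HTTP, as the ACME http-01 validation requires.
# Assumptions: site path and host name as used in the walkthrough above.
$SitePath = 'W:\pt8.55\webserv\peoplesoft\applications\peoplesoft\PORTAL.war'
$HostName = 'hr.psadmin.io'

function Test-AcmeChallengePath {
    param([string]$SitePath, [string]$HostName)

    $challengeDir = Join-Path $SitePath '.well-known\acme-challenge'
    if (-not (Test-Path $challengeDir)) {
        New-Item -ItemType Directory -Path $challengeDir -Force | Out-Null
    }

    # Constructed token: random file name and body, so a stale file cannot produce a false pass.
    $token = [guid]::NewGuid().ToString('N')
    $body  = "preflight-$token"
    $file  = Join-Path $challengeDir $token
    Set-Content -Path $file -Value $body -NoNewline -Encoding ASCII

    # http-01 is always fetched on port 80 with no port in the URL; a PIA domain listening
    # only on 8000 fails here exactly as it would fail at Let's Encrypt.
    $url = "http://$HostName/.well-known/acme-challenge/$token"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        $content = $resp.Content
        # WebLogic may serve an extension-less file as octet-stream, in which case Content is a byte[]
        if ($content -is [byte[]]) { $content = [Text.Encoding]::ASCII.GetString($content) }
        $ok = ($resp.StatusCode -eq 200) -and ($content.Trim() -eq $body)
    } catch {
        Write-Warning "Fetch of $url failed: $($_.Exception.Message)"
        $ok = $false
    } finally {
        Remove-Item -Path $file -ErrorAction SilentlyContinue   # never leave test files in the web root
    }
    return $ok
}

if (Test-AcmeChallengePath -SitePath $SitePath -HostName $HostName) {
    'OK: challenge files are served; run .\letsencrypt.exe --accepttos'
} else {
    'FAIL: check the site path, the port 80 listener and the firewall before requesting a certificate'
}
```

A pass from the web server itself only proves the path and listener; Let's Encrypt fetches from the internet, so repeat the fetch from outside your network as well.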
Create a New pskey Keystore
Now that we have certificates, let’s create a new pskey file with the certificates. We’ll use Keystore Explorer to quickly generate the file.
- Open Keystore Explorer. (If it’s the first time you’ve used it, follow the instructions to download the Unlimited Strength files.)
- Create a new keystore file.
- Select the file type of “JKS”.
- Select “Tools > Import Key Pair”.
- Select the “OpenSSL” option.
- Deselect “Encrypted Private Key”.
- For the “OpenSSL Private Key File”, select the file
- For the “Certificate(s) File”, select
- Click “Import”.
- Enter an alias name that is descriptive. I used
- Since the private key was delivered without a password, we’ll want to enter one. Enter a password for the key pair.
Now you have the private and public key for your DNS entry in the keystore. Next, we need to add the root (and intermediate) certificates so that a chain of trust is established.
- In Keystore Explorer, in our new keystore file, right-click on our certificate. Select “Edit Certificate Chain > Append Certificate”.
- Select the file ca-GUID-crt.pem and click “Append”.
- Save the file, give the keystore a password, and name the file
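The same keystore can be built without the Keystore Explorer GUI, which matters once you need to rebuild pskey after every renewal, since the scheduled task cannot update WebLogic. The PowerShell script below is an added example and not part of the original post; it assumes openssl.exe and the JDK keytool.exe are on the PATH, and it assumes the client also wrote hr.psadmin.io-key.pem and hr.psadmin.io-crt.pem beside the .der and .pfx files shown above (those two file names are assumptions). It goes one step beyond the GUI walkthrough by also importing the issuer as a trusted entry, because the same file is later used as the Custom Trust keystore.

```powershell
# Added example (not from the original post): build pskey-2015-12 from the command line
# instead of Keystore Explorer. Assumes openssl.exe and keytool.exe are on the PATH.
$CertDir  = "$env:APPDATA\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org"
$KeyPem   = Join-Path $CertDir 'hr.psadmin.io-key.pem'   # assumed file name
$CrtPem   = Join-Path $CertDir 'hr.psadmin.io-crt.pem'   # assumed file name
$CaPem    = Join-Path $CertDir 'ca-009813F47513E5750B43E7431E971E44BD-crt.pem'  # issuer file from the client output
$Alias    = 'hr.psadmin.io'
$Keystore = 'pskey-2015-12'

# Prompt for the passphrase instead of hard-coding it: the same value goes into the WebLogic
# console and, encrypted with PSCipher, into integrationGateway.properties.
$pw = (Get-Credential -UserName $Alias -Message 'Passphrase for the keystore and key').GetNetworkCredential().Password
if ($pw.Length -lt 6) { throw 'keytool requires a passphrase of at least 6 characters' }
$p12 = Join-Path $env:TEMP "$Alias.p12"

# 1. Key pair plus issuer into a password-protected PKCS12; -certfile adds the issuer to the
#    chain, which is the "Append Certificate" step in Keystore Explorer.
& openssl pkcs12 -export -inkey $KeyPem -in $CrtPem -certfile $CaPem -name $Alias -out $p12 -passout "pass:$pw"
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 export failed' }

# 2. Convert the PKCS12 into the JKS that WebLogic and PeopleSoft expect.
& keytool -importkeystore -srckeystore $p12 -srcstoretype PKCS12 -srcstorepass $pw `
    -destkeystore $Keystore -deststoretype JKS -deststorepass $pw `
    -srcalias $Alias -destalias $Alias -destkeypass $pw
if ($LASTEXITCODE -ne 0) { throw 'keytool importkeystore failed' }
Remove-Item $p12 -Force   # the intermediate PKCS12 is no longer needed

# 3. Also trust the issuer, because the same file is used as the Custom Trust keystore.
& keytool -importcert -trustcacerts -noprompt -alias letsencrypt-issuer -file $CaPem `
    -keystore $Keystore -storepass $pw
if ($LASTEXITCODE -ne 0) { throw 'keytool importcert failed' }

# 4. Check before copying to the web server: the key entry must show a chain length of 2.
& keytool -list -v -keystore $Keystore -storepass $pw -alias $Alias |
    Select-String 'Certificate chain length|Owner:|Issuer:|Valid from'
```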
Load Keystore into WebLogic
After importing the certificates into pskey-2015-12, we need to copy the file to the web server and tell WebLogic to use the new file. The integrationGateway.properties file will need to know about the new keystore as well.
- Copy the pskey-2015-12 file to your web server directory
- Log into the WebLogic console.
- Navigate to “Environment > Servers > PIA > Keystores”.
- Click the “Lock & Edit” button to allow editing.
- Click the “Change” button for the Keystores option.
- Select “Custom Identity and Custom Trust” and “Save”.
- In the “Custom Identity Keystore” box, change the file name to
- In the “Custom Identity Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
- In the “Custom Trust Keystore” box, change the file name to
- In the “Custom Trust Keystore Passphrase” boxes, enter the keystore password you entered when saving the file in Keystore Explorer.
- Click Save.
WebLogic will now look at the new keystore file. Next, we need to tell WebLogic which certificate it should serve to users.
- Click on the “SSL” tab.
- Change the “Private Key Alias” to
- In the “Private Key Passphrase” boxes, enter the password you gave the
- Click Save.
- Click the “Activate Changes” button.
Before we reboot the WebLogic domain, we need to update the
- On your web server, open the
- Find the line secureFileKeystorePath and change the file name to
- If the password you gave the keystore is different than the previous file, you’ll need to update that parameter in the file.
- Open a command prompt and go to
- Run the command setEnv.cmd to set the environment variables.
- Go to the folder
- Run the command PSCipher to get the encrypted text.
- Open a command prompt and go to
- Restart your WebLogic domain.
Test your HTTPS Connection
As WebLogic is starting up, make sure to check the logs to verify that the server started with your new certificate. Once the server has started, open a browser and test the site. You should see a secure connection in the browser to your site.
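A browser padlock is a weak test: a browser may fetch a missing intermediate on its own, so it can show green even when the issuer certificate was never appended in the keystore. The PowerShell function below pulls the certificate WebLogic actually serves and builds the chain locally. It is an added example, not part of the original post, and assumes the PIA HTTPS listener is on port 443.

```powershell
# Added example (not from the original post): fetch the certificate WebLogic actually serves
# and build the chain locally. Assumes the PIA HTTPS listener is on port 443.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake so a bad chain can still be inspected;
        # the real verdict comes from X509Chain.Build below.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # the host name also drives SNI
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # checking completeness and dates only
        $built = $chain.Build($leaf)
        [pscustomobject]@{
            Subject   = $leaf.Subject
            Issuer    = $leaf.Issuer
            NotAfter  = $leaf.NotAfter
            DaysLeft  = [int]($leaf.NotAfter - (Get-Date)).TotalDays
            Protocol  = $ssl.SslProtocol
            ChainOk   = $built
            ChainInfo = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        }
    } finally {
        $tcp.Close()
    }
}

$info = Get-ServedCertificate -HostName 'hr.psadmin.io'
$info | Format-List
if (-not $info.ChainOk) {
    Write-Warning "Chain did not build ($($info.ChainInfo)); was the issuer certificate appended in the keystore?"
}
# Let's Encrypt certificates last 90 days and the scheduled renewal cannot update WebLogic,
# so a low DaysLeft means pskey must be rebuilt and reloaded by hand.
if ($info.DaysLeft -lt 30) { Write-Warning "Certificate expires in $($info.DaysLeft) days" }
```

Run it from a machine that does not have the certificate in its own store, or the chain check tells you nothing about what remote clients will see.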