What can I do when receiving SSL connection errors from version 15.2.0 onwards?

The official build of version 15.2.0 unfortunately contains an error that occurs when an SSL certificate is used on the Enterprise Server. If you are having trouble connecting to your server using SSL in version 15.2.0, please first make sure to install the latest updates: 15.2.1 of the Enterprise Server and 15.2.2 of the Desktop or Corporate Client. You can find the latest builds on our website. Please download and install them accordingly:

Enterprise Server 15.2.1

Desktop or Corporate Client 15.2.2

Note: Before changing any settings, please make sure to install the latest version 15.2.1 of the Enterprise Server and 15.2.2 of the Desktop or Corporate Client because otherwise changes will not have an impact at all.

When using an SSL certificate on the server with version 15.2.0 (or higher), please also take the following into consideration:

1. The new version 15.2.0 (or higher) uses an upgraded transfer protocol with no backward compatibility. This means that all Password Depot clients and Server Managers must also be updated to version 15.2.0 or higher. Please make sure to update all editions to the latest release of version 15.

2. The server now uses OpenSSL 1.1.1.j with TLS 1.3. Currently, only server certificates in the PEM format are supported. We have implemented an automatic conversion of your installed PFX or CRT certificates to the PEM format, which may require an additional restart of the Password Depot Server after the first run. If the server still cannot load the SSL certificate after the restart, please convert your existing certificate into the PEM format manually.

To convert a PFX certificate into PEM, for example, please use this command line:

openssl.exe pkcs12 -in <SOURCE_FILE_PFX> -out <TARGET_FILE_PEM>

and enter the passwords when prompted.

When you try to connect to the server afterwards, you may get a message as follows:

[Screenshot: certificate warning message]

The screenshot in German states that the certificate cannot be verified and that no error was found. Please select "Zertifikat anzeigen" (Show certificate). Afterwards, the following dialog window should be displayed:

[Screenshot: certificate dialog window]

Select "Zertifikat installieren" (Install certificate) and continue in order to finish the installation process.

Please note that all Windows clients should install the certificate as trusted if the certificate has been converted. However, this is not required in iOS or Android.

Thus, the correct procedure is as follows:

1. Clients

If your clients get the message about the unknown certificate:
a) Please make sure to use the latest client version 15.2.2.
b) In the client, click "Zertifikat anzeigen" and install the certificate into the "My Certificates" storage.
 
2. Enterprise Server
 
Converting on the server:
 
The server can convert CRT or PFX certificates automatically. If this does not work after the first start, just open the Server Manager and reassign all certificate and password-related settings.
 
If you need to convert your non-standard certificate manually, you do not need to install OpenSSL. All required files are already in the PD Server program directory.
 
Example:
 
If you have a certificate with the name "zert.pfx", then:
 
a) Copy it into the server's program directory (C:\Program Files\AceBIT\Password Depot Server 15\). Please make sure to store the certificate file in the Enterprise Server's program directory and not in the \Data directory.
b) Open the command window (press Win+R and type cmd.exe).
c) Change the current directory: cd C:\Program Files\AceBIT\Password Depot Server 15\
d) Execute: openssl.exe pkcs12 -in zert.pfx -out zert.pem and enter the passwords when prompted.
e) If the private key is stored in a separate file, repeat the same steps for the key file.
f) Start the Server Manager and activate SSL with the resulting .pem file(s), for example zert.pem.
 
 
Note: If the private key and certificate are stored in the same file, you have to enter the same path for both Cert and Key in the Server Manager. If, on the other hand, the private key and certificate are two separate files, you have to enter the path to each file in the server settings. In any case, please make sure that the "Path to private key file on server" box is not empty. Please also make sure that the certificate and the private key file (if they are two different files) are both in PEM format.
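Before entering the paths in the Server Manager, you can check which converted file actually holds the certificate and which holds the private key. The following Python script is an added example and not part of Password Depot or of the original article. Its function names and sample data are constructed for illustration, and it checks only the PEM structure, not whether key and certificate belong together.

```python
import base64
import re

# One PEM block; text between blocks (e.g. "Bag Attributes" from "openssl pkcs12") is skipped.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def inspect_pem(text):
    """Count certificates and private keys in PEM text; note encrypted keys."""
    info = {"certificates": 0, "private_keys": 0, "encrypted_key": False}
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Traditional encrypted keys carry "Proc-Type: 4,ENCRYPTED" headers.
        headers = [ln for ln in lines if ":" in ln]
        data = "".join(ln for ln in lines if ":" not in ln)
        base64.b64decode(data, validate=True)  # binascii.Error if damaged
        if label == "CERTIFICATE":
            info["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            info["private_keys"] += 1
            if label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers):
                info["encrypted_key"] = True
    return info

def server_manager_paths(files):
    """files maps file name -> content. Returns (cert_path, key_path)."""
    cert_path = key_path = None
    for name, text in files.items():
        info = inspect_pem(text)
        cert_path = cert_path or (name if info["certificates"] else None)
        key_path = key_path or (name if info["private_keys"] else None)
    if not cert_path or not key_path:
        raise ValueError("no PEM certificate and/or PEM private key found")
    return cert_path, key_path

def sample_block(label):
    """Constructed block: valid PEM framing around dummy bytes, not a real key."""
    b64 = base64.b64encode(b"constructed sample data " * 6).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-in for the zert.pem produced in step d).
ZERT_PEM = ("Bag Attributes\n    friendlyName: zert\n"
            + sample_block("ENCRYPTED PRIVATE KEY")
            + "Bag Attributes\n    friendlyName: zert\n"
            + sample_block("CERTIFICATE"))

if __name__ == "__main__":
    print(inspect_pem(ZERT_PEM), server_manager_paths({"zert.pem": ZERT_PEM}))
```

Read each real file with open(path, encoding="latin-1") so that a binary .crt file is reported as lacking PEM blocks instead of failing on read. Because the converted zert.pem can hold the private key, it needs the same file-system protection as the original PFX file.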
 
The issue should not occur in version 16. However, please note that version 16 also only supports certificates in PEM format. Please follow the instructions concerning the paths (Cert & Key) described above, as they remain valid in version 16.