New Question
 
 
PRTG Network Monitor

Intuitive to Use.
Easy to manage.

200.000 administrators have chosen PRTG to monitor their network. Find out how you can reduce cost, increase QoS and ease planning, as well.

Free PRTG
Download >>

 

What is this?

This knowledgebase contains questions and answers about PRTG Network Monitor and network monitoring in general. You are invited to get involved by asking and answering questions!

Learn more

 

Top Tags


View all Tags


How can I use a trusted SSL certificate with the PRTG web interface?

Votes:

0

Your Vote:

Up

Down

I want to avoid the web browser security warning that is shown when using PRTG's default SSL certificate and a secure https connection. How can I get, install, and use such a certificate with PRTG?

browser certificate certificate-importer encryption https prtg secure ssl web-interface

Created on Feb 2, 2010 3:27:03 PM by  Daniel Zobel [Paessler Support]

Last change on Feb 26, 2015 2:24:10 PM by  Gerald Schoch [Paessler Support]



14 Replies

Accepted Answer

Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 16 or later

General Information: Trusted SSL Certificates and PRTG

Out-of-the-box PRTG Network Monitor comes with a default SSL certificate for its web server. This way all communication between your browser and PRTG is encrypted using SSL and you can securely use the web interface through HTTPS.

Certificate Warnings

This certificate does not match the DNS name (or IP address) of your PRTG installation, so web browsers will always show a warning message ("the certificate is not correct") when you connect to the PRTG web interface.

The Role of SSL Certificates

SSL certificates play two roles here: First they are used to encrypt the data (so nobody can get sensitive data like passwords from your PRTG installation). The second role of SSL certificates is to ensure that you are actually connected to the right server (to avoid man-in-the-middle attacks, for example). The encryption of traffic already works after initially installing PRTG.

Install Certificate Files

To avoid the browser warnings, install a trusted certificate for the PRTG webserver (in PEM format). The PRTG web server implements OpenSSL and expects certificate files in the same format that is used for Apache web servers, too.

PRTG needs the following files, correctly named, containing data in the expected encoding and format:

  • prtg.crt: The certificate of your server
  • root.pem: The root certificate of the certificate issuer
  • prtg.key: The private key of your server *

This makes the manual import of an issued certificate a bit complicated sometimes because there might be various certificate files that you get from a certificate authority (CA) and the private key is usually encrypted. So we provide the freeware tool PRTG Certificate Importer that makes the installation of a trusted certificate for your PRTG server much easier.

* Note: Usually your certificate provider sends you the key in encrypted format. The PRTG Certificate Importer decrypts it automatically with the according passphrase. If you want to import a certificate manually, use the key password in combination with external tools (for example, OpenSSL) to create a decrypted key file. PRTG will not accept an encrypted key file! You can check if the key matches your certificate here.

PRTG Certificate Importer

Please use the PRTG Certificate Importer to install a trusted certificate for PRTG!

To ease the installation of a trusted certificate, we provide the free PRTG Certificate Importer. It combines and converts all files issued by a certificate authority (CA) automatically for the use with PRTG and saves the certificate files into the correct path on your PRTG server. This makes importing a trusted SSL certificate rather comfortable!

For more information about this freeware tool and to do download it, see the freeware network tools page of the PRTG Certificate Importer.

General Remarks

Important: We strongly recommend that you make backup copies of the default PRTG certificate files before you replace them. The PRTG Certificate Importer does this automatically by default.

In some cases, your certificate provider gives you certificates and key files in the correct PEM format already. However, you may receive a single file which contains several elements, for example, several certificates along with a private key that belongs to the certificates. Such a file might be called *.chain.pem or similar.

A certificate will begin with -----BEGIN CERTIFICATE----- and end with -----END CERTIFICATE-----

A key will begin with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----

The PRTG Certificate Importer can handle such a combined file usually correctly, so please use this tool.


Manual Certificate Import

For a manual certificate import without using the PRTG Certificate Importer, you have to follow the steps below.

Note: We do not recommend that you manually import certificates. Please use the PRTG Certificate Importer.
  1. Open the file in a text editor and copy one certificate (take the first one, if there are several) into a new text file and safe it as prtg.crt.
  2. Copy the key into a new text file and safe it as prtg.key.
  3. Identify the root certificate of the issuer (most likely, it is the last certificate listed before the key). It will look similar to the server certificate you copied above.
  4. Copy the root certificate into a new text file and safe it as root.pem. Alternatively, you can download the PEM encoded root certificate from your issuer's website. This is a public file.
  5. Save the file as root.pem.
  6. Stop the PRTG core Windows service, copy the three files into the \cert sub folder of your PRTG program folder (copy the existing files to a save location), and restart the PRTG core Windows service.

What can I do if PRTG does not start after replacing the default certificate?

To get PRTG back to monitoring as soon as possible if something went wrong with the generation of your own certificates, copy the three default PRTG certificate files to the \cert folder of your PRTG installation again. Because of this, we always recommend backing up the default certificate before changing anything.

Then open the PRTG Administrator tool on your core server system and start the core server again.

If you did not back up the default certificates and have them not available anymore, delete the \cert folder and install PRTG over the existing installation.

Different Naming for Former PRTG Versions

Note: For PRTG versions 7, 8, and 9, file names are different from the ones shown above! If you want to use your own SSL certificate files with these former PRTG versions, please name them prtg7.crt, root.pem, and prtg7.key.


There are several options to get the required certificate files. Please see the other answers in this thread for more information.



In This Thread



More

Created on Feb 2, 2010 3:29:59 PM by  Daniel Zobel [Paessler Support]

Last change on Sep 22, 2017 12:37:07 PM by  Gerald Schoch [Paessler Support]



Votes:

1

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 12 or later

Option 1: Using a Free SSL Certificate (StartSSL)

The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings you must install a "trusted certificate". This article explains how you can do this for free by getting a "StartSSL" certificate from StartCom (http://cert.startcom.org/). Their "Class 1 certificates" are domain and/or email validated only and the process is performed mostly by electronic and automatic means. This enables StartCom to waive fees for this type of certification. Thanks, StartCom!

Note: The PKI (Public Key Infrastructure) platform of StartSSL is now hosted by a company using IPs from a state-owned telecommunication company. Independent from that we strongly recommend that you always use a CSR (Certificate Signing Request) generated by yourself and not generate the CSR via your browser on an issuer's webpage. Most important: Never give away your private key!

Only Suitable for DNS Names

Important: "StartSSL Free" certificates only work for DNS names, not IP addresses. This means you must have control over the top level domain that you want to create a certificate for. You must have access to specific email addresses hosted at this domain. If you want a trusted certificate for a PRTG installation on a private LAN which is only accessible via private IP address, please consider switching to a DNS name or consider using a certificate from Comodo InstantSSL. They provide certificates for IP addresses, too (see other answers for this question).

Getting started

You have to go through the following steps in order to request and use a free StartCom SSL certificate with PRTG:

  1. Download the PRTG Certificate Importer to ease the installation of the StartSSL certificate. This is not mandatory but we strongly recommend that you use this freeware tool.
  2. Create a StartSSL account.
  3. Validate your domain name.
  4. Create a private create key and a server certificate.
  5. Decrypt your private key (only if you do not use the PRTG Certificate Importer).
  6. Create root certificate.
  7. Copy your new files to the PRTG installation (preferably with the PRTG Certificate Importer) and restart PRTG server services.
  8. Keep your files when upgrading.

Step 1: Download PRTG Certificate Importer

The PRTG Certificate Importer combines and converts all files issued by a certificate authority (CA) automatically for the use with PRTG and saves the certificate files into the correct path on your PRTG server. Find more information about this freeware tool and download it here.

Step 2: Create a StartSSL Account

  • Note: Please use Mozilla Firefox for the following procedure (the StartSSL website uses Firefox specific features).
  • Go to http://www.startssl.com/, navigate to the Products page and follow the link to sign up for a "StartSSL Free" account (URL https://www.startssl.com/?app=12 when this article was written). Click the "Express Lane" option.
  • Enter your name and registration details.
  • You will receive an email with a verification code.
  • After copying the code from the email into your browser a "client certificate" is created and stored in your browser. The client certificate is used for access to your login area at startssl.com (instead of username/password credentials). This is a bootstrapping certificate for authentication purposes. It has nothing to do with the server's certificate you'll be using later on.
  • You should pay attention to the following instructions to back up this bootstrapping certificate to make sure you're not losing access to your StartSSL account.
  • In Mozilla Firefox, select Options | Advanced | Certificates | View Certificates, choose the Your Certificates tab and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now save it on a USB stick or smart card and delete this file from your computer.

Once you have created your account, a server certificate at StartSSL.com is created in two steps: First, you validate your domain name (you must have control over the top level domain). Second, you generate a private server key and certificate.

Step 3: Validate Your Domain Name

  • As the next step, enter the top-level domain name that you want to use later for validation (if you do not use Express Lane, you find this option in the Validations Wizard, Type: Domain Name Validation). At this point only the top-level domain is checked. You do not enter any sub domains, but merely the domain name itself.
  • Select an email address for verification and run through the verification process.

Step 4: Create Private Key and Server Certificate, Download Root Certificate

  • Generate a private key for this domain name (if you do not use Express Lane, you find this option in Certificates Wizard, Certificate Target: Web Server SSL/TLS Certificate). Enter a key password, click continue, and confirm validation.
  • You will now see your SSL key (RSA Private Key).
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,5F7B697613040B0AB63F648B0412D433

qSRUYQFCDioscUXG0usQ9oZikAaWRDxWUxxyS7/y+Z1XwSvJCUsH8DBSGVlmFPoT
Hhvu9yOZ/u+N8meoaucF4vNcKzLcJMb78mn8TwPMMoX95MayQ4njTd+EmPbNliu+

[...]

+zgYMdEBs5IiyZ49NjyAhu5JEMka3WpcNmlr0kGfXV2sU+s0yjaL3L9ynjyyLnr
-----END RSA PRIVATE KEY-----
  • Copy it, save it to a text file (for example, ssl_key.txt), and continue. Note: This is the encrypted key the PRTG Certificate Importer will decrypt later on. You do not need to install OpenSSL for this.
  • Click Continue.
  • Add Domains: Select your domain and continue.
  • Enter a sub domain and continue (for the free product, you can only enter one sub domain).
  • The Overview is shown. Continue.
  • The PEM encoded certificate is shown.
-----BEGIN CERTIFICATE-----
MIIGujCCBaKgAwIBAgIDaQW1MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcaRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0

[...]

1+/ovdIGF9FkcaN/PwcBBU0kWaIcYBOBnYXtsXGajerNsgyjFcCpLjCsNCKseQ==
-----END CERTIFICATE-----
  • Copy it and save it as prtg.crt, using a text editor. Note: When saving the file, enclose the filename in quotes to make sure that the extension .CRT is saved correctly (many text editors may want to save it as .TXT)!
  • Right click the "Root CA certificates" link and choose "Save As" and save the file as "ca-bundle.pem" into the same directory as the certificate (you can do this also later on in the "Tool Box" of the StartSSL "Control Panel"). Rename the file to root.pem.
  • Click finish.

Step 5: Decrypt Private Key

This step is not required when you use the PRTG Certificate Importer!

Use the PRTG Certificate Importer for the installation of the certificate. With this tool you do not have to decrypt the private key manually and you can skip this step 5.
  • In the StartSSL Tool Box (you'll find it in the website's Control Panel), click on Decrypt Private Key and paste the SSL key you saved in Step 3 (ssl_key.txt). Enter your Passphrase and click on Decrypt.
  • The decrypted key should now be displayed. Copy and save it as prtg.key, using a text editor. Please note: When saving the file, enclose the file name in quotes to make sure that the extension .KEY is saved correctly (many text editors may want to save it as .TXT)!

Step 6: Create Root Certificate

In the StartSSL Tool Box, open StartCom CA Certificates. Download "ca-bundle.pem" by clicking on Server Certificate Bundle with CRLs (PEM encoded), save it into the same directory as the certificate, and rename the file to root.pem.

You can skip this step if you have already downloaded a root certificate (bundle) in Step 3.

Step 7: Copy the files into the /cert folder of your PRTG installation

Use the PRTG Certificate Importer for this step.

  1. Open the PRTG Certificate Importer and follow the steps there.
  2. In step 1, provide the path to the downloaded certificate files (for example, "prtg.crt" and "root.pem").
  3. In step 2, provide the path to the private key and, when asked to, enter its passphrase.
  4. Finish step 3 if the validation was successful and switch PRTG to a secure HTTPS server.
  5. Now you can access your PRTG web interface using HTTPS.

Only if you manually import the StartSSL certificate:

Note: We do not recommend that you manually import certificates. Please use the PRTG Certificate Importer.
  • Copy the following files into the /cert subfolder of your PRTG Network Monitor installation (make a copy of PRTG's default certificates for backup purposes):
    • prtg.crt (the certificate of your server)
    • root.pem (the root certificates of the issuer)
    • prtg.key (private key of your server, decrypted)
  • Open the PRTG Administration Tool and select "Secure HTTPS server" for the web server port setting.
  • Restart the PRTG Network Monitor core service and access the PRTG web interface using HTTPS.
  • You should also make a backup copy of your certificate files!

Created on Feb 2, 2010 3:41:26 PM by  Daniel Zobel [Paessler Support]

Last change on Sep 22, 2017 12:04:41 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 12 or later

Option 2: Using a Free Trial SSL Certificate (InstantSSL)

The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings you must install a "trusted certificate". This article explains how you can do this by getting a certificate from Comodo InstantSSL. Apart from official paid-for certificates they also offer free 90-day-certificates that work well for PRTG.

Step 1: Download PRTG Certificate Importer

The PRTG Certificate Importer combines and converts all files issued by a certificate authority (CA) automatically for the use with PRTG and saves the certificate files into the correct path on your PRTG server. Find more information about this freeware tool and download it here.

Step 2: Install Open SSL

  • You also need to download and install Visual C++ 2008 Redistributables if you see this error upon installation: “The Win32 OpenSSL Installation Project setup has detected that the following critical component is missing: Microsoft Visual C++ 2008 Redistributables. Win32 OpenSSL will not function properly without this component. It is recommended that you install the missing component before clicking OK to continue.”.The files can be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF

Step 3: Create your CSR (Certificate Signing Request)

  • Open a command prompt (Start->Run->"cmd") and go to to the c:\openssl\bin folder where the openssl.exe is located (“cd c:\openssl\bin”).
  • Enter the following command:
openssl req -nodes -newkey rsa:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg
  • There will be a few questions for you to answer.
  • The “Common Name” question is the most important: Here you must enter the domain name (or the IP address) that you want to securely use with the webserver of PRTG. Finally your screen should look like this:
C:\OpenSSL\bin>openssl req -new -nodes -keyout prtg.key -out prtg.csr -config openssl.cfg
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..................++++++
.......................................++++++
writing new private key to 'prtg.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuremberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paessler AG
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:prtg.paessler.com
Email Address []:info@paessler.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:.
An optional company name []:.

C:\OpenSSL\bin>
  • More information from Comodo's website:
    When generating your CSR please also be sure to enter your details as follows:
    Country Name: US
    State or Province Name: NJ
    Locality Name: Jersey City
    Organization Name: Comodo
    Common Name: www.domain.com
  • You will now find two new files in the c:\openssl folder:
    • prtg.key: contains a private key. Do not disclose this file to anyone!
    • prtg.csr: This is your certificate request file which must be sent to the certification company.

Step 4: Request your certificate from instantssl.com

  • Go to the InstantSSL website and choose “Free SSL Certificate” (which will give you a free certificate that will be working for 90 days) or choose one of the paid-for options.
  • At the time of writing this article the URL for the free option was: http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html. Click on “Get It Free Now”
  • Open the prtg.csr file which you created before in a text editor and copy and paste the full contents into the instantssl website (copy everything in the file including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----").
  • For “Select the server software used to generate the CSR” select “OTHER” and finally click on “Agree” at the bottom of the page.
  • Depending on the type of certificate some sort of validation process is now performed by Comodo (for example, you will receive emails with requests from them).

Step 5: Preparing the certificate files for PRTG

  • As soon as the validation is checked by Comodo they will provide you with a ZIP file that contains one file with the name of your PRTG domain as well as a few other .crt files. In our sample the files were:
    • prtg_paessler_com.crt (This is the server certificate)
    • AddTrustExternalCARoot.crt
    • ComodoUTNSGCCA.crt
    • EssentialSSLCA_2.crt
    • UTNAddTrustSGCCA.crt
  • Save the certificate files into one directory, together with the private key that you obtained before.

If not done yet, download the PRTG Certificate Importer to import these files correctly for PRTG. Only if you do not use the PRTG Certificate Importer, you have to do the following.

  • Rename the first file (the server certificate file) to prtg.crt
  • Open all other files in a text editor and combine the contents of all files into one file and save it as root.pem (simply copy them into one file, the order is not relevant).

We do not recommend to import certificates manually!

Step 6: Copy the files into the /cert folder of your PRTG installation

Use the PRTG Certificate Importer for this step! Open the PRTG Certificate Importer and follow the steps there.

  1. Provide the path to the downloaded certificate files and to the private key.
  2. Finish if the validation was successful and switch PRTG to a secure HTTPS server.
  3. Now you can access your PRTG web interface using HTTPS.

Only if you manually import the InstantSSL certificate:

We do not recommend to manually import certificates! Please use the PRTG Certificate Importer.
  • Copy the following files into the /cert subfolder of your PRTG Network Monitor installation (make a copy of the existing demo certificates for backup purposes):
    • prtg.crt (the certificate of your server)
    • root.pem (the root certificates of the issuer)
    • prtg.key (private key of your server)
  • Open the PRTG Administration Tool on the PRTG core server and select "HTTPS/SSL on Port 443" for the Web Server Port setting.
  • Now restart the PRTG Network Monitor core service and access the website using HTTPS.
  • You should also make a backup copy of your certificate files!

Created on Feb 2, 2010 4:00:04 PM by  Daniel Zobel [Paessler Support]

Last change on Sep 22, 2017 9:43:20 AM by  Gerald Schoch [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 12 or later

Option 3: Using a Certificate from a Microsoft CA Server

The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings you must install a "trusted certificate". The following article outlines how to install a custom certificate from a Microsoft CA server in order to work with PRTG. For these purposes a valid certificate needs to be generated and the respective functionality needs to be activated for PRTG. This process is outlined below.

Install Root Certificate

Install your Microsoft CA Root certificate on all machines that will access the PRTG web interface URL. You can do so via GPO (Group Policy object). For details, please refer to Microsoft TechNet:

Create a Certificate Signing Request (CSR)

Use Open SSL to create a CSR. For details, please see the article about InstantSSL above (option 2).

Create a Certificate Chain

  1. Go to your Microsoft CA server's web interface using Internet Explorer.
  2. On the "Welcome" page, select the task Request a certificate.
  3. On the "Request a Certificate" page, click advanced certificate request.
  4. You are now on the "Submit a Certificate Request or Renewal Request" page:
    1. Open the CSR you generated before, copy all, and paste it into the Saved Request field.
    2. Choose the "Certificate Template" Web Server.
    3. Click Submit.
  5. On the "Certificate Issued" page, choose Base 64 encoded and click Download certificate chain.

You can use the resulting certificate chain file (for example, *.p7b) with the PRTG Certificate Importer to install the trusted certificate on your PRTG server.

Submitting CSR
Step 4: Submit Your Certificate Signing Request

Import the Certificate

Use the PRTG Certificate Importer to import the certificate for PRTG.

Now you can access your PRTG web interface using HTTPS.

Created on Feb 2, 2010 4:32:32 PM by  Daniel Zobel [Paessler Support]

Last change on Sep 22, 2017 9:58:49 AM by  Gerald Schoch [Paessler Support]



Votes:

1

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 12 or later

Quick and Easy: Using an Existing (Wildcard) Certificate

If you already have a certificate that is certified for the (sub-) domain you are accessing the PRTG web interface from, you can use it with PRTG.

This is what you need

You need three files:

  • Certificate of your server (for example: xyz.example.com)
  • Root certificate(s) of the issuer (if there is more than one, please copy all of them into one root certificate text file, using a text editor - the order does not matter, just copy them together)
  • Private key of your server

Either the issuer of your certificate has sent you a private key file, or it is provided on the issuer's webpage. Please refer to the issuer's FAQ regarding the private key.

The server certificate and the root certificate(s) are usually downloaded from the supplier's webpage directly.

Import the Certificate

Use the PRTG Certificate Importer to install the wildcard certificate on your PRTG server.

Now you can access the PRTG web interface using HTTPS.


Only for a Manual Certificate Import

You have to go through the following steps only if you do not use the PRTG Certificate Importer.

Note: We do not recommend that you manually import certificates. Please use the PRTG Certificate Importer.

Converting and Encrypting

Open your certificate files in a text editor and have a look at them.

Please make sure your certificates and key files are PEM encoded (have a look at PRTG's original cert files to get an idea how PEM encoded files have to look like). Use SSL converter tools, if necessary (https://www.sslshopper.com/ssl-converter.html).

The private key has to be decrypted! If the private key is encrypted (this will be indicated accordingly in the file), please use the private key file in combination with the password your issuer has sent along to generate another private key file which is not encrypted:

  1. Download openssl.
  2. On command line, run: openssl rsa -in [encrypted-key].key -out prtg.key
  3. At the Enter PEM pass phrase prompt, enter the password for the key

Copy and Rename the Files

Once you have collected (or created) the files, copy them to the /cert sub-folder of your PRTG core installation (make a backup of the existing files in this folder for later recovery). If necessary, rename your new files as follows:

  • prtg.crt (the certificate of your server)
  • root.pem (the root certificate of the issuer)
  • prtg.key (private key of your server, decrypted)

Final settings for PRTG

  • Now restart the PRTG Network Monitor Core service and access the PRTG web interface using HTTPS.

Done!

Created on Feb 3, 2010 12:57:08 PM by  Daniel Zobel [Paessler Support]

Last change on Sep 22, 2017 12:04:27 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Your Vote:

Up

Down

Option 4: Set Up Your Own Certification Authority

If you access your PRTG server from within your own domain only, you can consider setting up your own Certification Authority (CA).

Created on Mar 11, 2010 2:11:20 PM by  Daniel Zobel [Paessler Support]



Votes:

0

Your Vote:

Up

Down

In Regards to Option 3: Using a Certificate from a Microsoft CA Server

You must name the files prtg.crt and prtg.key or PRTG service will not start, it seem this was written down for all the other options apart from this one.

Created on Apr 16, 2010 9:40:23 AM by  Jamie Parker (0)

Last change on May 21, 2012 1:54:02 PM by  Daniel Zobel [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 12 or later

Certificates for PRTG (Apache) from PFX file

Use the PRTG Certificate Importer to install certificates from PFX files on your PRTG server.

  • Download and run the PRTG Certificate Importer.
  • Provide the path to your certificate files. You need the PFX file (cert.pfx) and the intermediate CA bundle for Apache server (renamed to root.pem, for example).
    • Note: An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you. Such certificates are called chained root certificates. The Root and Intermediate CA certificates are contained within the 'ca-bundle' file.
  • After the PRTG Certificate Importer has installed the certificate on your server, switch PRTG to a secure HTTPS server via system administration.

Now you can access the PRTG web interface using HTTPS.


Only if you manually import certificates from a PFX file:

Note: We do not recommend that you manually import certificates. Please use the PRTG Certificate Importer.
  • You need to have Openssl software
  • Copy PFX file (cert.pfx) into your OpenSSL/Bin directory
  • Open OpenSSL in the command line
  • Type in the following command to transform your PFX file into a PEM file: openssl pkcs12 -nodes -in cert.pfx -out keys.pem
  • Go to your OpenSSL/Bin directory and locate the keys.pem file and open it in a text editor
  • Locate the Private Key, which includes and is defined by the text '-----BEGIN RSA PRIVATE KEY----- .... certificate contents .... -----END RSA PRIVATE KEY-----, copy the Private Key, open a new text editor, paste the Private Key into the text editor and save as prtg.key
  • Locate the SSL certificate, which includes -----BEGIN CERTIFICATE----- .... certificate contents .... -----END CERTIFICATE-----, copy the SSL certificate, open a new text editor, paste the SSL certificate into the text editor and save as prtg.crt
  • Download Intermediate CA bundle for Apache server. Save as root.pem
    Note: An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you. Such certificates are called chained root certificates. The Root and Intermediate CA certificates are contained within the 'ca-bundle' file.
  • Copy these three files to the PRTG core server's C:\Program Files (x86)\PRTG Network Monitor\cert folder
  • Restart the “PRTG Core Server Service” service

Created on Jul 6, 2011 1:51:47 PM by  Patrick Hutter [Paessler Support] (7,144) 3 3

Last change on Sep 22, 2017 12:06:44 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 12 or later

Using a GoDaddy SSL Certificate with PRTG

Please find detailed information in the following article:

How to get a GoDaddy SSL Certificate running with PRTG?

Created on Oct 1, 2013 9:45:18 AM by  Daniel Zobel [Paessler Support]



Votes:

0

Your Vote:

Up

Down

This article applies to PRTG Network Monitor 13 or later

Using a DigiCert SSL Certificate with PRTG

Please find detailed information in the following article:

How to get a DigiCert SSL Certificate running with PRTG?

Created on Oct 28, 2013 4:23:38 PM by  Gerald Schoch [Paessler Support]



Votes:

0

Your Vote:

Up

Down

How different is the procedure in Option 3 in a clustered PRTG environment?

Created on Mar 5, 2014 4:02:38 PM by  A Kupi (0)



Votes:

0

Your Vote:

Up

Down

Both the master and failover use the same core and server software so you should be able to replace the certs on the failover the same way as the master and that should work.

Created on Mar 6, 2014 6:42:53 PM by  Greg Campion [Paessler Support]



Votes:

0

Your Vote:

Up

Down

If I access the PRTG server from my enterprise LAN and also from a public IP. Do I need to create 2 different certificates, one for the local IP and other for the public IP?

Created on May 30, 2014 4:35:39 PM by  jf_hernandez (0) 1



Votes:

0

Your Vote:

Up

Down

@jf_hernandevz: No you don't need separate certificates here, the same certificate is used for the whole web interface. The IP does not matter here.

Created on Jun 2, 2014 8:48:13 AM by  Konstantin Wolff [Paessler Support]



Please log in or register to enter your reply.


Disclaimer: The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.