This article applies to PRTG Network Monitor 13 or later

Using a GoDaddy SSL Certificate with PRTG

SSL certificates are used to encrypt data so that unauthorized persons cannot access sensitive data like passwords from your PRTG installation. Furthermore, SSL certificates ensure that you are connected to the correct server. The encryption of traffic already works after initially installing PRTG.

PRTG Network Monitor contains a default SSL certificate for its web server. This way all communication between your browser and PRTG is encrypted using SSL and you can securely use the web interface through HTTPS.

However, this certificate does not match the DNS name (or IP address) of your PRTG installation and, thus, web browsers will always show a warning message when they connect to PRTG's web server.

In order to avoid browser warnings, you can install a trusted certificate for the PRTG web server. A well-known issuer for SSL certificates is GoDaddy. This article will show you prerequisites, how to generate a Certificate Signing Request (CSR) for your PRTG server, how to get a certificate from GoDaddy, and how you prepare the collected files for the use in PRTG.

Prerequisites: Install Open SSL

You need a tool to create a Certificate Signing Request (CSR) and a corresponding private key. In this article we will show how to generate these files with OpenSSL.

• If not done yet, install the Microsoft Visual C++ 2008 Redistributable Package. You will need it in order to avoid an error message when trying to run OpenSSL. You can download it here. Please follow the instructions there.
• Download and install Win64 OpenSSL Light (or the Win32 version, according to your Windows version). You can get it here. Open the downloaded executable and follow the installation instructions. By default, all OpenSSL files will be installed into the C:\Openssl-Win64 folder (or C:\OpenSSL, according to the chosen version).

Step 1: Download PRTG Certificate Importer

The PRTG Certificate Importer combines and converts all files issued by a certificate authority (CA) automatically for the use with PRTG and saves the certificate files into the correct path on your PRTG server. Find more information about this freeware tool and download it here.

Step 2: Create your Certificate Signing Request

1. Open a command prompt and navigate to the \bin folder of your OpenSSL directory as created before. For example: cd c:\openssl-win64\bin
2. Enter the following command: openssl req -new -nodes -newkey RSA:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg
3. Answer the prompted questions.
4. Most important: Provide the correct Common Name. This has to be the DNS name or IP address that you want to securely use with the webserver of PRTG.
5. Leave the challenge password blank, i.e., enter a dot (.). You can do the same with email address and optional company name.
6. Finally, the command prompt will look like this, depending on your given information:

c:\OpenSSL-Win64\bin>openssl req -new -nodes -newkey RSA:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
............................................+++
..............+++
writing new private key to 'prtg.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuremberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paessler AG
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

c:\OpenSSL-Win64\bin> 

Step 3: Purchase and Request SSL Certificate

1. Go to the webpage of GoDaddy and navigate to Products | SSL & Security | SSL Certificates.
2. Purchase the most suitable SSL certificate. Standard SSL with Single Domain should be fine. A Wildcard certificate would protect your URL and an unlimited number of its subdomains. See this page for more information. You can find more instructions about the process of purchasing at GoDaddy’s.
3. Activate the SSL credit after purchasing. You can find detailed instructions here. We will summarize and apply the steps to PRTG specific issues in the following.
4. Log in to your GoDaddy account, “Visit My Account”, and go to the Products tab.
5. Click on SSL Certificates and on Set Up for the respective credit. It will be activated afterwards.
6. Click on Launch for this SSL and open Credits on the left.
7. Click on Request Certificate.
8. Select the appropriate hosting type, that is for PRTG Third Party or Dedicated Server or Virtual Private Server (VPS) without Simple Control Panel.
9. Open prtg.csr you created before with a text editor and copy the whole CSR text, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----
10. Paste the CSR into the field which is provided in GoDaddy’s web interface now.
11. Finish the request providing further necessary information (three times Next). Then the verifying process of your application takes place which will take some time.
    • GoDaddy's Products Tab with SSL Certificates

Step 4: Preparing the Certificate Files for PRTG

After the validation has finished, you can find your SSL certificate in your GoDaddy account manager.

Choose "Apache" as Server Type

1. Open SSL Certificates and click on Launch for the created certificate. You will see a page with contents and details of the certificate.
2. Download the ZIP file containing all necessary files by clicking the corresponding button in the header bar.
3. Select the server type. For PRTG choose Apache. Click on Download and save the ZIP file on your system. It will contain both the certificate you requested and additional certificates.
4. Extract the files to some temporary folder.
5. Download and run the PRTG Certificate Importer. This tool will automatically combine and convert all certificate files correctly for PRTG. Go on with Step 5.

Only if you do not use the PRTG Certificate Importer, you have to rename the files:

• The file with the common name, i.e., the server FQDN: prtg.crt
• The other file (e.g., “gd_bundle”): root.pem
  Note: If there are more files than this other file, combine their contents with a text editor to one single file and save it as root.pem

We do not recommend that you manually import certificates!

Step 5: Copy the Created Files into the PRTG Program Directory

Use the PRTG Certificate Importer for this step.

• Open the PRTG Certificate Importer and follow the steps there.
• Provide the path to the downloaded certificate files and to the private key (located in the \bin subfolder of OpenSSL).
• Finish if the validation was successful and switch PRTG to a secure HTTPS server.

Now you can access your PRTG web interface using HTTPS.

Only if you manually import the GoDaddy certificate:

Copy the files you have created into the /cert subfolder of your PRTG installation. Important notice: Make a copy of the existing PRTG cert files for backup purposes!

The files you have to copy are:

• prtg.key: your private key, located in the \bin subfolder of OpenSSL
• prtg.crt: the certificate of your server
• root.pem: the root certificate(s) of your issuer

Make a backup copy of these files as well before using them in PRTG.

Step 6: Apply Certificates to PRTG

• Ensure the PRTG web server SSL. You can check this in the PRTG Administration Tool, tab Web Server. Select Secure HTTPS server (Port 443) or Expert configuration: Use SSL encryption to use a secure web server with SSL encryption.
• Restart the PRTG core service and access your PRTG web server using HTTPS.

Troubleshooting

If you cannot start PRTG anymore with the new certificate, please try to load the certificate with OpenSSL. Please see this page for a list of available OpenSSL commands.

If this test works and you did not use the PRTG Certificate Importer but imported the certificate manually, ensure that you created and copied all necessary into the right folder. Also make sure that your private key is decrypted. You can check this by opening the key file in an editor. If it is not decrypted, there will be a line stating that the key is encrypted.

You can also revert to your backed up certificate files.