You receive a certificate expired or certificate not found error on startup

Issue: When starting up the IMS service the HTTPS services stop working or provide a certificate expired error.

Applies To:

  • OpenIZ Immunization Management Server

Symptoms:

  • When starting up the IMS you see a log file which lists a certificate not found or certificate is invalid error

  • When navigating directly to the IMSI or AMI services (or any other service secured with a certificate) you notice a red address bar in the browser.

Cause: The primary cause of this error is either the certificate installed is not complete (does not have the private key), is expired (expiry time has passed), is not a valid SSL certificate for HTTP traffic (i.e. is a code signing certificate), or is not installed on the server.

Solution:

  1. Verify the certificate is installed on the machine and has a private key: 1. Launch a new Microsoft Management Console by pressing Windows + R and typing mmc 2. Select File > Add / Remove Snap-In

  2. If the certificate is not installed, you can import it. 1. Ensure that you acquire a PFX file from your certification authority. 2. Right click on the Personal folder in the administration console and select All Tasks > Import

  3. Register the certificate in the configuration file 1. In the MMC panel (if you have not opened it see above) locate the certificate you want to secure your service with. Double click on the certificate and select the details tab. Locate the serial number attribute and copy the value.

       <service name="RISI" behaviorConfiguration="risi_behavior">
         <host>
           <baseAddresses>
             <add baseAddress="https://0.0.0.0:8443/risi" />
           </baseAddresses>
         </host>
         <endpoint address="https://0.0.0.0:8443/risi" binding="webHttpBinding" name="RISI" contract="RISI_1.0" bindingConfiguration="risi_binding" />
       </service>
       </services>
    1. Locate the appropriate <behavior> element. If necessary add the <serviceCredentials> element (if it is present do no add another entry, simply update the existing). Paste the copied serial number to the findValue attribute ensuring to remove any hidden characters or spacing between digits:

      <behavior name="risi_behavior">
          <serviceCredentials>
            <serviceCertificate storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" findValue="68aaae85346680a1458d71271b940438"/>
          </serviceCredentials>
    2. Open a command prompt as a Windows Administrative user.

    3. Generate a random UUID for your registry entry (you can use https://www.uuidgenerator.net/)

    4. Run the following command to reserve the SSL certificate substituting ipport with the public IP of the machine (or 0.0.0.0 for all IP addresses) and port the service is listening on, substituting certhash with the copied findValue from step #3.

      netsh http add sslcert ipport=0.0.0.0:8443 certhash=68aaae85346680a1458d71271b940438 appid={b751f248-8cf6-4d2b-b8bf-0302d5a52226}
    5. Restart the OpenIZ host process with

      • net stop openiz

      • net start openiz

Last updated