Jump to content

Passwordstate Certificates Explained


Recommended Posts

Passwordstate is a self hosted website, and all websites using the secure HTTPS protocol require a certificate which the browser analyses and determines whether it is secure or not.  This forum post will help you understand the different certificate types, and will guide you through the process of using these different types of certificates.



Part One: Certificate Best Practices

A good certificate should come from a trusted source, and should also match the URL of your Passwordstate website.  All certificates have an expiry date which can range from a year to many years, depending on the certificate source.


There are three different types of certificates that Click Studios recommends for your Passwordstate web site, all have their pros and cons.  There are Self Signed Certificates, Certificates issued from an internal Certificate Authority, and Certificates issued from an online Authority.




Part Two: Self Signed Certificates

When you install Passwordstate for the first time, the default URL that is chosen by the installer is the name of your server, as under most circumstances this should have a functioning DNS entry for you already.  It is possible to change the URL to anything you like during the initial install, but if you change it you must ensure you create a new functioning DNS entry for this URL.


Whether you leave the default URL as the server name, or choose a custom URL, the installer process will create a Self Signed certificate that matches that URL.  This is the first step in getting your browser to trust the certificate which makes for a nicer end user experience.



* Easy to create, can just use Powershell whenever needed

* Free



* Browsers don't trust them by default

* Will require manual work to get browser to trust them

* Cannot use a wild card with this type of certificate


When to Use:

* If you are only a small corporation

* Don't have many users

* Do not wish to spend any money on a certificate

* Do not intend on accessing Passwordstate outside your own network

* Do not mind installing a certificate for via your Browser as a once off process for each machine, or every time your Browser cache is emptied


Links related to Self Signed Certificates:

Creating a new Self Signed Certificate: https://forums.clickstudios.com.au/topic/14906-create-new-self-signed-certificate-powershell/

Changing the Passwordstate URL to something custom: https://www.clickstudios.com.au/community/index.php?/topic/1465-changing-the-passwordstate-url/


Fixing a browser warning if it does not trust the certificate - Follow the SSL Certificate Considerations section in this document: https://www.clickstudios.com.au/downloads/version9/Installation_Instructions.pdf





Part Three: Certificate Issued from an internal Certificate Authority (CA)

An internal certificate authority is a role that you enable on one or more of your domain controllers, assuming you have Passwordstate installed on a computer joined to a domain.  Once you enable this role on your server, you can issue certificates for applications that require a certificate, that will be running on your domain.  Certificates from an internal CA are trusted by default by your browser, as long as you are accessing Passwordstate from a domain joined machine.



* Better security

* Free

* Browsers will not complain if accessing Passwordstate from a domain joined machine

* can use a wildcard certificate, meaning you can have multiple URLs with the same certificate



* Requires a configuration change to your domain controller

* Browsers will still complain if you access Passwordstate outside your own network, or from a non domain joined machine


When to Use:

* If you have Passwordstate joined on a domain joined server

* You already have an internal CA set up is a bonus

* You do not anticipate accessing Passwordstate from outside your own network, or from a non domain joined machine


Links related to Internal CA issued certificates:

How to set up a internal Certificate Authority: https://www.clickstudios.com.au/community/index.php?/topic/2934-how-to-set-up-a-internal-certificate-authority/

Generate a certificate from an internal CA, and use it on your Passwordstate website: https://www.clickstudios.com.au/community/index.php?/topic/1952-generate-a-new-certificate-from-active-directory-certificate-authority/


Changing the Passwordstate URL to something custom: https://www.clickstudios.com.au/community/index.php?/topic/1465-changing-the-passwordstate-url/





Part Four: Using an Online Certificate Authority

There are business online that you can use which will issue you the most secure type of certificate for your Passwordstate website, but these do come at a cost.  The certificates can either come with a static DNS name or for a little more money you can buy a wildcard certificate.  Click Studios are not affiliated with any online certificate authorities, and therefore would prefer not to recommend any of these over another one.


We'd recommend Googling online certificate authorities and making your own decision on who to go with.



* Most secure type of certificate that all browsers will accept without issue

* Best end user experience if access Passwordstate from inside, or outside your own network, and from non domain joined machines



* There is a cost involved with these types of certificates


When to Use:

* Can be used in Passwordstate under all circumstances, whether you are a big or small company, and if you are accessing Passwordstate from anywhere

* Ideal for using when accessing Passwordstate outside your own network, or from non domain joined machines

* wild card certificates can also be reused for other Passwordstate features, like the Browser Based Gateway, the Self Destruct Site or maybe the Mobile website

* If you are an MSP, and intend on using the Browser Based Gateway with multiple Remote Sites across the internet, a wildcard certificate of this type is required.  This will allow you to RDP and SSH into remote networks, for more information about this, please request advice from Click Studios Support.


Links related to Online Certificate Authorities

Changing the Passwordstate URL to something custom: https://www.clickstudios.com.au/community/index.php?/topic/1465-changing-the-passwordstate-url/



If you still have any questions about any of the information above, please log a support call with Click Studios on support@clickstudios.com.au






Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...