How to Secure Your Passbolt Instance with an SSL Certificate on Windows

6 min. read

Passbolt team

24 February, 2025

Introduction

When managing passwords, secrets and other sensitive data, security should always be a top priority. One of the most important steps in securing your passbolt instance is enabling HTTPS, that is, TLS encryption (still commonly called SSL). This ensures that all communication between users and the server stays confidential and cannot be read or altered by anyone on the network path.

If your passbolt instance runs without SSL, users may see browser security warnings, and sensitive data could be intercepted by attackers. Whether you are setting up a self-signed certificate for testing or configuring a certificate from a Certificate Authority (CA) for production, this guide will help you generate, configure, and install SSL certificates for passbolt on Windows.

What you will need

Before we get started, ensure you have the following:

  • A Windows client machine with administrator privileges.
    • Microsoft Management Console (MMC), plus the certreq and certutil tools that ship with Windows.
  • sudo access to the passbolt server.
  • Some additional tools:
    • OpenSSL (on the Windows machine, for the PFX to PEM conversion)
    • An SCP/SFTP client (e.g., scp, FileZilla) to copy the files to the server

IMPORTANT: This guide describes a somewhat advanced method. It assumes you are familiar with OpenSSL and have already generated other certificates. If you do not have experience working with MMC or OpenSSL, we recommend using the classic self-signed certificate configuration instead.

What is an SSL Certificate?

An SSL certificate (the name comes from Secure Sockets Layer, the predecessor of today's TLS) is a digital certificate that binds a server's public key to its host name and is signed by an issuer. The certificate itself does not encrypt anything: it lets the client verify that it is talking to the genuine server, and the TLS handshake then negotiates the keys that encrypt the session. A valid certificate on your passbolt server is what makes HTTPS both confidential and authenticated, and it is essential for securing web applications like passbolt against eavesdropping and impersonation.

For production environments, a certificate issued by a trusted CA is recommended. However, for internal or testing purposes, a self-signed certificate, or one issued by your own internal CA, is a viable option, as long as every client that connects is configured to trust it.

What are the benefits of using an SSL certificate for your passbolt instance?

Using an SSL certificate isn't just about security; it improves user trust, compliance, and data integrity. Here's how:

  • Encrypts sensitive data in transit - TLS encrypts passwords and other sensitive information between the browser and the server. Anyone capturing the traffic sees only ciphertext, and any modification of the data in transit is detected and the connection is aborted.
  • Prevents browser security warnings - Modern browsers warn users when they visit a site over plain HTTP or when its certificate is not trusted. This can create trust issues for teams using passbolt. With a valid certificate, the browser displays a padlock icon in the address bar, signaling a secure and trusted connection.
  • Protects against MITM attacks - A Man-in-the-Middle (MITM) attack occurs when an attacker intercepts communication between two parties to steal or alter the data being exchanged. TLS defeats this only when the client actually verifies the certificate: it must chain to a CA the client trusts and its Subject Alternative Name must match the host name the user typed. That is why, with a self-signed or private-CA certificate, the CA certificate must be installed on every client (see the last section), and why users should never get used to clicking through certificate warnings.

Generating an SSL Certificate on Windows

In this guide, we will show you how to create an SSL certificate on Windows. All you need to do is follow these steps:

Step 1: Open PowerShell as Administrator

Before proceeding, ensure you have administrative privileges.

  • Click Start, type PowerShell, then right-click and select "Run as administrator".

Step 2: Create an information file with the certificate request details

Following the official Microsoft documentation, this information (.inf) file is the input for every new certificate request made with certreq. Their documentation has a table describing all the available parameters. In our case, we will generate something like this (save it as request.inf):

[NewRequest]
Subject = "CN=passbolt.local, O=Passbolt SA, L=Esch-Sur-Alzette, ST=Esch-Sur-Alzette, C=LU"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=passbolt.local&"

You can adapt this example following the official documentation, adding or removing parameters depending on your needs. Replace passbolt.local with the host name of your passbolt instance (the one in fullBaseUrl), in both the Subject and the [Extensions] section.

  • Subject
    • The Distinguished Name (DN) that identifies the entity for which the certificate is being requested. The CN should be the host name, but on its own it is no longer enough for browsers (see [Extensions] below).
  • KeySpec
    • The type of key to create. 1 (AT_KEYEXCHANGE) is a key that can be used for key exchange as well as signing, which is what SSL/TLS server certificates need.
  • KeyLength
    • The length of the RSA key in bits. 2048 bits is the usual minimum and provides a good balance between security and performance.
  • Exportable
    • Whether the private key can be exported from the Windows key store. It must be TRUE here, because in Step 6 we export the key in order to move it to the passbolt server.
  • MachineKeySet
    • Stores the key in the machine's key store rather than the current user's. This is required for server certificates, and it is why the certificate will later appear under the Local Computer store in MMC.
  • RequestType
    • The request format. PKCS10 refers to Public Key Cryptography Standards #10, the standard format for certificate signing requests (CSR).
  • [Extensions] / 2.5.29.17
    • Adds a Subject Alternative Name (SAN) extension listing the DNS name(s) the certificate is valid for. Chrome, Edge and Firefox validate the host name against the SAN only; a certificate without one fails with a name-mismatch error even when the CN is correct. Add one _continue_ line per additional name, each ending with &.

Step 3: Generate a private key and certificate request

When the information file has been written and saved, we generate a private key and certificate request from it:

certreq -new request.inf request.req

This creates the private key in the machine's key store (it does not leave the machine at this stage; Windows tracks the pending request under the Certificate Enrollment Requests store) and writes the PKCS#10 certificate signing request to request.req, which is what the CA will sign.

Step 4: Submit the Certificate Request and Export the Certificate

The request must now be signed by a Certificate Authority (CA). certreq -submit sends it to a CA: on a domain-joined machine with an Active Directory Certificate Services enterprise CA the CA is selected (or offered in a dialog), otherwise name it with -config "CAHost\CAName". If you run the CA yourself, you approve the request there. The signed certificate is written to certificate.cer:

certreq -submit request.req certificate.cer

If the CA leaves the request pending, approve it on the CA and fetch the result with certreq -retrieve, using the request ID that certreq printed. If the issued certificate does not show up under Personal > Certificates in Step 6, install it with certreq -accept certificate.cer, which pairs it with the private key generated in Step 3.

Step 5: Convert the certificate to PEM format

When running the passbolt installation or reconfiguration command, the certificate needs to be in PEM format (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines). certreq normally writes a binary DER file, so convert it with:

certutil -encode certificate.cer certificate.pem

Check certificate.cer first: if it already starts with -----BEGIN CERTIFICATE-----, it is PEM already and running certutil -encode on it would Base64-encode it a second time.

Step 6: Export the Private Key

To use the certificate in passbolt, you also need the private key, which is still in the Windows key store:

  1. Open the Microsoft Management Console (MMC).
  2. Add the Certificates snap-in for the Local Computer account (the key was created with MachineKeySet = TRUE, so it is not in your user store).
  3. Navigate to the Personal > Certificates store.
  4. Find the certificate issued from the request (its Subject is the CN from the request file and the General tab states that you have a private key that corresponds to it) and export it along with the private key:
    1. Right-click the certificate, select All Tasks > Export.
    2. In the wizard choose "Yes, export the private key", the PFX (.pfx) format, and protect the file with a strong password. The PFX now contains your server's private key: keep it off shared drives and delete it once the PEM files have been produced.

Step 7: Convert the PFX File to PEM Format

The private key lives in the Windows key store, so the PFX export from Step 6 is the way to get it out. We convert the PFX to PEM using OpenSSL:

openssl pkcs12 -in certificate.pfx -out certificate_and_key.pem -nodes

OpenSSL prompts for the PFX password. -nodes writes the private key unencrypted, so treat certificate_and_key.pem with the same care as the PFX. If OpenSSL 3 rejects the file with an "unsupported" algorithm error, the PFX was encrypted with a legacy cipher; rerun the command with the -legacy option.

The final step before transferring them is to split the private key and the certificate into separate .pem files:

openssl pkey -in certificate_and_key.pem -out private.pem
openssl x509 -in certificate_and_key.pem -out certificate.pem

Now you have both certificate.pem and private.pem, ready for use with passbolt. Before copying them, delete certificate_and_key.pem and the PFX, and when you copy private.pem to the server make sure it ends up owned by root with mode 0600 (the web server reads it as root at start-up; nothing else needs it).
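The whole Windows-side procedure (Steps 2 to 7) as one script, added here as an example; it is not part of the original article or of passbolt's own tooling. Everything named in it is an assumption: the host name passbolt.local, the working directory C:\passbolt-cert, the CA configuration string CA01\Passbolt-Internal-CA, the placeholder PFX password, and openssl.exe being on PATH. It goes slightly beyond the text in three places: the request file carries the subjectAltName extension browsers require, the PFX password is passed to OpenSSL through the environment instead of the command line, and the resulting certificate and key are checked against each other before the intermediate files are deleted.

```powershell
#Requires -RunAsAdministrator
# Added example, not passbolt's code. Run as a .ps1 from an elevated PowerShell.
param(
    [string]$HostName    = 'passbolt.local',               # assumed: host name in fullBaseUrl
    [string]$WorkDir     = 'C:\passbolt-cert',             # assumed working directory
    [string]$CaConfig    = 'CA01\Passbolt-Internal-CA',    # assumed AD CS CA; '' lets certreq prompt
    [string]$PfxPassword = 'change-me-before-running'      # placeholder: use a long random value
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
Set-Location $WorkDir
Remove-Item request.req, certificate.cer, certificate.pfx, certificate_and_key.pem -ErrorAction SilentlyContinue

# Step 2: request file. [Extensions] adds subjectAltName (OID 2.5.29.17); without it
# Chrome/Edge/Firefox report a name mismatch even when the CN is correct.
@"
[NewRequest]
Subject = "CN=$HostName, O=Passbolt SA, L=Esch-Sur-Alzette, ST=Esch-Sur-Alzette, C=LU"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$HostName&"
"@ | Set-Content -Path request.inf -Encoding ASCII

# Step 3: private key goes into the machine key store, CSR goes to request.req
certreq -new request.inf request.req
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }

# Step 4: have the CA sign it; -accept pairs the issued cert with the key in LocalMachine\My
$submitArgs = @('-submit')
if ($CaConfig) { $submitArgs += @('-config', $CaConfig) }
certreq @submitArgs request.req certificate.cer
if (-not (Test-Path certificate.cer)) {
    throw 'No certificate issued. If the CA left the request pending, approve it and run: certreq -retrieve <RequestId> certificate.cer'
}
certreq -accept certificate.cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# Step 5: DER -> PEM (-f overwrites an existing certificate.pem). Step 7 rewrites the same
# file from the PFX, so the two copies are identical.
certutil -f -encode certificate.cer certificate.pem | Out-Null

# Step 6: export certificate + private key as PFX (same as the MMC wizard)
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$HostName*" -and $_.HasPrivateKey } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $HostName with a private key in LocalMachine\My" }
$secure = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath certificate.pfx -Password $secure | Out-Null

# Step 7: PFX -> PEM. The password is read from the environment (env:), so it does not
# appear in the process command line. -nodes leaves the key unencrypted on disk.
$env:PFX_PASS = $PfxPassword
openssl pkcs12 -in certificate.pfx -passin env:PFX_PASS -nodes -out certificate_and_key.pem
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 failed; with OpenSSL 3 and a legacy-cipher PFX add -legacy' }
openssl pkey -in certificate_and_key.pem -out private.pem
openssl x509 -in certificate_and_key.pem -out certificate.pem

# Check: the public key inside certificate.pem must equal the one derived from private.pem.
$certPub = (openssl x509 -in certificate.pem -noout -pubkey) -join "`n"
$keyPub  = (openssl pkey -in private.pem -pubout) -join "`n"
if ($certPub -ne $keyPub) { throw 'certificate.pem and private.pem do not belong together' }

# Remove every copy of the key except private.pem, which is the one copied to the server.
Remove-Item certificate_and_key.pem, certificate.pfx
Remove-Item Env:PFX_PASS
Write-Host "Ready: $WorkDir\certificate.pem and $WorkDir\private.pem (copy private.pem with scp, then delete it here)"
```

The -config value is the "CAHost\CAName" string certreq uses to address an AD CS CA; leave it empty to get the CA picker dialog. The script stops rather than guessing if the CA puts the request on hold, because only the CA operator can release it.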

Configuring Passbolt to Use the SSL Certificate

Now that we have the SSL certificate and private key, we need to configure passbolt to use them.

If you are performing a fresh installation of passbolt, follow the standard installation process, which includes SSL configuration as part of the setup. If passbolt is already installed, reconfigure it to use the newly created certificate and its private key, following our manual HTTPS documentation. Whichever path you take, copy certificate.pem and private.pem to the server with scp or SFTP, not by pasting the key into a ticket or chat.

OPTIONAL: Updating the CA certificates (If you're acting as your own CA)

If your certificate was issued by your own CA rather than a publicly trusted one, the passbolt server itself should also trust that CA. passbolt's health check connects to fullBaseUrl and validates the certificate, and server-side tools such as curl do the same, so without this step they report the certificate as untrusted even though browsers that have the CA installed are happy.

Here's how to identify, copy and update your CA certificate on your own server.

A CA certificate (Certificate Authority certificate) is the certificate of the authority that signs other certificates, thus establishing a chain of trust. When you create your own certificates for internal use, you often act as your own CA.

If you are acting as your own CA, you should have a CA certificate file, often named something like ca-cert.pem. Only this public CA certificate goes into the trust store; never the CA's private key, and not the server certificate itself. If you do not have a separate CA certificate (a purely self-signed server certificate), you do not need to update the CA certificates on your Linux server.

If you have a CA certificate, copy it to the directory the trust store tools read. On Debian and Ubuntu the file must be PEM and must carry the .crt extension or it is ignored:

sudo cp /path/to/ca-cert.pem /usr/local/share/ca-certificates/ca-cert.crt

Run the following command to update the CA certificates

sudo update-ca-certificates

On RHEL-based systems (Rocky, Alma, Fedora) the equivalent is to copy the file into /etc/pki/ca-trust/source/anchors/ and run sudo update-ca-trust.

Testing the configuration

After completing the setup, verify that the SSL certificate is correctly installed.

Server-Side Test

Run the following command to check that the server presents the new certificate and that it verifies against your CA (add -servername so the server receives the host name in the TLS handshake, as a browser would):

openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -CAfile /path/to/ca-cert.pem </dev/null

In the output, the subject and issuer lines must show your certificate and CA, and the last lines must say "Verify return code: 0 (ok)". Any other code (for example 21, unable to verify the first certificate) means the chain is incomplete or the CA file is wrong.

Client-Side Test

You should verify the SSL certificate in your web browser to ensure that it is correctly installed and trusted.

  1. Open your browser on the Windows machine and navigate to the URL configured as fullBaseUrl in passbolt.
  2. Ensure there are no SSL warnings, then click the padlock and view the certificate: the issuer must be your CA, the expiry date must be in the future, and the host name must appear under Subject Alternative Name.
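A client-side check that shows the same things a browser would decide, added here as an example and not taken from the article or from passbolt. It performs a real TLS handshake from the Windows machine (with SNI, like a browser), lets Windows validate the chain against its own certificate stores, and reports the verdict instead of hiding it behind a generic error. The host name passbolt.local and port 443 are assumptions; run it as a .ps1 so the $script: scope used by the callback exists.

```powershell
# Added example, not passbolt's code. Performs a TLS handshake and reports what Windows
# decided about the server certificate, without aborting on a validation failure.
function Test-PassboltTls {
    param(
        [string]$HostName = 'passbolt.local',   # assumed: host name in fullBaseUrl
        [int]$Port = 443
    )
    $script:policyErrors = $null
    $script:chainStatus  = @()

    # Record the verdict and return $true so the handshake completes and we can inspect the cert.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:policyErrors = $sslPolicyErrors
        if ($chain) {
            $script:chainStatus = @($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() })
        }
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)   # $HostName is sent as SNI and used for the name check
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '(none: browsers will reject this certificate)' }

        return [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            SAN          = $san
            Protocol     = $ssl.SslProtocol
            PolicyErrors = $script:policyErrors          # None = trusted and name matches
            ChainStatus  = ($script:chainStatus -join '; ')
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

Test-PassboltTls | Format-List
```

PolicyErrors is the decisive field: RemoteCertificateChainErrors means the CA is not in the Windows trust store (the last section fixes that), RemoteCertificateNameMismatch means the host name is not in the SAN, and None means a browser on this machine will show the padlock. ChainStatus spells out the chain problem when there is one.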

Installing the Certificate on Windows Machines

If your certificate is not signed by a public CA, you will need to install the CA certificate (the CA's public certificate only, never the server certificate and never a file containing a private key) on all Windows machines that need to trust this SSL certificate. Importing it into the computer store makes it trusted for every user of that machine; the current-user store would cover only one account.

Step 1: Open the Trusted Root store

  1. Open Microsoft Management Console (MMC).
  2. Add the Certificates snap-in for the Computer account.
  3. Expand Trusted Root Certification Authorities.

Step 2: Import the Root CA Certificate

  1. Right-click Certificates under Trusted Root Certification Authorities and select All Tasks > Import.
  2. Select your CA certificate and complete the wizard, keeping "Trusted Root Certification Authorities" as the destination store.
  3. If your CA has an intermediate that signed the server certificate, import that one into Intermediate Certification Authorities instead.

That's it. After completing these steps, Windows will trust your passbolt SSL certificate, and the browser test above should pass without warnings. On a domain, you can distribute the CA certificate to every machine at once through the Trusted Root Certification Authorities Group Policy setting instead of repeating this on each one.
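The same import done from PowerShell, added here as an example that is not part of the original article or of passbolt. Compared with the wizard it refuses two common mistakes (importing the server certificate, or a PFX that carries a private key, into Trusted Root), picks the Root or Intermediate store from the certificate's own BasicConstraints and self-signature, and then builds the chain for the server certificate to prove the import worked. The paths C:\passbolt-cert\ca-cert.cer and C:\passbolt-cert\certificate.cer are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not passbolt's code. Run as a .ps1 from an elevated PowerShell.
param(
    [string]$CaCertPath     = 'C:\passbolt-cert\ca-cert.cer',       # assumed: CA public certificate
    [string]$ServerCertPath = 'C:\passbolt-cert\certificate.cer'    # assumed: issued server certificate
)
$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'
$ca = New-Object "$X509.X509Certificate2"($CaCertPath)

# Guard 1: a private key never belongs in a trust store (a password-less PFX loads with HasPrivateKey).
if ($ca.HasPrivateKey) { throw "$CaCertPath contains a private key; import the CA's public certificate only" }

# Guard 2: only a CA certificate (BasicConstraints CA=TRUE) may be trusted as an issuer.
$bc = $ca.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "$CaCertPath is not a CA certificate (it is probably the server certificate)"
}

# Guard 3: self-signed CA = root, anything else = intermediate (different store).
$store = if ($ca.Subject -eq $ca.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
if (Get-ChildItem $store | Where-Object Thumbprint -eq $ca.Thumbprint) {
    Write-Host "Already present in ${store}: $($ca.Subject)"
} else {
    Import-Certificate -FilePath $CaCertPath -CertStoreLocation $store | Out-Null
    Write-Host "Imported into ${store}: $($ca.Subject) ($($ca.Thumbprint))"
}

# Verify: the server certificate must now chain to a trusted root on this machine.
$server = New-Object "$X509.X509Certificate2"($ServerCertPath)
$chain  = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # internal CAs rarely publish a CRL/OCSP endpoint
if ($chain.Build($server)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "OK: $($server.Subject) chains to $($root.Subject)"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
    throw 'Server certificate does not chain to a trusted root on this machine'
}
```

RevocationMode is set to NoCheck because a private CA usually publishes no CRL; if yours does, drop that line so revocation is checked the way browsers would. The chain build only confirms trust and validity dates; the host-name check is what the TLS test in the previous section covers.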

Conclusion

Setting up an SSL certificate on Windows for passbolt is a crucial step in securing your password management system. By generating a certificate with the right host name in its Subject Alternative Name, converting it and its private key to PEM, configuring passbolt's web server (Nginx) to use them, and installing the CA certificate on the Windows machines that connect, you establish a passbolt instance that is both encrypted and authenticated.

For production environments, consider obtaining an SSL certificate from a trusted Certificate Authority (CA) to avoid trust issues.

Feel free to reach out in the community forum if you have any questions or need help with a specific request.
