The remote certificate is invalid

Here are the steps I go through to replace my certificate for Kinetic. Maybe this will help you.

Create Certificate Request in IIS.

Use the CSR to request a new certificate

Download the new certificate from the certificate authority.

NOTE- Before installing the new certificate, you must be prepared to complete ALL the following steps. Failure to complete ALL the steps may prevent the Kinetic app pool from restarting. Since the app pools will be recycled during this process, it is recommended to complete this process when it is unlikely to disrupt users.

Install the new certificate on the server using the Complete Certificate Request… function. Give the new certificate a friendly name that allows you to distinguish from the certificate being replaced.

Open the Epicor Administration Console

Open the properties of the Kinetic server (NOT the app pool).

Click the … button to change the certificate to the new certificate and save changes.

Open Application Server Configuration

Switch to the Extensions > Enterprise Search tab.

Click the … to change the SSL Certificate.

Click Deploy, then OK.

Close Epicor Administration console

In IIS Manager - delete the certificate that is being replaced.

Cycle the app pools on the server to make sure that they restart.

IIRC, Kinetic can get confused if there are multiple certificates with the same subject name. I recommend you delete the expired cert.

1 Like
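An added PowerShell audit (not from this thread) that shows what the steps above are guarding against: it lists every certificate in the server's personal store, flags duplicate subjects and expired certificates, checks for a SAN and the serverAuth EKU, and maps each thumbprint to the IIS HTTPS binding that uses it. It assumes an elevated shell on the IIS server with the WebAdministration module available.

```powershell
# Added example, not code from the thread: audit LocalMachine\My and IIS https bindings
# before and after swapping the Kinetic certificate. Assumes IIS + WebAdministration module.
Import-Module WebAdministration -ErrorAction Stop

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$sanOid        = '2.5.29.17'           # subjectAltName

# Thumbprints currently referenced by any https binding in IIS
$bound = @{}
foreach ($b in (Get-WebBinding -Protocol https)) {
    if ($b.certificateHash) { $bound[$b.certificateHash.ToUpper()] = $b.bindingInformation }
}

$report = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $eku = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    [pscustomobject]@{
        Subject      = $c.Subject
        FriendlyName = $c.FriendlyName
        Thumbprint   = $c.Thumbprint
        NotAfter     = $c.NotAfter
        Expired      = ($c.NotAfter -lt (Get-Date))
        HasSAN       = [bool]($c.Extensions | Where-Object { $_.Oid.Value -eq $sanOid })
        ServerAuth   = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        BoundTo      = $bound[$c.Thumbprint]   # $null when no IIS https binding uses this cert
    }
}

# Several certs sharing one subject is exactly the situation the thread says confuses Kinetic
$report | Group-Object Subject | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Duplicate subject '$($_.Name)': $($_.Group.Thumbprint -join ', ')"
}
# An expired cert still attached to a binding means the swap was not finished
$report | Where-Object { $_.Expired -and $_.BoundTo } | ForEach-Object {
    Write-Warning "Expired cert $($_.Thumbprint) is still bound to $($_.BoundTo)"
}
$report | Sort-Object Subject, NotAfter |
    Format-Table Subject, FriendlyName, Thumbprint, NotAfter, Expired, HasSAN, ServerAuth, BoundTo -AutoSize
```

Run it once before deleting the old certificate (expect two entries for the subject, only the new one bound) and once after the app pools recycle (expect one).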

ALL will need to be added to Root Trusted Authority on workstations attempting to access this resource AND these generated certificate files will need to be tied to IIS bindings.

Here is a bash ‘one-liner’ OpenSSL example good for 10 yrs :stuck_out_tongue: :

```bash
# Self-signed cert + key, valid 3650 days, with SANs; the config is fed via process substitution.
# Because -subj is given at the end, the [req_distinguished_name] placeholders below are not used
# for the subject; they only need to exist for openssl to accept the config.
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
  -nodes -keyout server.internal.domain.key -out server.internal.domain.crt -extensions v3_req -config \
  <(echo "[req]";
    echo "distinguished_name = req_distinguished_name";
    echo "x509_extensions = v3_req";
    echo "prompt = no";
    echo "E = webmaster@server.internal.domain";
    echo "[req_distinguished_name]";
    echo "C = Country eg: US";
    echo "ST = State eg: Washington";
    echo "L = Locality eg: City";
    echo "OU = Org Unit eg: My Company IT Department";
    echo "O = Organization eg: My Company, Inc.";
    echo "CN = server.internal.domain";
    echo "[v3_req]";
    echo "keyUsage = critical, digitalSignature, keyEncipherment";
    echo "extendedKeyUsage = serverAuth, clientAuth";
    echo "subjectAltName = @alt_names";
    echo "[alt_names]";
    echo "DNS.1 = server.internal.domain";
    echo "DNS.2 = *.server.internal.domain";
    ) \
  -subj "/CN=server.internal.domain"

# Combine cert and key into a single PEM file
cat server.internal.domain.crt server.internal.domain.key > server.internal.domain.pem
```

PowerShell (requires PKCSv2.1+) example:

```powershell
param (
     [Parameter()]
     [string]$certname = $env:COMPUTERNAME,  ## Identify the host this cert is being generated for if not supplied.
     [Parameter()]
     [string]$dnsname = "$env:COMPUTERNAME.$env:USERDNSDOMAIN",  ## Build an FQDN (we hope) if one is not supplied.
     [Parameter()]
     [string]$certpwd = "Please set a password!",  ## Renamed from $pwd, which shadows PowerShell's automatic $PWD variable
     [Parameter()]
     [string]$path = "C:\certs"  ## Default path to store generated certificate(s)
     )

$dnsname = $dnsname.ToLower()
New-Item -ItemType Directory -Path $path -Force | Out-Null  ## Make sure the output folder exists
$mypwd = ConvertTo-SecureString -String $certpwd -Force -AsPlainText  ## Private key password
$cert = New-SelfSignedCertificate -Subject "CN=$certname" -CertStoreLocation "Cert:\LocalMachine\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -DnsName $dnsname -NotAfter (Get-Date).AddYears(2)
Export-Certificate -Cert $cert -FilePath "$path\lm_$certname.cer"   ## Public cert only; specify your preferred location
Export-PfxCertificate -Cert $cert -FilePath "$path\lm_$certname.pfx" -Password $mypwd   ## Cert + private key for IIS; specify your preferred location
$certfile = Get-ChildItem -Path "$path\lm_$certname.cer"
$certfile | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root ## Install into Trusted Root on this machine
Write-Output ""
Write-Output "Please remember to install into IIS and set the bindings for SSL and attach to this cert."
```

PowerShell (openssl3) example: (EDITED to add export to pfx which will import into IIS correctly)

```powershell
# OpenSSL config written from a here-string; no -subj is passed, so with prompt = no
# the [req_distinguished_name] values below become the subject.
$configFile = @'
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
E = webmaster@server.internal.domain
[req_distinguished_name]
C = US
ST = State
L = City
OU = Org Unit
O = Org, Inc.
CN = server.internal.domain
[v3_req]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = server.internal.domain
DNS.2 = *.server.internal.domain
'@

$configFile | Out-File -Encoding UTF8 server.internal.domain.config.txt
# Self-signed cert + key, valid 3650 days
cmd.exe /c "openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout server.internal.domain.key -out server.internal.domain.crt -extensions v3_req -config server.internal.domain.config.txt"
# PFX (cert + key) that IIS can import; the legacy PBE-SHA1-3DES algorithms keep older Windows importers happy
cmd.exe /c "openssl pkcs12 -password pass:MySuperSecretPassword -nomac -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -export -out server.internal.domain.pfx -inkey server.internal.domain.key -in server.internal.domain.crt"
# Combine cert and key into a single PEM file
Get-Content server.internal.domain.crt, server.internal.domain.key | Set-Content server.internal.domain.pem
```

ALL of these should work as I have USED all of them to create self-signed certs for various projects/needs. This should only be used IF you cannot use something like Let’s Encrypt.

All of these create the key element needed to work properly when used for internal SSL encryption. Here it is:

2 Likes

Yes…everything seems to work if I’m on the server itself at the moment. Rebooting client machine now to see what happens…

You do not need to reboot the client machine; only the browser needs to be restarted after installing the cert into Trusted Root Certification Authorities.

1 Like

Simplest method to install cert to TRCA for Local Machine is:
Click the lock in the browser address bar (probably with a red line through it) and export/copy to file the certificate to a local folder.
Locate the exported certificate file and (right click or double click to) install certificate
This will bring you to the Certificate Import Wizard
Click Local Machine then Next


Select Place all certificates in the following store then browse button

Select Trusted Root Certification Authorities then OK
Then Finish

If everything went successfully/as desired…
Click OK

Last step will be to restart your browser:
Edge address restart: (type into address bar)

edge://restart

Chrome address restart: (type into address bar)

chrome://restart

Firefox click restart button in profiles page at: (type into address bar)

about:profiles
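An added PowerShell check (not from this thread) to run on a workstation before following the import steps above: it completes a TLS handshake with the Kinetic server, prints the certificate it actually received, and reports which validation error Windows raised (untrusted chain, name mismatch, expiry) so you know whether the Trusted Root import is the right fix. The server name is a placeholder to replace with your own host.

```powershell
# Added example, not code from the thread: explain "The remote certificate is invalid" from the client side.
# $Server is a placeholder; replace it with your Kinetic host name.
param([string]$Server = 'kinetic.internal.domain', [int]$Port = 443)

$script:policyErrors = 'None'
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors   # record what Windows objected to
    return $true                               # finish the handshake anyway so we can inspect the cert
}

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Valid      : $($cert.NotBefore) -> $($cert.NotAfter)"
"SANs       : $(if ($san) { $san.Format($false) } else { '(none: browsers ignore the CN and will reject this)' })"
"Thumbprint : $($cert.Thumbprint)"
"Errors     : $script:policyErrors"

# Map the usual causes onto the fixes discussed in the thread
if ("$script:policyErrors" -match 'RemoteCertificateChainErrors') {
    if ($cert.Subject -eq $cert.Issuer) {
        "Self-signed cert: import it into Cert:\LocalMachine\Root on this workstation, then restart the browser."
    } else {
        "Chain does not reach a trusted root: install the issuing CA's root/intermediate certificates."
    }
}
if ("$script:policyErrors" -match 'RemoteCertificateNameMismatch') {
    "Name mismatch: '$Server' is not in the cert's CN/SANs; use a listed name or reissue with the right DNS names."
}
if ($cert.NotAfter -lt (Get-Date)) {
    "Certificate expired on $($cert.NotAfter): replace it on the server (see the IIS steps earlier in the thread)."
}
```

If the output shows no errors, the workstation already trusts the certificate and the problem is elsewhere (a cached browser session, or a client such as Postman that keeps its own trust settings).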

Just to be clear, if the certificate comes from a Certificate Authority that is already in the trust chain (Let’s Encrypt, DigiCert, etc.) then this step is not necessary, like Clint says above.

2 Likes

If you plan to use Postman with a self-signed cert, then you’ll have to make more adjustments there too. If you use any third party connections (Azure, I assume Workato, etc.), then you’ll have to copy your cert to those services as well.

And do this every time you refresh the cert.

2 Likes