MorphoManager TLS Configuration Manual

TLS configuration Manual

version: 13.1.0.x
MorphoManager TLS Configuration Manual

Contents
Introduction
Certificate requirements
Configure Manual Certificate binding mode
    On the server machine
    On the client machine
    MorphoManager Settings
        Server Machine
        Client Machine
Importing certificates
Determining the Fully Qualified Domain Name (FQDN)
Creating your own certificates with OpenSSL
    Certificate Authority
    Client and Server Certificates

© Refer to End User License Agreement for Copyright Notice Page 2



Introduction
MorphoManager 12 uses TLS 1.2 to encrypt communications between the server and client,
automatically generating self-signed certificates for this purpose. If configured, customers can also
designate their own certificates for the same purpose and to perform mutual authentication.

This guide is one example of how MorphoManager can be configured to use the Manual Certificate
Binding Mode.

Certificate requirements
The following is required for the certificate to pass validation:

1. The certificate exists in either the Personal or Trusted Root Certification Authorities collection store
2. The certificate contains a private key
3. The certificate’s Key Usage Extension contains a Key Encipherment or Data Encipherment flag
4. The certificate’s Enhanced Key Usage Extension contains a valid Server Authentication value (1.3.6.1.5.5.7.3.1)
5. If a CA certificate is used in Certificate validation:
   a. The certificate authority thumbprint is of valid length (40)
   b. The certificate authority thumbprint is of hexadecimal format
6. If certificate issuers need to match, you will have to ensure that both the certificates in the
   certificate store came from the same source.
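
One way to pre-check an imported certificate against requirements 1 to 5 above, as an added PowerShell example that is not part of the manual or of MorphoManager. The function name Test-CertRequirements and its parameters are hypothetical, and the script only reads the certificate store.

```powershell
# Added example (not MorphoManager code). Test-CertRequirements is a hypothetical helper.
function Test-CertRequirements {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,      # value for Certificate Thumbprint
        [string] $CaThumbprint,                           # only if a CA certificate is used
        [ValidateSet('LocalMachine', 'CurrentUser')] [string] $StoreLocation = 'LocalMachine'
    )
    $hex40  = '^[0-9A-Fa-f]{40}$'
    $result = [ordered]@{}

    # Requirement 5: exactly 40 hexadecimal characters. A value pasted from the
    # certificate dialog can carry spaces or an invisible leading character.
    $result['Thumbprint is 40 hex characters'] = $Thumbprint -match $hex40
    if ($CaThumbprint) {
        $result['CA thumbprint is 40 hex characters'] = $CaThumbprint -match $hex40
    }

    # Requirement 1: Personal (My) or Trusted Root Certification Authorities (Root).
    $cert = Get-ChildItem "Cert:\$StoreLocation\My", "Cert:\$StoreLocation\Root" |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    $result['Found in Personal or Trusted Root store'] = [bool]$cert
    if (-not $cert) { return $result }

    # Requirement 2: the certificate has a private key.
    $result['Has private key'] = $cert.HasPrivateKey

    # Requirement 3: Key Usage contains Key Encipherment or Data Encipherment.
    $ku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $mask  = [int]($flags::KeyEncipherment) -bor [int]($flags::DataEncipherment)
    $result['Key Usage has Key/Data Encipherment'] = (([int]$ku.KeyUsages) -band $mask) -ne 0

    # Requirement 4: Enhanced Key Usage contains Server Authentication.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $result['EKU has Server Authentication'] = $oids -contains '1.3.6.1.5.5.7.3.1'

    return $result
}

# '<CERTIFICATE THUMBPRINT>' is a placeholder for the thumbprint of your own certificate.
Test-CertRequirements -Thumbprint '<CERTIFICATE THUMBPRINT>'
```

Every entry in the returned table should be True before the thumbprint is entered in the configuration tools; a missing Key Usage or Enhanced Key Usage extension shows up as False.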

Configure Manual Certificate binding mode


It is possible to designate your own certificates for TLS encrypted communication.

On the server machine:


1. Import the Certificate Authority (CA) certificate into the local computer’s Trusted Root
   Certification Authorities folder.
2. Import the Server Certificate into the local computer’s Personal folder.
3. Import the Client Certificate into the local computer’s Trusted People folder.

On the client machine:


1. Import the CA certificate into the local computer’s Trusted Root Certification Authorities folder.
2. Import the Client Certificate into the local computer’s Personal folder.
3. If you don’t explicitly grant access to the imported certificate’s private key, MorphoManager
   must be run as administrator, or it will not connect to the server. You can get around this by:
   a. Adding permissions to the certificate, or
      i. Right click on the imported certificate in the certificate store
      ii. Under All Tasks, click Manage Private Keys
      iii. Under Group or user names, click the Add button


      iv. Type in “Authenticated Users” or a specific user
      v. Click Apply
      vi. Click OK
   b. Importing the certificate into the Current User’s store instead of the Local Machine store

MorphoManager Settings
Server Machine:
1. Open Advanced Server Configuration.
2. Set Certificate binding to Manual.
3. Add the imported server certificate’s thumbprint in Certificate Thumbprint.
4. Set Client Certificate Validation to Enforced.
5. Check the Match certificate issuers checkbox.


Client Machine:
1. Open Advanced Client Configuration.
2. Change Server Connection Type to Manually Specified.
3. Change the hostname to the server’s fully qualified machine name.
4. Set Certificate binding to Manual.
5. Add the imported client certificate’s thumbprint in Certificate Thumbprint.
6. Set Server Certificate Validation to Enforced.
7. Check the Match certificate issuers checkbox.


Importing certificates
1. Begin by locating the certificate to be placed in the certificate store. Right click on the certificate
and choose the Install PFX option.

2. A Certificate Import Wizard will appear. Under the Store Location option, select Local Machine
and click Next.


3. Specify the file to import. The location of your certificate should already be provided in the File
Name field. Click Next.

4. Enter the certificate’s password. This is the password that should already be associated with the
certificate, not a new one. Check any additional import options that may be applicable. Click
Next.


5. Select which store the certificate will be imported to. You can choose to have the store
automatically selected. However, since MorphoManager will be expecting the certificate to
reside in either the Personal store or the Trusted Root Certification Authorities store, select
the option that allows you to place the certificate in the store of your choosing and browse to
the required location. Click OK and then Next.

6. Finally, ensure that the information provided on the last screen is correct and click the Finish
button to begin the import process. Once complete a prompt will appear informing you that the
import was successful.


Determining the Fully Qualified Domain Name (FQDN)


1. Open the start menu.
2. Type “System” in the search field.
3. Select the System app to open it. This app can also be found in Control Panel.
4. The FQDN can be found next to Full Computer Name.


Creating your own certificates with OpenSSL


This is an example of how to create your own certificates with OpenSSL. The commands may be altered
to suit your needs.

These commands need to be used with OpenSSL v1.0.2.

OpenSSL can be downloaded here: https://www.openssl.org/source/

Create a Sub-folder called MorphoManager in the same directory as the OpenSSL.exe app. Launch
OpenSSL as an Administrator and run the following commands.

Certificate Authority
1. req -new -newkey rsa:1024 -nodes -out MorphoManager\MorphoManager.csr -keyout MorphoManager\MorphoManager.key -sha512 -subj /CN=MorphoManager

2. x509 -trustout -signkey MorphoManager\MorphoManager.key -days 7500 -req -in MorphoManager\MorphoManager.csr -out MorphoManager\MorphoManager.pem -sha512

3. Create a copy of the newly created MorphoManager.pem file in the MorphoManager folder and
   rename the copy “MorphoManager.bin”

4. pkcs12 -export -nokeys -in MorphoManager\MorphoManager.bin -aes256 -out MorphoManager\MorphoManager.p12 -passout pass:Admin
   a. Note that you can use a password other than “Admin” if you wish

Client and Server Certificates


1. req -new -newkey rsa:1024 -nodes -keyout MorphoManager\server.key -out MorphoManager\server.csr -sha1 -subj /CN=[Name of Server Machine]
   a. Note that CN=[Name of Server Machine] must be changed to match the server machine

2. x509 -req -days 7500 -in MorphoManager\server.csr -CA MorphoManager\MorphoManager.pem -CAkey MorphoManager\MorphoManager.key -set_serial 01 -out MorphoManager\server.crt -sha1

3. pkcs12 -export -in MorphoManager\server.crt -inkey MorphoManager\server.key -out MorphoManager\server.p12 -passout pass:Admin
   a. Here again you can change the password from “Admin” to whatever you like

4. pkcs12 -in MorphoManager\server.p12 -out MorphoManager\server.pem -passin pass:Admin -passout pass:Admin
   a. Make sure if you used a different password than “Admin” previously that you change it
      here too.


5. req -new -newkey rsa:1024 -nodes -keyout MorphoManager\client.key -out MorphoManager\client.csr -sha1 -subj /CN=[Name of client Machine]

6. x509 -req -days 7500 -in MorphoManager\client.csr -CA MorphoManager\MorphoManager.pem -CAkey MorphoManager\MorphoManager.key -set_serial 01 -out MorphoManager\client.crt -sha1

7. pkcs12 -export -in MorphoManager\client.crt -inkey MorphoManager\client.key -out MorphoManager\client.p12 -passout pass:Admin
   a. Here again you can change the password from “Admin” to whatever you like

8. pkcs12 -in MorphoManager\client.p12 -out MorphoManager\client.pem -passin pass:Admin -passout pass:Admin
   a. Here again you can change the password from “Admin” to whatever you like
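
To see what the commands above actually produced before importing the files, the following added PowerShell example (not part of the manual) reads server.p12 and client.p12 and reports key size, signature algorithm, serial number and extensions, so they can be compared with the Certificate requirements list. Get-P12Summary is a hypothetical helper, and the 2048-bit threshold and the SHA-1 check are this example's assumptions, not MorphoManager rules.

```powershell
# Added example, not from the manual. File names and the password "Admin" are the
# ones used in the commands above; adjust them if you changed the commands.
function Get-P12Summary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Password
    )
    # .NET resolves relative paths against the process directory, so resolve first.
    $full = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                -ArgumentList $full, $Password
    try {
        [pscustomobject]@{
            File          = Split-Path $full -Leaf
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            Serial        = $cert.SerialNumber
            KeyBits       = $cert.PublicKey.Key.KeySize
            SignatureAlg  = $cert.SignatureAlgorithm.FriendlyName
            SignatureOid  = $cert.SignatureAlgorithm.Value
            ExtensionOids = @($cert.Extensions | ForEach-Object { $_.Oid.Value })
            Thumbprint    = $cert.Thumbprint
        }
    } finally {
        $cert.Reset()   # release the key material loaded from the file
    }
}

$summary = 'server.p12', 'client.p12' | ForEach-Object {
    Get-P12Summary -Path "MorphoManager\$_" -Password 'Admin'
}
$summary | Format-List

foreach ($s in $summary) {
    # Assumed threshold: 2048 bits as a minimum RSA key size.
    if ($s.KeyBits -lt 2048) { Write-Warning "$($s.File): $($s.KeyBits)-bit key" }
    # 1.2.840.113549.1.1.5 is sha1WithRSAEncryption.
    if ($s.SignatureOid -eq '1.2.840.113549.1.1.5') { Write-Warning "$($s.File): SHA-1 signature" }
    # 2.5.29.15 is Key Usage, 2.5.29.37 is Enhanced Key Usage (requirements 3 and 4).
    if ($s.ExtensionOids -notcontains '2.5.29.15') { Write-Warning "$($s.File): no Key Usage extension" }
    if ($s.ExtensionOids -notcontains '2.5.29.37') { Write-Warning "$($s.File): no Enhanced Key Usage extension" }
}
# Certificates from one issuer are expected to carry distinct serial numbers.
$summary | Group-Object Issuer, Serial | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning "Same issuer and serial number: $($_.Group.File -join ', ')"
}
```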
