Spiceworks comes packaged with a self-signed SSL certificate that is set up automatically and usable after install. This certificate allows for https connections, but has not been signed by a public (trusted root) certificate authority. While this is fine for most folks, you may want to add a signed SSL certificate obtained from a public/trusted root Certificate Authority (CA).
This article is a step-by-step guide to creating an SSL certificate and configuring Spiceworks to use it. The process is fairly simple.
Admins and end users connecting via https to your local Spiceworks installation see a security error in their browser like:
Your connection is not secure
There is a problem with this website’s security certificate.
Prepare the server
Backup existing certificate and httpd.conf
It’s always a good idea to back up config files, right? The same is true when working with the httpd.conf file from your Spiceworks installation. Also, you’ll want to keep backup copies of the current SSL certs in case things go sideways.
To start, head over to C:\Program Files (x86)\Spiceworks\httpd\conf and copy the httpd.conf file to a safe location (Desktop, Documents, etc.). Note: Your installation path may be different.
Next, head to the
\Spiceworks\httpd\ssl folder and do the same for the
Next, we’ll need to install OpenSSL. Why? OpenSSL provides a straightforward way to generate a private key and a certificate signing request (CSR).
Nowadays, openssl.org doesn’t provide a Windows installer directly, but they do list a few places here: https://wiki.openssl.org/index.php/Binaries.
After you’ve installed OpenSSL you may need to set an environment variable within Windows. To do that, run the following in a command prompt:
C:\OpenSSL-Win32 is the installation directory of OpenSSL).
Get the cert(s)
Generate a private key
Now it’s time to generate a private key.
First, bring up a command prompt and run the following command:
openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out request.csr
2048-bit RSA keys are most common, but you may want to check with the CA you’ve chosen.
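One important thing to note is the -nodes parameter. This means “no DES encryption”: the private key is written to disk without a passphrase. Why? Apache on Windows requires an unencrypted private key. Using DES will bork this process. Because the key file is unprotected, treat it as a secret and restrict who can read it.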
Your private key will likely be in the
C:\OpenSSL directory or in the
Fill out CSR info
Once the private key has been generated, you’ll be asked to fill out a bit of info. This is for the CSR you’ll be sending to your CA.
If you’re not sure what to enter for these prompts, you’ll want to contact your CA.
NOTE: The common name MUST be the fully qualified domain name (FQDN) of the Spiceworks host. For example:
Your CSR file will likely be created in the
C:\OpenSSL directory or in the
Send your CSR to your CA
You’ll need to send your CSR to your CA. Normally, you do this via your CA’s web portal but that can vary based on your CA. As with the other steps, ask your CA if you’re in doubt.
When you upload/send the CSR to your CA, specify that you’ll be using the cert with an Apache web server.
Download your certificate
Your CA should send your certificate to the email address you specified when creating your CSR. You should also be able to download the cert from your CA’s web portal.
If you’re downloading the certificate from your CA’s web portal, you’ll likely have a number of different download options. In most cases, you’ll want to choose the Apache option. Don’t see an option to download for Apache? Check with your CA!
Download the intermediate certificate
Some CAs require an intermediate certificate in addition to the primary SSL certificate. It’s always a good idea to check with your CA on whether you need to do this step.
Most likely, you’ll download the intermediate certificate along with your primary SSL certificate (if you downloaded it via your CA’s web portal).
Again, if you’re not sure about this step contact your CA. Not knowing whether you need an intermediate certificate or not can cause a lot of frustration in the next few steps.
Install the cert(s)
Copy your certificate(s) and private key to Spiceworks
Depending on your CA, you may have one or two certificates to drop into place.
Note: At this point you’ll need to shut down Spiceworks and keep it offline until you’re finished with the entire process.
If your CA doesn’t require an intermediate certificate, you’ll want to copy your SSL certificate to the
C:\Program Files (x86)\Spiceworks\httpd\ssl folder. Then, rename the certificate to
If your CA requires an intermediate certificate as well, follow the step mentioned above and then copy your intermediate certificate to the
C:\Program Files (x86)\Spiceworks\httpd\ssl directory and rename it to
Note: This is probably the single-most confusing part of the process. If you don’t know which certificate is the primary and which is the intermediate, contact your CA. They’ll be able to tell you and it will save you the headache of trial and error.
Finally, copy your private key over to the
C:\Program Files (x86)\Spiceworks\httpd\ssl folder and rename it to
Edit the httpd.conf file
Skip this step if you don’t have an intermediate certificate.
Head over to
C:\Program Files (x86)\Spiceworks\httpd\conf and open the
Toward the bottom of the file, you’ll see the following lines:
<VirtualHost *:443 >
    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:!ADH
    SSLCertificateFile "ssl/ssl-cert.pem"
    SSLCertificateKeyFile "ssl/ssl-private-key.pem"
</VirtualHost>
We’ll want to add the following line just before the </VirtualHost> line:
    SSLCertificateChainFile "ssl/ssl-intermediate.pem"
So, when you’re finished, you should have:
<VirtualHost *:443 >
    SSLEngine on
    SSLOptions +StrictRequire
    SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite HIGH:!ADH
    SSLCertificateFile "ssl/ssl-cert.pem"
    SSLCertificateKeyFile "ssl/ssl-private-key.pem"
    SSLCertificateChainFile "ssl/ssl-intermediate.pem"
</VirtualHost>
Now, save the
Finish things up
Now, all you need to do is start Spiceworks. If the app won’t start, shut down Spiceworks, restore the original certificate files and httpd.conf file to get back online with the original cert, then read back through the steps to see if you missed anything.
Most often, problems stem from renaming the incorrect files. For example, you may have renamed the primary certificate to ssl-intermediate instead of ssl-certificate by accident.
If the app starts, you’re good to go. Confirm you see a “secure lock icon” in your browser when accessing Spiceworks via https.
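A pre-start check for the mix-ups described above, as an added example (not part of the original article or of Spiceworks): it reads the SSLCertificate* directives from httpd.conf text and confirms that each referenced file exists and holds the right kind of PEM object, with an unencrypted key. The function name check_ssl_files and the demo file contents are constructed for illustration, and the check scans the whole config rather than only the <VirtualHost *:443 > block.

```python
import re
from pathlib import Path

# Directives from the article's VirtualHost block -> PEM type each file must hold.
EXPECTED = {"SSLCertificateFile": "CERTIFICATE", "SSLCertificateKeyFile": "PRIVATE KEY",
            "SSLCertificateChainFile": "CERTIFICATE"}
DIRECTIVE = re.compile(r"^[ \t]*(SSLCertificate\w*File)[ \t]+(\S.*?)[ \t]*$", re.M)
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
CURLY = "\u201c\u201d"  # typographic quotes picked up when copying from a web page


def check_ssl_files(conf_text, httpd_root, expect_chain=True):
    """Return a list of problems; an empty list means the files look sane."""
    problems, found = [], {}
    for name, value in DIRECTIVE.findall(conf_text):
        if value[0] in CURLY:
            problems.append(f"{name}: curly quotes, use straight quotes")
        found[name] = value.strip('"' + CURLY)
    for name, kind in EXPECTED.items():
        if name not in found:
            if expect_chain or name != "SSLCertificateChainFile":
                problems.append(f"{name}: directive missing")
            continue
        path = Path(httpd_root) / found[name]  # relative to the httpd folder
        if not path.is_file():
            problems.append(f"{name}: {found[name]} not found")
            continue
        text = path.read_text(errors="replace")
        match = PEM_BEGIN.search(text)
        label = match.group(1) if match else "no PEM header"
        if kind == "CERTIFICATE" and label != kind:
            problems.append(f"{name}: expected a certificate, got {label}")
        elif kind == "PRIVATE KEY" and not label.endswith(kind):
            problems.append(f"{name}: expected a private key, got {label}")
        elif kind == "PRIVATE KEY" and (label.startswith("ENCRYPTED")
                                        or "Proc-Type: 4,ENCRYPTED" in text):
            problems.append(f"{name}: key is passphrase-protected")
    return problems


if __name__ == "__main__":  # demo on constructed files, not real key material
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "ssl").mkdir()
        (Path(d) / "ssl/ssl-cert.pem").write_text("-----BEGIN CERTIFICATE-----\n")
        (Path(d) / "ssl/ssl-private-key.pem").write_text("-----BEGIN ENCRYPTED PRIVATE KEY-----\n")
        conf = 'SSLCertificateFile "ssl/ssl-cert.pem"\nSSLCertificateKeyFile "ssl/ssl-private-key.pem"\n'
        print(check_ssl_files(conf, d))
```

Both the primary and intermediate files carry the same CERTIFICATE label, so this check cannot tell them apart; your CA remains the authority on which is which.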
Create another backup
When you update Spiceworks in the future, you will need to put the certificate files and httpd.conf file back in place.
To avoid headaches, go ahead and create a backup of the httpd folder and save it someplace outside of the Spiceworks installation directory.
Then, during the next Spiceworks update you can just drop a backup of the httpd folder back into place.