Managing SSL Certificates
Vertafore services require the Secure Sockets Layer security protocol (SSL) to support encrypted links between Sagitta users and web servers. To establish a secure web server, you will need to acquire and maintain an SSL certificate from a trusted authority. A list of Vertafore approved authorities is available from My Vertafore (list now appears in this document). Please refer to this list to access the most recent version of this information:
Sagitta – Approved Certificate Authorities
Doc ID DOC1413
You must be registered with My Vertafore and signed in to access this document.
The Certificate Management utility is intended for use only during maintenance windows. Installing or configuring certificates while the server is in active use may terminate existing sessions because the application pool is recycled.
- An SSL certificate in PKCS #12 format (.pfx or .p12 extensions) obtained from an approved authority. A private key must be assigned to the certificate. This key will be used as your password when configuring your certificate.
- Both Certificate Management Tool and the certificate must be copied to the Sagitta Web Services server to function properly.
The instructions in this document describe how to install and configure a certificate to a Sagitta Web Services server. You can use this utility to:
- Use the Install feature to set up a certificate for the first time on a server by installing and configuring it for use by Sagitta Web Services. The utility installs a certificate new to the server and updates the Sagitta Web Services server web.config files.
- Configure a certificate that already exists on the server (possibly in use for a different purpose than for Sagitta Web Services). The Configure feature updates certificates already installed on that server for use by Sagitta Web Services.
Both features update the Sagitta Web Services web.config files with the appropriate thumbprints and add the correct permissions.
Once you have obtained a certificate from an approved authority and copied it to your Sagitta Web Services server (or made it available on a network drive), follow the instructions in the Install a New Certificate section in the pages below.
If you already have a certificate on the server but it is not currently configured for use with Sagitta, then follow the instructions in the Configure Certificates section.
Sagitta Certificate Management Utility
- The utility is delivered in the Sagitta Web Services Server install folder:
/[current release]/Install/CertificateManagement.exe
- The CertificateManagement.exe file is the program file for the Sagitta Certificate Management utility. The file resides in the install folder when you download the Web Services Server install package from My Vertafore. You can copy the CertificateManagement.exe and CertificateManagement.exe.config files to a different location on the web services server, but please be aware that the utility will be updated with the latest version of Sagitta Web Services Server in future releases. The following uses and changes will require knowledge of its location:
- Access this file the first time you establish and configure an SSL Certificate on your Sagitta Web Services server.
- Access this file again when your certificate expires. You can rerun the process with a replacement certificate when needed.
- If Vertafore updates the utility, then it will become necessary to replace the existing version of the utility.
Web.Config Files
The Sagitta Certificate Management utility places copies of the InternalVF and InterfaceWSV2 web.config files in the following folder:
C:\ProgramData\Sagitta Certificate Management\WebConfigArchives
The utility copies the web.config files to the above location while installing the certificate, before any configuration changes are made, so that a backup copy of each web.config file is available if needed.
Use the Install feature in the management utility to install and configure a certificate new to the server.
- Right click on the Certificate Management Tool ([current release]/Web Services Server/Install/CertificateManagement.exe) and choose Run as administrator.
Running the utility as an administrator is critical to assigning permissions correctly.
- Click Browse to locate and select your certificate to populate the Certificate Path field.
- In the Password field, enter the password—this is the private key assigned to the certificate.
- Click Install. The system displays a confirmation dialog when the install is successful.
Once successfully installed, your SSL certificate is visible on Microsoft Windows Server Console Root on the server.
Use the following steps to configure certificates that reside on your Sagitta Web Services server but are not currently being used to support Sagitta. The Configure feature in the Sagitta Certificate Management tool allows you to configure these certificates for use with Sagitta.
- Access the [current release]/Web Services Server/Install/CertificateManagement.exe to launch the Sagitta Certificate Management program and Run as administrator.
Running the utility as an administrator is critical to assigning permissions correctly.
- When the Sagitta Certificate Management utility displays, locate and select the certificate you intend to configure then click Configure on its corresponding line in the grid.
- When the Do you want to configure Sagitta Web Services with this certificate? dialog displays, click Yes.
When the process has successfully completed, a confirmation dialog displays.
The utility updates the InternalVF and InterfaceWSV2 web.config files automatically with the correct thumbprints to match this certificate and applies the correct permissions to this certificate.
If any errors are displayed, click on the Logs link to read more details recorded for the error.
A new log file is created from the Installation. The log file name is Sagitta Web Services Server Installation with the installation date and time and can be found here: C:\ProgramData\Sagitta Certificate Management\Log.txt.
Use the steps below to delete a certificate that you no longer need to use in support of Sagitta Web Services.
1. Access the Sagitta Certificate Management utility.
2. When the Sagitta Certificate Management utility displays, locate the certificate you intend to delete then click Delete on its corresponding line in the grid.
When successful, a message displays that the deletion was successful and an entry will be added to the Log file. When you delete a certificate through this process, the utility removes the certificate from the root of the Web Services server Console.
The matching thumbprints in the InternalVF and InterfaceWSV2 web.config files are not removed.
Use the Web Services Certificate Information section in Sagitta to review details about the certificate on your Web Services Server used to access Vertafore Services. This information has been made available as of Sagitta 2016.
If an error occurs while retrieving certificate information from a Web Services server, it displays at the top of the page as well as within the Certificate Information section.
There will also be a warning displayed if the installed certificate is about to expire within 30 days.
Administrators can resolve certain errors. Check the table below for error codes and messages and their corresponding action items.
Code | Message | Problem description | What to do?
---|---|---|---
N/A | Web Services Server certificate expires in X day(s). | Certificate being used by InternalVF and InterfaceWSV2 is about to expire. | Renew your current SSL certificate before the expiration date.
SAG_WS_CERT_004 | Web Services Server certificate has expired. You will no longer have access to Vertafore Services. | This error happens when both certificates are returned for each service but expiration date has passed. | Renew your current SSL certificate ASAP.
SAG_WS_CERT_005 | Certificate Thumbprints for InternalVF and InterfaceWSV2 do not match. Please contact Vertafore Support. | The certificate thumbprints do not match from either service. One of the thumbprint values is invalid. | Check the thumbprints in each web.config (InternalVF and InterfaceWSV2) to ensure they are the same and match the SSL Certificate.
SAG_IVF_CERT_006 | web.config of InternalVF is not configured with a Thumbprint. | The web.config of InternalVF is not configured with a thumbprint so therefore it cannot return certificate information. | Add the thumbprint of the certificate in the web.config file of the InternalVF.
SAG_IWS_CERT_008 | web.config of InterfaceWSV2 is not configured with a Thumbprint. | The web.config of InterfaceWSV2 is not configured with a thumbprint so therefore it cannot return certificate information. | Add the thumbprint of the certificate in the web.config file of the InterfaceWSV2.
SAG_IVF_CERT_007 | Certificate not found for the Thumbprint in web.config of InternalVF. | The certificate for thumbprint in InternalVF was not found in the certificate store. The thumbprint that is in the web.config of InternalVF does not match the certificate thumbprint. | Either the certificate is not installed or the thumbprint is not correct. Please install the correct certificate or correct the thumbprint in web.config of InternalVF so that it matches the certificate thumbprint.
SAG_IWS_CERT_009 | Certificate not found for the Thumbprint in web.config of InterfaceWSV2. | The certificate for thumbprint in InterfaceWSV2 was not found in the certificate store. The thumbprint that is in the web.config of InterfaceWSV2 does not match the certificate thumbprint. | Either the certificate is not installed or the thumbprint is not correct. Please install the correct certificate or correct the thumbprint in web.config of InterfaceWSV2 so that it matches the certificate thumbprint.
SAG_IWS_CERT_010 | Web.config of InternalVF and InterfaceWSV2 are not configured with Thumbprints. | Both web.config files of InternalVF and InterfaceWSV2 do not have a thumbprint in the thumbprint value. | Add correct certificate thumbprints in the web.config files of InterfaceWSV2 and InternalVF.
SAG_IWS_CERT_011 | Certificate not found for Thumbprints in web.config of InternalVF and InterfaceWSV2. | The thumbprint in the web.config for both InternalVF and InterfaceWSV2 could not find a certificate. | Make sure the certificate is installed and has the right permissions. Verify the correct certificate thumbprint values are in the web.config files of InterfaceWSV2 and InternalVF.
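
The thumbprint checks in the table above can be scripted. The following PowerShell is an added example, not part of the Vertafore utility or documentation: it reads both web.config files, looks up each configured thumbprint in the certificate store, and flags a mismatch, a missing certificate, or expiry within 30 days. The web.config paths are placeholders, the LocalMachine\My store is an assumption, and because this page does not name the web.config setting that holds the thumbprint, the script treats any quoted 40-hex-digit value as one.

```powershell
# Added example (not Vertafore code). Paths and store are assumptions.
param(
    [string[]]$ConfigPath = @(
        'C:\path\to\InternalVF\web.config',    # placeholder, set to your install
        'C:\path\to\InterfaceWSV2\web.config'  # placeholder, set to your install
    ),
    [string]$Store = 'Cert:\LocalMachine\My',  # assumed certificate store
    [int]$WarnDays = 30                        # warning window named on this page
)

function Get-ConfigThumbprint {
    param([string]$Path)
    # A SHA-1 thumbprint is 40 hex digits. Values pasted from the Windows
    # certificate dialog can carry spaces and an invisible U+200E mark, so
    # tolerate both when matching and strip them before comparing.
    $pattern = '"[\s\u200E]*((?:[0-9A-Fa-f][\s\u200E]*){40})"'
    $text = Get-Content -LiteralPath $Path -Raw
    [regex]::Matches($text, $pattern) |
        ForEach-Object { ($_.Groups[1].Value -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() } |
        Select-Object -Unique
}

$rows = @(foreach ($p in $ConfigPath) {
    $prints = @(Get-ConfigThumbprint -Path $p)
    if (-not $prints) { $prints = @('(none found)') }
    foreach ($t in $prints) {
        # Look the configured thumbprint up in the store; $null if absent.
        $cert = Get-ChildItem -Path $Store | Where-Object { $_.Thumbprint -eq $t }
        [pscustomobject]@{
            Config      = $p
            Thumbprint  = $t
            Installed   = [bool]$cert
            HasKey      = [bool]($cert -and $cert.HasPrivateKey)
            NotAfter    = if ($cert) { $cert.NotAfter }
            # True for certificates already expired or expiring within $WarnDays.
            ExpiresSoon = [bool]($cert -and $cert.NotAfter -lt (Get-Date).AddDays($WarnDays))
        }
    }
})

$rows | Format-Table -AutoSize
$unique = @($rows | ForEach-Object { $_.Thumbprint } | Select-Object -Unique)
if ($unique.Count -ne 1 -or $unique[0] -eq '(none found)') {
    Write-Warning 'web.config files do not agree on one configured thumbprint.'
}
```

Run it from an elevated prompt so the store is fully readable. A thumbprint that still appears in a web.config after the certificate was deleted through the utility shows up here with Installed set to False.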