I want to avoid the web browser security warning that is shown when using PRTG's default SSL certificate and a secure https connection. How can I get, install and use such a certificate with PRTG?
6 Replies
General Information: Trusted SSL Certificates and PRTG
Out of the box, PRTG Network Monitor comes with a default SSL certificate for its web server. This way, all communication between your browser and PRTG is encrypted using SSL, and you can securely use the web interface through HTTPS.
Certificate Warnings
This certificate does not match the DNS name (or IP address) of your PRTG installation and therefore web browsers will always pop up a warning message ("the certificate is not correct") when they connect to PRTG's web server.
The Role of SSL Certificates
SSL certificates play two roles here: First they are used to encrypt the data (so nobody can get sensitive data like passwords from your PRTG installation). The second role of SSL certificates is to ensure that you are actually connected to the right server (to avoid man-in-the-middle attacks, etc.).
The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings you must install a "trusted certificate". There are several options to do this. Please see the other answers for more information.
More
- For a general overview, please see How can I establish a secure web interface connection to PRTG?
- For step-by-step instructions, please see the other answers to this question.
Created on Feb 2, 2010 3:29:59 PM by
Daniel Zobel [Paessler Support]
Last change on Mar 5, 2010 1:34:03 PM by
Daniel Zobel [Paessler Support]
Option 1: Using a Free SSL Certificate (StartSSL)
The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings you must install a "trusted certificate". This article explains how you can do this for free by getting a "StartSSL" certificate from StartCom (http://cert.startcom.org/). Their "Class 1 certificates" are domain and/or email validated only and the process is performed mostly by electronic and automatic means. This enables StartCom to waive fees for this type of certification. Thanks, StartCom!
Only Suitable for DNS Names
Important: "StartSSL Free" certificates only work for DNS names, not IP addresses. This means you must have control over the top level domain that you want to create a certificate for. You must have access to specific email addresses hosted at this domain. If you want a trusted certificate for a PRTG installation on a private LAN which is only accessible via private IP address, please consider switching to a DNS name or consider using a certificate from Comodo InstantSSL. They provide certificates for IP addresses, too (see other answers for this question).
Getting started
You have to go through the following steps in order to request and use a free StartCom SSL certificate with PRTG 7:
- Create a StartSSL account.
- Validate your domain name.
- Create a private key and a server certificate.
- Decrypt your private key.
- Copy your new files to the PRTG installation and restart PRTG server services.
- Keep your files when upgrading.
Step 1: Create a StartSSL Account
- Note: Please use Mozilla Firefox for the following procedure (StartSSL's website uses Firefox specific features).
- Go to http://www.startssl.com/, navigate to the Products page and follow the link to sign up for a "StartSSL Free" account (URL https://www.startssl.com/?app=12 when this article was written). Click on the "Express Lane" option.
- Enter your name and registration details.
- You will receive an email with a verification code.
- After copying the code from the email into your browser a "client certificate" is created and stored in your browser. The client certificate is used for access to your login area at startssl.com (instead of username/password credentials). This is a bootstrapping certificate for authentication purposes. It has nothing to do with the server's certificate you'll be using later on.
- You should pay attention to the following instructions to back up this certificate to make sure you're not losing access to your StartSSL account.
- In Mozilla Firefox, select "Preferences" -> "Advanced" -> "Encryption" -> "View Certificates", choose the "Your Certificates" tab and locate your certificate from the list. The certificate will be listed under StartCom Ltd. with "StartCom Free Certificate Member" as its name if this is your first one. Select the certificate and click on "Backup", choose a name for this backup file, provide a password and save it at a known location. Now you should either burn this file to a CD ROM or save it on a USB stick or smart card. Thereafter, delete this file from your computer.
Once you have created your account, a server certificate at StartSSL.com is created in two steps: First, you validate your domain name (you must have control over the top level domain). Second, you generate a private server key and certificate.
Step 2: Validate Your Domain Name
- As the next step, enter the top-level domain name that you want to use later for validation (if you're not using Express Lane, you'll find this option in the Validations Wizard, Type: Domain Name Validation). At this point only the top-level domain is checked. You do not enter any sub domains, but merely the domain name itself.
- Select an email address for verification and run through the verification process.
Step 3: Create Private Key and Server Certificate
- As next step, you generate a private key for this domain name (if you're not using Express Lane, you'll find this option in Certificates Wizard, Certificate Target: Web Server SSL/TLS Certificate). Enter a key password, click continue and confirm validation.
- You will now see your SSL key (RSA Private Key).
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,5F7B697613040B0AB63F648B0412D433

qSRUYQFCDioscUXG0usQ9oZikAaWRDxWUxxyS7/y+Z1XwSvJCUsH8DBSGVlmFPoT
Hhvu9yOZ/u+N8meoaucF4vNcKzLcJMb78mn8TwPMMoX95MayQ4njTd+EmPbNliu+
[...]
+zgYMdEBs5IiyZ49NjyAhu5JEMka3WpcNmlr0kGfXV2sU+s0yjaL3L9ynjyyLnr
-----END RSA PRIVATE KEY-----
- Copy it, save it to a text file (ssl_key.txt) and continue. Note: This is the encrypted key you'll decrypt later on (you do not need to install OpenSSL for this).
- Click on Continue.
- Add Domains: Select your domain and continue.
- Enter a sub domain and continue (for the free product, you can only enter one sub domain).
- The Overview is shown. Continue.
- The PEM encoded certificate is shown.
-----BEGIN CERTIFICATE-----
MIIGujCCBaKgAwIBAgIDaQW1MA0GCSqGSIb3DQEBBQUAMIGMMQswCQYDVQQGEwJJ
TDEWMBQGA1UEChMNU3RhcaRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERpZ2l0
[...]
1+/ovdIGF9FkcaN/PwcBBU0kWaIcYBOBnYXtsXGajerNsgyjFcCpLjCsNCKseQ==
-----END CERTIFICATE-----
- Copy it and save it as prtg7.crt, using a text editor. Please note: When saving the file, enclose the filename in quotes to make sure that the extension .CRT is saved correctly (many text editors may want to save it as .TXT)!
- Right click the "Root CA certificates" link and choose "Save As" and save the file as "ca-bundle.pem" (this can also be done later on in the StartSSL "Control Panel"'s "Tool Box"). Rename the file to root.pem.
- Click on finish.
Step 4: Decrypt Private Key
- In the StartSSL Tool Box (you'll find it in the website's Control Panel), click on Decrypt Private Key and paste the SSL key you saved in Step 3 (ssl_key.txt). Enter your Passphrase and click on Decrypt.
- The decrypted key should now be displayed. Copy and save it as prtg7.key, using a text editor. Please note: When saving the file, enclose the file name in quotes to make sure that the extension .KEY is saved correctly (many text editors may want to save it as .TXT)!
Step 5: Copy the files into the /cert folder of your PRTG installation
- Copy the following files into the /cert subfolder of your PRTG Network Monitor installation (make a copy of PRTG's default certificates for backup purposes):
- prtg7.crt (the certificate of your server)
- root.pem (the root certificates of the issuer)
- prtg7.key (private key of your server, decrypted)
- Open the PRTG Server Administrator and select "HTTPS/SSL on Port 443" for the Web Server Port setting.
- Now restart the PRTG Network Monitor Core service and access the website using HTTPS.
- You should also make a backup copy of your certificate files!
Step 6: When Upgrading PRTG Network Monitor
If you install a new version of PRTG Network Monitor the installer will detect your custom certificate files and may ask you whether it should overwrite those files. Please choose not to overwrite your certificate (V7.1 or later).
Applies to PRTG Network Monitor Version 7.2
Created on Feb 2, 2010 3:41:26 PM by
Daniel Zobel [Paessler Support]
Last change on Mar 26, 2010 3:10:38 PM by
Daniel Zobel [Paessler Support]
Quick and Easy: Using an Existing (Wildcard) Certificate
If you already have a certificate that is certified for the (sub-) domain you are accessing the PRTG web interface from, you can use it with PRTG.
This is what you need
You need three files:
- Certificate of your server
- Root certificate(s) of the issuer (if there is more than one, please copy all of them into one root certificate text file, using a text editor - the order does not matter, just copy them together)
- Private key of your server, decrypted
Copy and rename the files
Once you have collected (or created) the files, copy them to the /cert sub-folder of your PRTG core installation (make a backup of the existing files in this folder for later recovery). Rename your new files as follows:
- prtg7.crt (the certificate of your server)
- root.pem (the root certificate of the issuer)
- prtg7.key (private key of your server, decrypted)
Final settings for PRTG
- Open the PRTG Server Administrator and select "HTTPS/SSL on Port 443" for the Web Server Port setting.
- Now restart the PRTG Network Monitor Core service and access the PRTG web interface using HTTPS.
Done!
When Upgrading PRTG Network Monitor
If you install a new version of PRTG Network Monitor the installer will detect your custom certificate files and may ask you whether it should overwrite those files. Please choose not to overwrite your certificate (V7.1 or later).
Created on Feb 3, 2010 12:57:08 PM by
Daniel Zobel [Paessler Support]
Option 4: Set Up Your Own Certification Authority
If you access your PRTG server from within your own domain only, you can consider setting up your own Certification Authority (CA).
Created on Mar 11, 2010 2:11:20 PM by
Daniel Zobel [Paessler Support]
Option 2: Using a Free Trial SSL Certificate (InstantSSL)
The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings you must install a "trusted certificate". This article explains how you can do this by getting a certificate from Comodo InstantSSL. Apart from official paid-for certificates they also offer free 90-day certificates that work well for PRTG 7.
Step 1: Install OpenSSL
- Download and install “Win32 Open SSL Light” from http://www.shininglightpro.com/products/Win32OpenSSL.html. By default the OpenSSL files are installed into the c:\openssl folder.
- You also need to download and install Visual C++ 2008 Redistributables if you see this error upon installation: “The Win32 OpenSSL Installation Project setup has detected that the following critical component is missing: Microsoft Visual C++ 2008 Redistributables. Win32 OpenSSL will not function properly without this component. It is recommended that you install the missing component before clicking OK to continue.” The files can be downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF
Step 2: Create your CSR (Certificate Signing Request)
- Open a command prompt (Start->Run->"cmd") and go to the c:\openssl\bin folder where the openssl.exe is located (“cd c:\openssl\bin”).
- Enter the following command:
openssl req -new -nodes -keyout prtg7.key -out prtg7.csr -config openssl.cfg
- There will be a few questions for you to answer.
- The “Common Name” question is the most important: Here you must enter the domain name (or the IP address) that you want to securely use with the webserver of PRTG. Finally your screen should look like this:
C:\OpenSSL\bin>openssl req -new -nodes -keyout prtg7.key -out prtg7.csr -config openssl.cfg
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
..................++++++
.......................................++++++
writing new private key to 'prtg7.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuremberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paessler AG
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:prtg2.paessler.com
Email Address []:info@paessler.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.

C:\OpenSSL\bin>
- Note: For more information see the InstantSSL website: http://www.instantssl.com/ssl-certificate-support/csr_generation/ssl-certificate-openssl.html
- You will now find two new files in the c:\openssl folder:
- prtg7.key: contains a private key. Do not disclose this file to anyone!
- prtg7.csr: This is your certificate request file which must be sent to the certification company.
Step 3: Request your certificate from instantssl.com
- Go to the InstantSSL website and choose “Free SSL Certificate” (which will give you a free certificate that will be working for 90 days) or choose one of the paid-for options.
- At the time of writing this article the URL for the free option was: http://www.instantssl.com/ssl-certificate-products/free-ssl-certificate.html. Click on “Get It Free Now”
- Open the prtg7.csr file which you created before in a text editor and copy and paste the full contents into the instantssl website (copy everything in the file including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----").
- For “Select the server software used to generate the CSR” select “OTHER” and finally click on “Agree” at the bottom of the page.
- Depending on the type of certificate some sort of validation process is now performed by Comodo (e.g. you will receive emails with requests from them).
Step 4: Preparing the certificate files for PRTG
- As soon as the validation is checked by Comodo they will provide you with a ZIP file that contains one file with the name of your PRTG domain as well as a few other .crt files. In our sample the files were:
- prtg2_paessler_com.crt (This is your server certificate)
- AddTrustExternalCARoot.crt
- ComodoUTNSGCCA.crt
- EssentialSSLCA_2.crt
- UTNAddTrustSGCCA.crt
- Rename the first file (the server certificate file) to prtg7.crt
- Open all other files in a text editor and combine the contents of all files into one file and save it as root.pem (simply copy them into one file, the order is not relevant).
Step 5: Copy the files into the /cert folder of your PRTG installation
- Copy the following files into the /cert subfolder of your PRTG Network Monitor installation (make a copy of the existing demo certificates for backup purposes):
- prtg7.crt (the certificate of your server)
- root.pem (the root certificates of the issuer)
- prtg7.key (private key of your server)
- Open the PRTG Core Administrator tool and select "HTTPS/SSL on Port 443" for the Web Server Port setting.
- Now restart the PRTG Network Monitor core service and access the website using HTTPS.
- You should also make a backup copy of your certificate files!
Step 6: When Upgrading PRTG Network Monitor
If you install a new version of PRTG Network Monitor the installer will detect your custom certificate files and may ask you whether it should overwrite those files. Please do not overwrite your certificate (V7.1 or later).
Created on Feb 2, 2010 4:00:04 PM by
Daniel Zobel [Paessler Support]
Last change on Feb 2, 2010 4:23:47 PM by
Daniel Zobel [Paessler Support]
Option 3: Using a Certificate from a Microsoft CA Server
The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings you must install a "trusted certificate". The following article outlines how to install a custom certificate from a Microsoft CA server in order to work with PRTG 7. For these purposes a valid certificate needs to be generated and the respective functionality needs to be activated for PRTG. This process is outlined below.
Install Root Certificate
- Install your Microsoft CA Root certificate on all machines that will access the PRTG web interface URL
Create a Server Certificate
- Go to your Microsoft CA server's web interface using Internet Explorer
- Create a certificate from the Web Server template
- Ensure 'Mark keys as exportable' is checked
- Enter the hostname part of the URL you will access the PRTG web interface with for the 'Friendly Name:' field
- Click on 'Submit'
- Click the 'Install this certificate' link after the request is submitted
Export Certificates and Key
- On the machine you just installed the certificate on, go to: Start->Run, type 'certmgr.msc' and click 'Ok'
- Expand the 'Personal' folder
- Expand the 'Certificates' folder
- Right-click the newly created certificate in the right-hand frame
- Go to 'All Tasks->Export'
- Click 'Next'
- Choose 'Yes, export the private key'
- Click 'Next'
- Choose 'Personal Information Exchange - PKCS #12 (.PFX)' file export (if not selected already)
- Ensure the only box checked is 'Include all certificates in the certification path if possible'
- Click 'Next'
- Enter and confirm a new password for the certificate key
- Click 'Next'
- Specify the file name to save to as 'prtg.pfx'
- Click 'Next'
- Click 'Finish'
- Click 'Ok'
Extract Key
- Download and extract the OpenSSL certificate utilities for windows from: http://download.kerio.com/dwn/kms/sslcert.zip
- Place the 'prtg.pfx' certificate file created above in the same directory as the OpenSSL utilities
- Run: openssl pkcs12 -in prtg.pfx -nocerts -out prtg-temp.key
- At the "Enter Import Password:" prompt enter the password created above
- At the "Enter PEM pass phrase:" and verify prompts, enter the same password
- Run: openssl rsa -in prtg-temp.key -out prtg.key
- At the "Enter PEM pass phrase:" prompt enter password, as above
- Delete the prtg-temp.key file
Extract the Server and Root Certificate
Server Certificate
- Run: openssl pkcs12 -in prtg.pfx -out prtg.pem
- At the "Enter Import Password:" prompt enter the password you created above
- At the "Enter PEM pass phrase:" and verify prompts, enter the same password
- Open the 'prtg.pem' file using a text editor
- Find the FIRST instance of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' (there will be 2 or more instances)
- This should be your server certificate.
- Check the CN= value in the subject= line above '-----BEGIN CERTIFICATE-----' to confirm this
- Delete everything in the file before the FIRST instance of '-----BEGIN CERTIFICATE-----' and everything after the FIRST instance of '-----END CERTIFICATE-----'
Your file should look like this:
-----BEGIN CERTIFICATE-----
<random entries>
-----END CERTIFICATE-----
- Save the file as a new file entitled 'prtg.crt'
Root Certificate
- Open the 'prtg.pem' file anew using a text editor
- Find the SECOND instance of '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----'
- This should be your CA root certificate
- Check the CN= value in the subject= line above '-----BEGIN CERTIFICATE-----' to confirm this
- Delete everything in the file before the SECOND instance of '-----BEGIN CERTIFICATE-----' and everything after the SECOND instance of '-----END CERTIFICATE-----'
Your file should look like this:
-----BEGIN CERTIFICATE-----
<random entries>
-----END CERTIFICATE-----
- Save the file as a new file called 'root.pem'
- Delete the prtg.pem file
Move the Certificates and Related Files
Copy the following files into the /cert subfolder of your PRTG Network Monitor installation (make a copy of the existing demo certificates for backup purposes):
- prtg7.crt (the certificate of your server)
- root.pem (the root certificates of the issuer)
- prtg7.key (private key of your server)
Activate the Secure Web Server
- On your PRTG machine, start the 'PRTG Server Administrator' application from the Windows START menu
- Under the 'Web Server' tab, check the 'HTTPS/SSL on Port 443' checkbox.
- Click 'Ok'
Your certificate should now be installed and configured properly in order to work with PRTG Network Monitor 7.
Created on Feb 2, 2010 4:32:32 PM by
Daniel Zobel [Paessler Support]
Last change on Apr 16, 2010 4:34:38 PM by
Daniel Zobel [Paessler Support]
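All four procedures above end at the same three files: a prtg7.crt holding only the server certificate, a root.pem holding every issuer certificate concatenated, and a prtg7.key that has been decrypted, with the server certificate's name matching the URL you browse to. The Python below is an added example, not Paessler's code and not anything shipped with PRTG. It automates the cut-and-paste from the Microsoft CA answer (picking the server certificate out of prtg.pem by the CN that `openssl pkcs12` prints above each block), the concatenation of the Comodo .crt files from the InstantSSL answer, and the two checks a browser makes anyway: that the certificate's name matches the host (with the wildcard rules that apply to the "(Wildcard) Certificate" answer, and with the rule that a wildcard never covers an IP address) and that the key is usable, i.e. not passphrase-protected like the StartSSL key before Step 4. The sample PEM text is constructed with placeholder bodies; the file names are the PRTG 7 names used in the answers; the name-matching rules are the general TLS rules of RFC 6125, not something PRTG itself enforces.

```python
# Added example, not Paessler's code: build the prtg7.crt / root.pem / prtg7.key trio
# the answers above assemble by hand, with the checks they do by eye (server cert
# picked by CN, issuer chain concatenated, private key must be decrypted).
import ipaddress
import re
from typing import Dict, List, NamedTuple, Optional


class PemBlock(NamedTuple):
    label: str                 # "CERTIFICATE", "RSA PRIVATE KEY", ...
    text: str                  # normalised block incl. BEGIN/END lines
    subject_cn: Optional[str]  # CN from a preceding "subject=" line, if any
    encrypted: bool            # passphrase-protected private key?


_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----", re.DOTALL)
# Matches "subject=/C=DE/CN=host" (OpenSSL 1.x) and "subject=C = DE, CN = host" (3.x).
_SUBJECT_CN_RE = re.compile(r"^subject=.*?\bCN\s*=\s*([^,/\r\n]+)", re.MULTILINE)


def parse_pem(text: str) -> List[PemBlock]:
    """Split PEM text into blocks, keeping the CN that `openssl pkcs12` prints above each."""
    blocks, last_end = [], 0
    for m in _BLOCK_RE.finditer(text):
        preamble, last_end = text[last_end:m.start()], m.end()
        label, body = m.group("label"), m.group("body").replace("\r\n", "\n")
        cn = _SUBJECT_CN_RE.search(preamble)
        blocks.append(PemBlock(
            label, f"-----BEGIN {label}-----\n{body}-----END {label}-----\n",
            cn.group(1).strip() if cn else None,
            label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body))
    return blocks


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style check: case-insensitive; a wildcard counts only as the whole
    left-most label of a name with two or more further labels, covers exactly one
    label, and never matches an IP address literal."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or "*" in pattern[1:] or _is_ip(hostname):
        return False
    return len(h) == len(p) and h[1:] == p[1:]


def assemble_prtg_files(cert_material: str, key_material: str, hostname: str) -> Dict[str, str]:
    """Map PRTG 7 file name -> contents, or raise ValueError with the reason it won't work.

    cert_material: PEM holding the server certificate and its issuer chain (the prtg.pem
    from `openssl pkcs12`, or the CA's .crt files concatenated). With "subject=" lines
    the server certificate is chosen by CN; without them the first block is taken.
    key_material: PEM of the private key, which must already be decrypted."""
    certs = [b for b in parse_pem(cert_material) if b.label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if any(b.subject_cn for b in certs):
        hits = [b for b in certs if b.subject_cn and hostname_matches(b.subject_cn, hostname)]
        if not hits:
            raise ValueError(f"no certificate CN matches {hostname!r}; the browser warning would stay")
        server = hits[0]
    else:
        server = certs[0]
    chain = [b for b in certs if b is not server]
    if not chain:
        raise ValueError("no issuer certificate found; root.pem would be empty")
    keys = [b for b in parse_pem(key_material) if b.label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError(f"expected one private key block, found {len(keys)}")
    if keys[0].encrypted:
        raise ValueError("private key is passphrase-protected; decrypt it first (openssl rsa)")
    return {"prtg7.crt": server.text,
            "root.pem": "".join(b.text for b in chain),
            "prtg7.key": keys[0].text}


# Constructed sample in the shape `openssl pkcs12 -in prtg.pfx -out prtg.pem` writes;
# the base64 bodies are placeholders, not real certificates or keys.
SAMPLE_PRTG_PEM = """Bag Attributes
    localKeyID: 01 00 00 00
subject=/DC=com/DC=example/CN=prtg.example.com
issuer=/DC=com/DC=example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIFAKESERVERCERT
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=/DC=com/DC=example/CN=Example Root CA
issuer=/DC=com/DC=example/CN=Example Root CA
-----BEGIN CERTIFICATE-----
MIIFAKEROOTCERT
-----END CERTIFICATE-----
"""
SAMPLE_PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEFAKEDECRYPTEDKEY\n-----END RSA PRIVATE KEY-----\n"
```

Call assemble_prtg_files() with the text of your real prtg.pem (or the concatenated .crt files) and your decrypted key, then write the three entries into the /cert folder after backing up the files already there, exactly as the answers say. When the CN check raises, the certificate you hold will not stop the browser warning however it is installed, so fix the name before touching PRTG. Two caveats on the InstantSSL transcript that are not in the answers: the session shown generates a 1024-bit key, and current practice is at least 2048 bits (add -newkey rsa:2048 to the openssl req command); and browsers released since 2017 no longer read the name from the CN at all but require it in a subjectAltName extension, so a CN-only CSR like the one shown needs a SAN added before the warning goes away in a modern browser.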