This article applies as of PRTG 22

Using a free trial SSL certificate (InstantSSL)

The encryption of traffic already works after you installed PRTG. To stop the browser warnings, you must install a trusted certificate. This article explains how you can do this with a certificate from Comodo InstantSSL. Apart from fee-based certificates, they also offer free 30-day-certificates that you can use for PRTG.

Step 1: Download the PRTG Certificate Importer

The PRTG Certificate Importer automatically combines and converts all files issued by a certificate authority (CA) for the use with PRTG. It also saves the certificate files to the correct path on your PRTG core server.

Step 2: Install OpenSSL

• Download Win32 OpenSSL here and install it. By default, the OpenSSL files are installed to the folder C:\Program Files (x86)\OpenSSL-Win32\.

• If you see this error upon installation, you must also download and install Visual C++ 2008 Redistributables:

"The Win32 OpenSSL Installation Project setup has detected that the following critical component is missing: Microsoft Visual C++ 2008 Redistributables. Win32 OpenSSL does not function properly without this component. We recommend that you install the missing component before clicking OK to continue." Download the files here.

Step 3: Create your CSR (Certificate Signing Request)

• Open a command prompt and go to to the C:\Program Files (x86)\OpenSSL-Win32\bin folder where the openssl.exe is located. You can do this by typing cd C:\Program Files (x86)\OpenSSL-Win32\bin.
• Enter the following command:

openssl req -nodes -newkey rsa:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg

• Answer the questions that appear in the command prompt.
• The Common Name question is the most important: Here, you must enter the domain name or IP address that you want to securely use with the PRTG web server. Your screen should look like this:

C:\Program Files (x86)\OpenSSL-Win32\bin>openssl req -nodes -newkey rsa:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg
Loading 'screen' into random state - done
Generating a RSA private key
..................++++++
.......................................++++++
writing new private key to 'prtg.key'
-----
You are about to be asked to enter information that is incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are several fields, but you can leave some of them blank.
For some fields, there is a default value,
If you enter '.', the field is left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Nuremberg
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paessler AG
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:prtg.paessler.com
Email Address []:[email protected]

Enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:.
An optional company name []:.

C:\Program Files (x86)\OpenSSL-Win32\bin>

• Note: For more information, see the Comodo website. Make sure to follow Comodo's guideline when you generate your CSR:

When generating your CSR, also make sure to enter your details as follows:
Country Name: US
State or Province Name: NJ
Locality Name: Jersey City
Organization Name: Comodo
Common Name: www.domain.com

• There are now two new files in the C:\Program Files (x86)\OpenSSL-Win32\bin folder:
  • prtg.key: Contains a private key. Do not disclose this file to anyone.
  • prtg.csr: This is your certificate request file that must be sent to the CA.

Step 4: Request your certificate from instantssl.com

• Go to the InstantSSL website and select InstantSSL Trial Certificate. This gives you a free certificate that works for 30 days. Alternatively, you can select one of the other plans.
• Open the prtg.csr file in a text editor. Copy and paste all of the contents to the instantssl website (make sure to copy everything in the file, including -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST-----).
• For Select the server software used to generate the CSR select OTHER and click Agree at the bottom of the page.
• Depending on the type of certificate, Comodo starts a validation process and might send you emails with further instructions.

Step 5: Preparing the certificate files for PRTG

• As soon as the validation process is completed, Comodo provides you with a .zip file that contains one file with the name of your PRTG domain as well as a few other .crt files. In our sample, the files were:
  • prtg_paessler_com.crt (the server certificate)
  • AddTrustExternalCARoot.crt
  • ComodoUTNSGCCA.crt
  • EssentialSSLCA_2.crt
  • UTNAddTrustSGCCA.crt
• Save the certificate files to one directory, together with the private key that you obtained before.

If you have not done so yet, download the PRTG Certificate Importer to import these files correctly for PRTG. If you do not use the PRTG Certificate Importer, you must do the following:

• Rename the first file (the server certificate file) to prtg.crt.
• Open all other files in a text editor, combine the contents of all files into one file, and save it as root.pem (simply copy them to one file, the order is not relevant).

We do not recommend that you manually import certificates.

Step 6: Copy the files to the /cert folder of your PRTG installation

Use the PRTG Certificate Importer for this step. Open the PRTG Certificate Importer and follow these steps:

1. Provide the path to the downloaded certificate files and to the private key.
2. Finish if the validation was successful and switch PRTG to a secure HTTPS server in the PRTG Administration Tool section PRTG Web Server.

You can now access your PRTG web interface via HTTPS.

If you want to manually import the InstantSSL certificate:

• Copy the following files to the /cert folder of your PRTG Network Monitor installation (make a copy of the existing demo certificates as a backup):
  • prtg.crt (the certificate of your server)
  • root.pem (the root certificates of the issuer)
  • prtg.key (the private key of your server)
• Open the PRTG Administration Tool on the PRTG core server system. On the PRTG Web Server tab, select Secure HTTPS Server.
• Now restart the PRTG Network Monitor core server service and access the website via HTTPS.
• We recommend that you always back up your certificate files.

This article applies as of PRTG 22

Using a certificate from a Microsoft CA server

The encryption of traffic already works after you installed PRTG. To stop the browser warnings, you must install a trusted certificate. This article explains how to generate a custom certificate from a Microsoft CA server and how to activate the respective functionality in PRTG.

Install the root certificate

Install your Microsoft CA Root certificate on all machines that are to access the PRTG web interface URL. You can do so via GPO (Group Policy object). For details, see this link:

• Configure Group Policy to Autoenroll and Deploy Certificates

Create a certificate signing request (CSR)

Use Open SSL to create a CSR. For details, see the article about InstantSSL.

Create a certificate chain

1. Go to your Microsoft CA server's web interface via Internet Explorer.
2. On the Welcome page, select the task Request a Certificate.
3. On the Request a Certificate page, click Advanced Certificate Request.
4. You are now on the Submit a Certificate Request or Renewal Request page:
   1. Open the CSR you generated before, copy the content, and paste it into the Saved Request field.
   2. In the section Certificate Template, select Web Server.
   3. Click Submit.
      
      
      Step 4: Submit your Certificate Signing Request
      
5. On the Certificate Issued page, choose Base 64 Encoded and click Download Certificate Chain.

You can use the resulting certificate chain file (for example, *.p7b) with the PRTG Certificate Importer to install the trusted certificate on your PRTG core server.

Import the certificate

Use the PRTG Certificate Importer to import the certificate for PRTG:

• Download the PRTG Certificate Importer and run it.
• Provide the directory to the certificate chain that you downloaded from the Microsoft CA server.
• Start the import process.
• If the validation was successful, open the PRTG Administration Tool on the PRTG Core Server System and select Secure HTTPS Server on the PRTG Web Server tab.

You can now access the PRTG web interface via HTTPS.

This article applies as of PRTG 22

Quick and easy: using an existing (wildcard) certificate

If you already have a certificate that is certified for the (sub-) domain from which you access the PRTG web interface from, you can use it with PRTG.

What you need

• Certificate of your server (for example, xyz.example.com). You can usually download it from the supplier's web page.
• Root certificate of the issuer (if there is more than one, copy all of them into one root certificate .text file. The order does not matter.) You can usually download it from the supplier's web page.
• Private key of your server. You can usually download it from the supplier's web page or the supplier sends it to you.

Import the certificate

Use the PRTG Certificate Importer to install the wildcard certificate on your PRTG core server:

1. Download and run the PRTG Certificate Importer.
2. Provide the paths to your certificate files.
3. After the PRTG Certificate Importer has installed the certificate on your server, open the Setup | System Administration | User Interface and switch to Secure HTTPS server in the PRTG Web Server section.

You can now access the PRTG web interface via HTTPS.

Manual certificate import

Only go through the following steps if you do not use the PRTG Certificate Importer. Note that we do not recommend that you manually import certificates.

Converting and encrypting

Open your certificate files in a text editor. Make sure your certificates and key files are PEM-encoded. Look at the original PRTG certification files to get an idea what PEM-encoded files should look like. If necessary, use an SSL converter tool.

The private key must be decrypted. If the private key is encrypted (this is indicated in the file), use the private key file in combination with the password your issuer has provided you to generate another private key file that is not encrypted:

1. Download openssl.
2. In the command line, run: openssl rsa -in [encrypted-key].key -out prtg.key
3. At the Enter PEM pass phrase prompt, enter the password for the key.

Copy and rename the files

Once you have collected or created the files, copy them to the /cert subfolder of your PRTG program directory. We recommend that you back up the existing files in this folder for later recovery. If necessary, rename your new files as follows:

• prtg.crt (the certificate of your server)
• root.pem (the root certificate of the issuer)
• prtg.key (private key of your server, decrypted)

Final settings for PRTG

• Open the PRTG Administration Tool on the Core Server System and select Secure HTTPS Server on the Web Server tab.

• Restart the PRTG core server service. You can now access the PRTG web interface via HTTPS.

Set up your own certification authority

If you access your PRTG server from within your own domain only, you can consider setting up your own Certification Authority (CA).

In Regards to Option 3: Using a Certificate from a Microsoft CA Server

You must name the files prtg.crt and prtg.key or PRTG service will not start, it seem this was written down for all the other options apart from this one.

This article applies as of PRTG 22

Certificates for PRTG (Apache) from .pfx file

Use the PRTG Certificate Importer to install certificates from .pfx files on your PRTG core server.

1. Download and run the PRTG Certificate Importer.
2. Provide the path to your certificate files. You need the .pfx file (cert.pfx) and the intermediate (certification authority) CA bundle for Apache server (renamed to root.pem, for example).
3. After the PRTG Certificate Importer has installed the certificate on your server, open the Setup | System Administration | User Interface and switch to Secure HTTPS server in the PRTG Web Server section.

You can now access the PRTG web interface via HTTPS.

Note: An intermediate certificate is a subordinate certificate specifically issued by a trusted root to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, continues via the intermediate CA (or CAs), and ends with the SSL certificate issued to you. Such certificates are called chained root certificates. The root and intermediate CA certificates are contained in the ca-bundle file.

Manual certificate import from a .pfx file:

• Download Openssl software.
• Copy the .pfx file (cert.pfx) to your OpenSSL/Bin directory.
• Open OpenSSL in the command line.
• Type in the following command to transform your .pfx file into a .pem file: openssl pkcs12 -nodes -in cert.pfx -out keys.pem
• Go to your OpenSSL/Bin directory and locate the keys.pem file. Open it in a text editor.
• Locate the private key, which includes and is defined by the text -----BEGIN RSA PRIVATE KEY----- .... certificate contents .... -----END RSA PRIVATE KEY----- and copy it.
• Open a new text editor, paste the private key into the text editor, and save as prtg.key.
• Locate the SSL certificate, which includes -----BEGIN CERTIFICATE----- .... certificate contents .... -----END CERTIFICATE----- and copy the SSL certificate.
• Paste the SSL certificate to a new .text file and save it as prtg.crt.
• Download the intermediate CA bundle for Apache server. Save it as root.pem.
• Copy these three files to the \cert subfolder in the PRTG program directory.
• Restart the PRTG core server service.

Note: An intermediate certificate is a subordinate certificate specifically issued by a trusted root to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, continues via the intermediate CA (or CAs) and ends with the SSL certificate issued to you. Such certificates are called chained root certificates. The root and Intermediate CA certificates are contained within the ca-bundle file.

This article applies as of PRTG 22

Using a GoDaddy SSL certificate with PRTG

Find detailed information in the following article:

How to get a GoDaddy SSL certificate running with PRTG?

This article applies to PRTG Network Monitor 19 or later

Using a DigiCert SSL certificate with PRTG

Find detailed information in the following article:

How to get a DigiCert SSL certificate running with PRTG?

How different is the procedure in Option 3 in a clustered PRTG environment?

Both the master and failover use the same core and server software so you should be able to replace the certs on the failover the same way as the master and that should work.

If I access the PRTG server from my enterprise LAN and also from a public IP. Do I need to create 2 different certificates, one for the local IP and other for the public IP?

@jf_hernandevz: No you don't need separate certificates here, the same certificate is used for the whole web interface. The IP does not matter here.

Just to update this a little bit, browsers now require SSL certs to have Subject Alternative Names (SAN), that means your request (CSR) needs this info.

I am no expert on this, but just just a few issues getting a internal cert issued by my windows certificate authority (Windows CA).

Step 1, My CA was still windows 2008 (dont ask!), and only handing out sha1 (broswers see this as invalid), I installed a Windows 2016 CA, that defaulted to sha256

Step2, Download and install openSSL to generate a CSR, and do some other things.

Step3, make a config file for openssl

san.cfg [ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] countryName = countryName stateOrProvinceName = countryName localityName = localityName organizationName = organizationName commonName = FQDN [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = servername.domain.LOCAL DNS.2 = servername Change "servername" on the last 2 lines

Step 4, run some openSSL commands

:::creates a CSR. creates a private key
openssl req -out sslcert.csr -newkey rsa:2048 -nodes -keyout private.key -config san.cfg

:::this will prompt you for your windows CA, and output a cert (in the wrong format)
certreq -submit -binary -attrib "CertificateTemplate:WebServer" sslcert.csr blah.cer 

:::this will convert the cer to a pem (the correct format)
openssl x509 -inform der -in blah.cer  -out blah.pem

open blah.cer and blah.pem in notepad, and copy these to the PRTG Certificate Importer.

My sincere apologies and all due respect with Dirk and the creators of PRTG. One needs a Doctorate degree to understand how to install a secure certificate in PRTG when most modern systems makes it as simple as running 'certbot'. So I guess asking for simple instructions on how to install Let's Encrypt is out of the question and this item will be deleted by moderation?

Hello Alain,

We already have a the certificate importer which you can use to import the certificate into the PRTG. If you have a appropriate certificate and private key, it's exactly the 3 step process to deploy it.

1. Run the Certificate importer
2. Browse the certificate
3. Provide the Private key

Refer to the following link: https://www.paessler.com/tools/certificateimporter