Showing results for 
Search instead for 
Did you mean: 

CMSCDR TLSCertchain=server_cert.pem

05 Base Camper

CMSCDR TLSCertchain=server_cert.pem


For the CMSCDR config, from 11.7 to 12.2 it says that the configuration can be done in Windows Client and Web Admin. Which is the path to follow in the Web Admin to change that configuration?

For the specific content, where is server_cert.pem expetected to be located, and which is the expected content (full chain or only the server one) and format?

Thanks in advance


Re: CMSCDR TLSCertchain=server_cert.pem

Hi @ManuelC,


You're able to add a CMS cluster (and additional servers) to the Prognosis Monitoring server via the WebUI, but it looks like the CMSCDR entry can only be added via the Prognosis Windows Client by including an additional line in the configuration:


DEFINE HTTP_PROFILE (CMSCDR, port=<port-number>[, ssl=1][, {"TLSCertchain=<server-cert-key-combined.pem>" | "TLSCertThumb=<certificate thumbprint>"}] )

This is described in more detail on this page in the Product Guide.

Prognosis generates a self-signed certificate under '<drive>:\Prognosis\Server\Configuration', which is called 'server-cert-key-combined.pem'. As the name suggests, this is a combination of the server certificate and private key.

If you only use the certificate name, the default location is under the 'Prognsois\Server\Configuration' directory, otherwise you can use the absolute path if the certificate is stored elsewhere.

Another alternative is to install the certificate in the Personal certificate store (the private key may also need to be exportable) and specify the Thumbprint of the certificate using the TLSCertThumb= parameter.


I hope this information helps, but please let me know if you have further questions.



Scott Clement

05 Base Camper

Re: CMSCDR TLSCertchain=server_cert.pem

Hi @ManuelC 


when you create your own "server-cert-key-combined.pem" or get it from p.a. MMC-output. And having trouble with it, please check if there's an empty-line [CR/LF] at the end. And remove it.

At least that fixed it for me with TXN-adapter in P12.1

Good luck !

Mvg Jappie Toutenhoofd
Rabobank Netherlands
05 Base Camper

Re: CMSCDR TLSCertchain=server_cert.pem

Thanks for your answer, still have a question.

If for example we use the IIS server cert as reference, what is expected to be included in " TLSCertchain=<server-cert-key-combined.pem " ?

I mean, the public key of the IIS cert and all the public key chin up to the root? For the private key, is there a need to configure someway where it is?



Re: CMSCDR TLSCertchain=server_cert.pem

Hi @ManuelC,

It might help to compare the contents of the out-of-box server.crt, server.key and server_cert_key_combined.pem files. If you open all three in a text editor, you can see the 'server_cert_key_combined.pem' file just contains the contents of the .crt and .key files.

If you've received a CA signed certificate, it would be easier to install this in the local certificate store and reference the thumbprint.

It would be possible to generate the certificate/key combination in the required format from a .pfx file using the following steps (this is assuming you've installed Prognosis on the C drive):
1) Copy your .pfx file (e.g. 'ServerCertificate.pfx') to 'C:\Prognosis\server\configuration\utils\rabbitmq'.
2) Start a command shell under 'C:\Prognosis\server\configuration\utils\rabbitmq'.
3) Execute the following series of commands:


@echo OFF

set Prognosis_Home=C:\Prognosis

set OPENSSL_CONF=%~dp0\openssl.cnf

mkdir keys
cd keys
type nul > index.txt
echo 01 > serial

openssl pkcs12 -in ..\ServerCertificate.pfx -nocerts -out server_key.pem -nodes
openssl pkcs12 -in ..\ServerCertificate.pfx -nokeys -out server_certificate.pem
openssl rsa -in server_key.pem -out server.key

type server_certificate.pem, server.key > new_server_cert_key_combined.pem

Note: Executing the 'openssl' commands to export or change the format of the key will likely prompt you for the password used when the .pfx was generated.


4) Open 'new_server_cert_key_combined.pem' in a text editor and remove any additional text outside of the

"-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----", "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" tags.

5) Copy the 'new_server_cert_key_combined.pem' to the 'Prognosis\server\configuration' directory.

6) You can now remove the 'ServerCertificate.pfx' file and  delete the 'keys' directory (and its contents) under the 'C:\Prognosis\server\configuration\utils\rabbitmq' directory.


Hopefully this explains in more detail.

If you're having difficulty configuring the collector and/or certificate, it might be easier to submit a support case so that we can work with you directly to resolve any issues you may be experiencing.