NFA: ApplyHTTPS Tool


Article ID: 213529


Products

Network Flow Analysis

Issue/Introduction

In order to simplify and streamline applying HTTPS/SSL to DX NetOps Network Flow Analysis and Application Delivery Analysis, the DX NetOps Support team wrote the ApplyHTTPS tool. The tool features multiple options to help get DX NetOps NFA or Application Delivery Analysis secured. You can download the ApplyHTTPS.zip file from this document. Please review the options below and see the additional notes for troubleshooting.

Latest Version: ApplyHTTPS 25.4.6 (March 30, 2026)

Release Notes:

**ApplyHTTPS 25.4.6 will now check if you want OData/RIB/SOAP HTTPS turned on in line while running HTTPS options.

**ApplyHTTPS 25.4.6 will now prompt you for a destination KEYSTORE password and ask if you want to obfuscate the password (recommended).

**ApplyHTTPS 25.4.6 no longer supports ADA or NFA 22.2.3 and prior, to eliminate the need for legacy .NET 4.5 compatibility. If you require ApplyHTTPS 25.4.5 (Legacy Build) for ADA or NFA 9.3.8 - 22.2.3 support, please open a support ticket.

**ApplyHTTPS is now code signed on ApplyHTTPS 25.4.2+.

**ApplyHTTPS 24.3.13 adds new features to help manage the currently used certificate and keystores. In Option 4, pressing enter automatically picks up the current keystore (path, alias, and password) so that a new CSR can easily be created to renew your NFA certificate. In Option 5, pressing enter automatically reads in the current keystore and lets you provide the returned certificate path to complete the request and update the keystore. Option 6 is also introduced and can be used to create self-signed certificates for any server (not just the NFA server).

**With ApplyHTTPS 23.3.2+ you will have to provide a friendly DNS name / FQDN when prompted. The name you provide MUST be found in the certificate's Common Name or Subject Alternative Name**

Please edit the parameters.config file included with the package if you wish to use non-default options for the IIS port, OData port, or Jetty SSO port, or to disable the SOAP HTTPS option (not recommended).

If you need help generating a signed certificate without the use of this tool, please see: NFA HTTPS: How to generate and apply signed certificates

 

Environment

DX NetOps Network Flow Analysis 22.3.4 - 25.4.6

 

Cause

To minimize the time it takes to manually set up HTTPS for IIS, Jetty SSO, Jetty RIB, OData, and SOAP Internal Services on DX Network Flow Analysis and provide an easy method to work with signed or self-signed certificates outside of NFA.

Resolution

Overview

ApplyHTTPS is a command-line utility that configures HTTPS and HTTP settings for DX NetOps NFA versions 22.2.3 through 25.4.6. It manages SSL certificates, Jetty SSO/RIB configurations, IIS bindings, Apache Tomcat, keystores, Java truststores, and database settings.

Requirements:

  • Must be run with Administrator privileges
  • NFA Console or Standalone must be installed with services started
  • The bin folder and parameters.config included with ApplyHTTPS.zip must be present alongside the executable

Startup

On launch, the tool:

  1. Connects to the NFA MySQL database to determine the installed version
  2. Validates the version is within the supported range (22.2.3 – 25.4.6)
  3. Reads optional port overrides from Parameters.config

All activity is logged to ApplyHTTPS<date>.log in the working directory.

Main Menu

Option 1: Setup HTTPS

Presents a sub-menu with four methods to apply an SSL certificate:

Common Steps (all sub-options)

After the certificate is selected/created, the tool will:

  1. Ask if you also want to configure RIB/OData/SOAP with HTTPS. Answering y or pressing enter enables HTTPS for the RIB/OData service in addition to SSO and IIS.
  2. Create a keystore with your private and public key certificate.
  3. Copy and edit Jetty config files (SSO and RIB) with the certificate path and password
  4. Update ReporterAnalyzer.ini with keystore paths, passwords, and obfuscation settings for OData
  5. Update various NFA database tables for HTTPS mode
  6. Import certificates into the CACERTS truststore as well as the Windows Trusted Root Certification Store
  7. Restart SSO, OData, RibSource, etc if standalone
  8. Run iisreset

Sub-option 1: Use a PFX File

Use this when you have a PKCS12 certificate file (.pfx or .p12).

Prompts:

  1. Enter the full path to a .PFX / .P12 file: — Full path to your certificate file.
  2. Input your PFX password: — The password for the source PFX file.
  3. Enter new keystore password or press enter to use the input password: — The password to use for the NFA keystore. This can be different from the source PFX password.
  4. Obfuscate the keystore password? [Y/n] (Press Enter for Yes): — If y, passwords are obfuscated using Jetty OBF format in Jetty configs and encrypted in ReporterAnalyzer.ini. If n, passwords are stored in plain text.
  5. Configure RIB/OData/SOAP with HTTPS? [Y/n] (Press Enter for Yes): — If y, NFA is configured with full HTTPS and not just SSO/IIS HTTPS
  6. Enter in DNS name of server or press enter to accept the previously used DNS name or FQDN of the server (This value MUST be in the certificate's Subject Alternative Name).

What it does:

  • Imports the PFX into the Windows Personal certificate store
  • Creates the HTTPS binding in IIS
  • Creates a new PFX (KEYSTORE) with a new password, or retains the source password if you press enter
  • Exports the .cer and splits the certificate chain and does CACERT imports of the root and intermediary certificates
  • Applies config files and database changes

Sub-option 2: Use an IIS Installed Certificate

Use this when the certificate is already installed in a Windows certificate store.

Prompts:

1: Personal Store

2: WebHosting Store

R: Return

Q: Quit

  1. Certificate selection — displays all certificates with private keys in the chosen store, showing Subject, Thumbprint, and Expiration. Enter the number of the certificate to use.
  2. Enter a destination keystore password (6+ characters): — Password for the NFA keystore.
  3. Obfuscate the keystore password? [Y/n] (Press Enter for Yes): — If y, passwords are obfuscated using Jetty OBF format in Jetty configs and encrypted in ReporterAnalyzer.ini. If n, passwords are stored in plain text.
  4. Configure RIB/OData/SOAP with HTTPS? [Y/n] (Press Enter for Yes): — If y, NFA is configured with full HTTPS and not just SSO/IIS HTTPS
  5. Enter in DNS name of server or press enter to accept the previously used DNS name or FQDN of the server (This value MUST be in the certificate's Subject Alternative Name).

What it does:

  • Validates the certificate is exportable
  • Exports the certificate from the Windows store to a KEYSTORE file using a new destination password, which can be obfuscated
  • Exports the .cer and splits the certificate chain and does CACERT imports of the root and intermediary certificates
  • Creates/updates the HTTPS binding in IIS
  • Applies config files and database changes

Sub-option 3: Create and Use a Self-Signed Certificate

Use this to generate a new self-signed certificate for testing or internal use.

Prompts:

  1. Enter in your DNS / FQDN Name Value or press enter: — The Common Name (CN) for the certificate. Defaults to the detected FQDN.
  2. Enter a certificate alias: — Required alias for the keystore entry.
  3. Organization fields: Organization, Organizational Unit, City, State, Country — all optional.
  4. Please enter all of your SAN's or press enter: — Subject Alternative Names in the format SAN=dns:name1,dns:name2,ip:1.1.1.1
  5. Enter a destination keystore password (6+ characters): — Password for the keystore.
  6. Obfuscate the keystore password? [Y/n] (Press Enter for Yes): — If y, passwords are obfuscated using Jetty OBF format in Jetty configs and encrypted in ReporterAnalyzer.ini. If n, passwords are stored in plain text.
  7. Configure RIB/OData/SOAP with HTTPS? [Y/n] (Press Enter for Yes): — If y, NFA is configured with full HTTPS and not just SSO/IIS HTTPS
  8. Enter in DNS name of server or press enter to accept the previously used DNS name or FQDN of the server (This value MUST be in the certificate's Subject Alternative Name).

What it does:

  • Creates a self-signed keystore using Java keytool
  • Imports the PFX into the Windows Personal store
  • Exports the .cer and imports it into the local Trusted Root Certification Authorities store
  • Exports the .cer and does a CACERT import of the self-signed certificate
  • Creates/updates the HTTPS binding in IIS
  • Applies config files and database changes

Note: For remote browsers to trust the self-signed certificate, the .cer file must be imported into each user's Trusted Root Certification Authorities store.

Sub-option 4: Post-Upgrade / Automatic Re-apply Certificate

Use this after upgrading NFA to re-apply the previously used certificate without re-entering passwords.

Prompts: None for the certificate itself. The tool automatically:

  1. Finds the certificate currently bound to the HTTPS port in IIS
  2. Reads the existing keystore password from the SSO Jetty config (ssl.ini)
  3. Reads the existing encrypted password from ReporterAnalyzer.ini
  4. Configure RIB/OData/SOAP with HTTPS? [Y/n] (Press Enter for Yes): — If y, NFA is configured with full HTTPS and not just SSO/IIS HTTPS
  5. Enter in DNS name of server or press enter to accept the previously used DNS name or FQDN of the server (This value MUST be in the certificate's Subject Alternative Name).

What it does:

  • Exports the existing IIS certificate to a KEYSTORE file using the existing password
  • Exports the .cer and splits the certificate chain and does CACERT imports of the root and intermediary certificates
  • Applies config files and database changes

Option 2: Setup HTTP

Reverts NFA from HTTPS to HTTP mode.

Prompts: None — runs automatically.

What it does:

  • Removes the HTTPS binding from IIS (if present)
  • Ensures an HTTP binding exists
  • Copies HTTP-mode config files for SSO and RIB
  • Sets ReporterAnalyzer.ini for HTTP.
  • Updates the database for HTTP mode
  • Restarts SSO, OData, RibSource, etc (if Standalone)
  • Runs iisreset

Option 3: Import Certificate for LDAPS / SMTPS / Certificate Authority

Imports one or more public certificates into both the Windows Trusted Root store and the Java truststore. Use this for LDAPS, SMTPS, or Certificate Authority trust chains.

Prompts:

  1. Enter the full path and file name to a .CER / .PEM file: — Path to the certificate. Type r to return.
  2. Enter an alias for this certificate: — A unique alias for the Java truststore entry.
  3. Do you have any other certificates to import? — Answer y to import another, n to finish.

What it does:

  • Imports each certificate into the Windows Trusted Root Certification Authorities store
  • Imports each certificate into the NFA Java truststore (cacerts)
  • Restarts the SSO, RIB, and OData service

Option 4: Renew Certificate or Create a New CSR and Keystore

Creates a Certificate Signing Request (CSR) for submission to a Certificate Authority.

Two paths depending on whether an existing keystore is detected:

Path A: Renew Existing (press enter when prompted for password)

Available for users running NFA 24.3.13+

Prompts:

  1. Enter a password for a new keystore (6+ characters) or press enter to use the existing keystore: — Press enter to renew.
  2. Please enter all of your SAN's or press enter: — Optional SANs.

What it does:

  • Reads the existing keystore path and password from NFA
  • Finds the private key alias
  • Generates a CSR from the existing keystore
  • Opens the output folder for you

Path B: Create New Keystore and CSR (enter a password)

Prompts:

  1. Password for the new keystore (6+ characters)
  2. DNS / FQDN Name Value
  3. Organization fields (Organization, Organizational Unit, City, State, Country) — all optional.
  4. SANs

What it does:

  • Creates a new private key / keystore for NFA or any other server
  • Generates a CSR from the new keystore for NFA or any other server
  • Opens the output folder for you

Output: The path to the generated .csr file to provide to your Certificate Authority for signing.

Option 5: Complete a Signed Certificate Request

Imports a signed certificate (received from your CA) back into the keystore that generated the CSR.

Two paths:

Path A: Import into current NFA keystore (press enter)

Available for users running NFA 24.3.13+

Available when NFAPasswdObsUtil.jar exists. Automatically reads the current keystore path and password from the SSO config.

Prompts:

  1. Press enter at the file path prompt
  2. Enter the path for the signed certificate (.cer / .pem / .p7b) file...

What it does:

  • Imports the signed certificate into the working keystore
  • Imports into the Windows Personal store, updates the IIS HTTPS binding, restarts SSO, RIB, OData, and runs iisreset

Path B: Import into a specified keystore file

Prompts:

  1. Enter .pfx / .p12 file path... — Path to the keystore file.
  2. Enter the password you used to create the PKCS12 keystore file — Keystore password.
  3. Enter the path for the signed certificate (.cer / .pem / .p7b) file... — The signed certificate from your CA.

What it does:

  • Imports the signed certificate into the specified keystore
  • Opens the output folder.

Option 6: Create a Self-Signed Certificate for a Different Server

Creates a self-signed certificate and keystore for use on another server (not applied to NFA).

Prompts:

  1. Enter in the DNS / FQDN Name Value: — Required CN.
  2. Enter a 6+ character keystore password: — Masked input.
  3. Enter a certificate alias: — Required.
  4. Organization fields (Organization, Organizational Unit, City, State, Country) — all optional.
  5. How many days valid? (e.g. 730): — Certificate validity period.
  6. Key size (2048 or 4096): — RSA key size.
  7. Please enter all of your SAN's or press enter: — Optional SANs.

Output: Creates a .pfx keystore and .cer certificate file in <NFA Install Dir>\certs\ApplyHTTPS\<CN>\.

Option 7: Obfuscate All Existing Passwords

Obfuscates all plain text keystore passwords across NFA configuration files.

Prompts: None — runs automatically.

Prerequisites: NFA must be in HTTPS mode. If NFA is set to HTTP, the tool will display:

Cannot obfuscate passwords when NFA is set to HTTP. Please apply HTTPS first.

What it does:

  • Individually checks each configuration file and only updates those with plain text passwords:
    • SSO Jetty configs (ssl.ini or jetty-ssl-context.xml)
    • RIB Jetty configs (ssl.ini, start.ini, or jetty-ssl-context.xml)
    • ReporterAnalyzer.ini (all keyStorePassword/trustStorePassword fields)
  • Obfuscates using Jetty OBF format for Jetty configs
  • Encrypts ReporterAnalyzer.ini
  • Sets ReporterAnalyzer.obfuscatePasswords=true
  • Restarts SSO, OData, and RibSource services
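
To see which Jetty .ini files still hold plain-text passwords before running Option 7, a check like the following can be used. It is an added example, not part of ApplyHTTPS or the original article; the function name, the rule that a password key ends in "Password", and the sample content are assumptions, and it does not parse jetty-ssl-context.xml or ReporterAnalyzer.ini.

```powershell
# Added example (not part of ApplyHTTPS): report Jetty .ini password properties
# that are still stored in plain text. Assumption: the property is a key=value
# line whose key ends in "Password", e.g. jetty.sslContext.keyStorePassword.
function Find-PlainTextJettyPassword {
    param(
        [string[]] $Line,               # lines of one .ini file
        [string]   $Source = 'inline'   # label shown in the report
    )
    for ($i = 0; $i -lt $Line.Count; $i++) {
        $text = $Line[$i].Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }   # blanks, comments
        if ($text -match '^(?<key>[^=\s]*password)\s*=\s*(?<value>.*)$') {
            $key   = $Matches['key']
            $value = $Matches['value'].Trim()
            $state = if ($value -eq '') { 'empty' }
                     elseif ($value.StartsWith('OBF:')) { 'obfuscated' }
                     else { 'plaintext' }
            # Report location and state only; never echo the secret itself.
            [pscustomobject]@{ Source = $Source; LineNumber = $i + 1; Key = $key; State = $state }
        }
    }
}

# Constructed sample content, not taken from a real NFA installation.
$sample = @'
# ssl.ini (constructed)
jetty.sslContext.keyStorePath=etc/keystore.pfx
jetty.sslContext.keyStorePassword=OBF:constructed-sample-value
jetty.sslContext.keyManagerPassword=ChangeMe123
jetty.sslContext.trustStorePassword=
'@ -split "`r?`n"

Find-PlainTextJettyPassword -Line $sample -Source 'sample ssl.ini' | Format-Table -AutoSize

# Against a real file, substitute the path of your own SSO or RIB ssl.ini:
# Find-PlainTextJettyPassword -Line (Get-Content 'C:\path\to\ssl.ini') -Source 'ssl.ini'
```

Jetty's OBF format is a reversible encoding rather than encryption, so the file permissions on these configs still matter after obfuscation.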


Customizable Ports (Not Recommended)

The default Parameters.config file sits alongside the executable and contains key=value pairs:

Key              Default   Description
iis.https.port   443       IIS HTTPS port
sso.https.port   8443      SSO Jetty HTTPS port
iis.http.port    80        IIS HTTP port
odata.port       8681      OData service port

 

 

Additional Information

  • ALWAYS run the file as an administrator, although it is now built to request admin privileges automatically upon execution.
  • Code signed since ApplyHTTPS 25.4.2.
  • Options 4 and 5 will always create your certificate files in installdir\NFA\certs\ApplyHTTPS.
  • Option 6 will create your certificate files in installdir\NFA\certs\ApplyHTTPS\<dns name used>
  • For NFA versions 23.3.2+ you will have to provide a friendly DNS name / FQDN. The name you provide MUST be found in the certificate's Subject Alternative Name. If this is not set properly, the ASP pages will not load properly.
  • This tool was created by the DX NetOps Support Team. Please contact Broadcom support if you have an issue with this tool.
  • If the file does not launch due to Microsoft Windows SmartScreen, try right-clicking the ApplyHTTPS.exe file and going to Properties. See if the file is being blocked. If so, unblock it.
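
The DNS name requirement above can be checked before running Option 1. The following is an added example, not part of ApplyHTTPS or the original article: it lists certificates with private keys in the Personal and WebHosting stores and reports whether each covers a given name. The function name, the sample name nfa.example.com and the wildcard rule are assumptions.

```powershell
# Added example (not part of ApplyHTTPS): pre-flight check that a certificate
# covers the DNS name you plan to enter at the ApplyHTTPS prompt.
function Test-CertificateCoversName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [string] $DnsName
    )
    # DnsNameList holds the DNS names PowerShell extracts from the certificate,
    # including its Subject Alternative Name entries.
    foreach ($entry in $Certificate.DnsNameList) {
        $candidate = $entry.Unicode
        if ($candidate -ieq $DnsName) { return $true }
        # Assumption: a wildcard covers exactly one left-most label.
        if ($candidate.StartsWith('*.')) {
            $suffix   = $candidate.Substring(1)          # e.g. ".example.com"
            $firstDot = $DnsName.IndexOf('.')
            if ($firstDot -gt 0 -and $DnsName.Substring($firstDot) -ieq $suffix) {
                return $true
            }
        }
    }
    return $false
}

# Constructed placeholder; replace with the DNS name / FQDN you will enter.
$fqdn = 'nfa.example.com'

# The two stores offered by "Use an IIS Installed Certificate".
Get-ChildItem -Path Cert:\LocalMachine\My, Cert:\LocalMachine\WebHosting -ErrorAction SilentlyContinue |
    Where-Object HasPrivateKey |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'CoversName'; Expression = { Test-CertificateCoversName $_ $fqdn } } |
    Format-List
```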

Attachments

ApplyHTTPS 25.4.6.zip