Documentation for Web Help Desk

Enable FIPS and set up a CA-signed certificate for an existing deployment

The information on this page applies only to WHD 2026.2. For guidance related to other versions, see Web Help Desk Previous Version Documentation.

Platform: Windows Server 2019 or 2022

Enable FIPS for an existing deployment

Instructions differ for the two different types of deployment. This instruction set is specific to an existing deployment. Be sure to follow the instructions for your deployment type. Before enabling FIPS, see FIPS 140-2 compliant cryptography: Before you begin.

See also Instructions specific to a new deployment.

If you are upgrading an existing deployment, back up the aesconf folder and the cacerts.bcfks file from the following location before you begin:

WebHelpDeskHomeDir/conf

  1. Complete the following steps to enable Windows FIPS mode and harden Schannel. This enables Windows FIPS mode and restricts the OS to FIPS-approved protocols and ciphers only.

    1. Stop all services.

    2. Open Notepad and copy the commands below into a text file.

      @echo off
      rem Turn on Windows FIPS mode (Lsa\FipsAlgorithmPolicy\Enabled = 1).
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" /v Enabled /t REG_DWORD /d 1 /f
      
      rem Disable the legacy protocols for both the Server and the Client role.
      for %%P in ("SSL 2.0" "SSL 3.0" "TLS 1.0" "TLS 1.1") do (
          for %%R in (Server Client) do (
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v Enabled /t REG_DWORD /d 0 /f
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v DisabledByDefault /t REG_DWORD /d 1 /f
          )
          echo [OK] Disabled %%~P
      )
      
      rem Explicitly enable TLS 1.2 and TLS 1.3 for both roles.
      for %%P in ("TLS 1.2" "TLS 1.3") do (
          for %%R in (Server Client) do (
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v Enabled /t REG_DWORD /d 1 /f
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v DisabledByDefault /t REG_DWORD /d 0 /f
          )
          echo [OK] Enabled %%~P
      )
      
      rem Restrict the Schannel cipher suite order to AES-GCM suites with ECDHE key exchange.
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v Functions /t REG_SZ /d "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /f
      echo [OK] FIPS cipher suite order configured
      
      @pause
    3. Save the file as fips.bat into the WebHelpDesk home directory.

    4. Execute the fips.bat file.

  2. If the cacerts.bcfks file (the Bouncy Castle FIPS keystore) is not already present, copy it from your backup into:

    WebHelpDeskHomeDir/conf

  3. Set WHD_FIPS_ENABLED to true in the conf\whd.env file:

    1. Open the following file in a text editor:

      C:\Program Files\WebHelpDesk\conf\whd.env

    2. Locate the WHD_FIPS_ENABLED setting and change it to WHD_FIPS_ENABLED=true.

  4. Switch to the FIPS service wrapper:

    copy /Y "C:\Program Files\WebHelpDesk\service\whd-backend-fips.xml.template" "C:\Program Files\WebHelpDesk\service\whd-backend.xml"
    
  5. Follow instructions to Set up a CA-signed certificate.

  6. Restart all services.

  7. To verify that FIPS is active, open the WHD admin UI and click Setup > General > Authentication. The FIPS Compliant Cryptography row should have a green dot followed by Enabled.
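The green dot in the admin UI confirms the application side; the following PowerShell script, added here as an example and not part of the WHD documentation or product, reads back every registry value that fips.bat writes and reports any that differ, so the OS-side hardening can be checked (or re-checked after a Group Policy refresh) from an elevated prompt.

```powershell
# Added check (not part of the WHD documentation): reads back the values
# fips.bat writes and reports any that differ. Run from an elevated prompt.
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$cipherKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$allowed = @('TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256')

# Emits a failure message when a DWORD is missing or does not hold the expected value.
function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual -or $actual -ne $Expected) {
        "$Path\$Name expected $Expected, found '$actual'"
    }
}

# The array subexpression collects every failure message the checks emit.
$failures = @(
    # Windows FIPS mode must be on.
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' Enabled 1
    # Legacy protocols off and TLS 1.2/1.3 on, for both the Server and the Client role.
    foreach ($role in 'Server', 'Client') {
        foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
            Test-RegValue "$schannel\$proto\$role" Enabled 0
            Test-RegValue "$schannel\$proto\$role" DisabledByDefault 1
        }
        foreach ($proto in 'TLS 1.2', 'TLS 1.3') {
            Test-RegValue "$schannel\$proto\$role" Enabled 1
            Test-RegValue "$schannel\$proto\$role" DisabledByDefault 0
        }
    }
    # Cipher suite order must be set and contain only the suites fips.bat configured.
    $functions = (Get-ItemProperty -Path $cipherKey -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $functions) { 'Cipher suite order (Functions) is not set' }
    else {
        $extra = @($functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -notin $allowed })
        if ($extra.Count -gt 0) { "Unexpected cipher suites: $($extra -join ', ')" }
    }
)

if ($failures.Count -eq 0) { 'PASS: FIPS mode and Schannel settings match fips.bat' }
else { $failures | ForEach-Object { "FAIL: $_" }; exit 1 }
```

A non-zero exit code on failure lets the script run unattended from a scheduled task or configuration-drift monitor.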

Set up a CA-signed certificate

A CA-signed certificate is not required for a test server: Caddy's tls internal setting auto-generates a locally trusted certificate that uses FIPS-approved ciphers.

  1. Download OpenSSL to complete these instructions.

  2. Generate a private key:

    1. Open the command prompt as an administrator.

    2. Run the following commands:

      cd /d "C:\Program Files\WebHelpDesk\conf"
      
      openssl genrsa -out key.pem 2048
  3. Create an OpenSSL config for the CSR:

    1. Create the file C:\Program Files\WebHelpDesk\conf\csr.cnf using Notepad:

      notepad "C:\Program Files\WebHelpDesk\conf\csr.cnf"

    2. Paste the following content into the csr.cnf file you created, and then edit the values in the [dn] and [alt_names] sections to match your environment:

      [req]
      default_bits       = 2048
      prompt             = no
      default_md         = sha256
      distinguished_name = dn
      req_extensions     = v3_req

      # Subject of the certificate; CN must be the public hostname of the server.
      [dn]
      C  = US
      ST = Texas
      L  = Austin
      O  = Your Organization
      OU = IT Department
      CN = helpdesk.yourcompany.com

      [v3_req]
      subjectAltName     = @alt_names
      keyUsage           = digitalSignature, keyEncipherment
      extendedKeyUsage   = serverAuth

      # Every hostname and IP address clients will use to reach the server.
      [alt_names]
      DNS.1 = helpdesk.yourcompany.com
      DNS.2 = helpdesk
      IP.1  = 10.0.0.50
      
    3. Save the updated file.

  4. Generate the CSR:

    openssl req -new -key key.pem -out whd.csr -config csr.cnf

  5. Verify the CSR:

    1. Run the following command:

      openssl req -text -noout -in whd.csr

    2. Confirm the following:

      • The Subject matches your organization.
      • The Subject Alternative Names list all hostnames or IP addresses.
      • The Signature Algorithm is sha256WithRSAEncryption (or ecdsa-with-SHA256).
  6. Send whd.csr to your Certificate Authority. You will receive:
    • A Certificate (cert.pem or whd.crt)
    • A CA chain or intermediate certificates (ca-chain.pem)
  7. Create the Full Certificate Chain:
    1. Combine the certificate and the CA chain into one file:

      cd /d "C:\Program Files\WebHelpDesk\conf"
      type cert.pem ca-chain.pem > fullchain.pem
      
    2. Rename the file to cert.pem:

      del cert.pem
      rename fullchain.pem cert.pem
      
  8. Place the files in the required locations:
    1. Place the private key (key.pem) you generated earlier in the following location:

      C:\Program Files\WebHelpDesk\conf\key.pem

    2. Place the full certificate chain (cert.pem) you created earlier in the following location:

      C:\Program Files\WebHelpDesk\conf\cert.pem

    3. Verify that both files are present:

      dir "C:\Program Files\WebHelpDesk\conf\key.pem" "C:\Program Files\WebHelpDesk\conf\cert.pem"

  9. Verify that the key and certificate match:
    1. Run the following commands:

      openssl x509 -noout -modulus -in cert.pem | openssl md5
      openssl rsa  -noout -modulus -in key.pem  | openssl md5
      
    2. Verify that both commands output the same hash value.

  10. Update the conf\whd.env file:
    1. Open the conf\whd.env file in Notepad:

      notepad "C:\Program Files\WebHelpDesk\conf\whd.env"

    2. Set the following values:

      WHD_TLS_CERT=C:\Program Files\WebHelpDesk\conf\cert.pem
      WHD_TLS_KEY=C:\Program Files\WebHelpDesk\conf\key.pem

  11. Restart the application services.

  12. Verify the results:

    openssl s_client -connect localhost:8443 -showcerts
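Where OpenSSL is not available on the host that needs to check the result, the following PowerShell script, added here as an example and not part of the WHD documentation or product, performs a TLS 1.2 handshake against the listener and reports the negotiated protocol and cipher, the served certificate's SAN, and whether the chain builds against the machine trust store. The host name and port are assumptions; pass the CN from your csr.cnf so the name check is meaningful.

```powershell
# Added check (not part of the WHD documentation). Host name and port are assumptions.
param([string]$HostName = 'localhost', [int]$Port = 8443)

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
# Accept any certificate during the handshake; the chain and name are checked explicitly below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    # Offer only TLS 1.2 (Windows PowerShell 5.1's SslProtocols has no Tls13 value);
    # the handshake fails if the server still requires a legacy protocol.
    $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Protocol : $($ssl.SslProtocol)"
    "Cipher   : $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit, key exchange $($ssl.KeyExchangeAlgorithm)"
    "Subject  : $($cert.Subject)"
    "Issuer   : $($cert.Issuer)"
    "Expires  : $($cert.NotAfter)"

    # Subject Alternative Name extension (OID 2.5.29.17) as formatted by Windows.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '(none)' }
    "SAN      : $sanText"
    $nameOk = $sanText -match [regex]::Escape($HostName)
    "Name     : " + $(if ($nameOk) { "OK ($HostName listed in SAN)" } else { "MISMATCH ($HostName not in SAN)" })

    # Build the chain from the served certificate (revocation skipped for an offline check).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    if ($chainOk) { "Chain    : OK ($($chain.ChainElements.Count) certificates)" }
    else { 'Chain    : FAILED - ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ') }

    # On a FIPS-hardened host the acceptable outcome is TLS 1.2 with an AES cipher.
    $cipherOk = "$($ssl.CipherAlgorithm)" -in @('Aes128', 'Aes256')
    if ("$($ssl.SslProtocol)" -eq 'Tls12' -and $cipherOk -and $nameOk -and $chainOk) { 'RESULT   : PASS' }
    else { 'RESULT   : FAIL'; exit 1 }
}
finally { $ssl.Dispose(); $tcp.Close() }
```

A chain failure here with a passing openssl s_client check usually means the intermediate was not concatenated into cert.pem as described in step 7.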