Documentation for Web Help Desk

Enable FIPS and set up a CA-signed certificate for a new deployment

The information on this page applies only to WHD 2026.2. For guidance related to other versions, see Web Help Desk Previous Version Documentation.

Platform: Windows Server 2019 or 2022

Enable FIPS for a new deployment

Instructions differ between the two deployment types. This instruction set is specific to a new deployment; be sure to follow the instructions for your deployment type. Before enabling FIPS, see FIPS 140-2 compliant cryptography: Before you begin.

See also Instructions specific to an existing deployment.

If you are upgrading, back up your aesconf folder and your cacerts.bcfks file before you begin. Both are located in the following directory:

WebHelpDeskHomeDir/conf

  1. Complete the following steps to enable Windows FIPS mode and harden Schannel. This enables Windows FIPS mode and restricts the OS to FIPS-approved protocols and ciphers only.

    1. Stop all services.

    2. Open Notepad and copy the commands below into a text file.

      @echo off
      rem Enable Windows FIPS mode
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy" /v Enabled /t REG_DWORD /d 1 /f

      rem Disable legacy protocols for both the Server and Client roles
      for %%P in ("SSL 2.0" "SSL 3.0" "TLS 1.0" "TLS 1.1") do (
          for %%R in (Server Client) do (
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v Enabled /t REG_DWORD /d 0 /f
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v DisabledByDefault /t REG_DWORD /d 1 /f
          )
          echo [OK] Disabled %%~P
      )

      rem Enable TLS 1.2 and TLS 1.3 for both roles
      for %%P in ("TLS 1.2" "TLS 1.3") do (
          for %%R in (Server Client) do (
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v Enabled /t REG_DWORD /d 1 /f
              reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\%%~P\%%R" /v DisabledByDefault /t REG_DWORD /d 0 /f
          )
          echo [OK] Enabled %%~P
      )

      rem Restrict the Schannel cipher suite order to FIPS-approved AES-GCM suites
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002" /v Functions /t REG_SZ /d "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" /f
      echo [OK] FIPS cipher suite order configured

      @pause

      
    3. Save the file as fips.bat into the WebHelpDesk home directory.

    4. Execute the fips.bat file.

  2. Execute the following tasks to create a Bouncy Castle FIPS KeyStore (BCFKS) file:

    1. Open the command prompt as an administrator.

    2. Change to the installation directory and set the variables used by the next command:

      cd /d "C:\Program Files\WebHelpDesk"
      set "WHD_HOME=C:\Program Files\WebHelpDesk"
      set "JAVA=%WHD_HOME%\bin\jre\bin"
      set "BC_JAR=%WHD_HOME%\bin\lib\bc-fips.jar"
      set "PASS=changeit"

    3. Create the AES Key keystore file:

      "%JAVA%\keytool" -genseckey -alias AES_KEY -keyalg AES -keysize 256 -storetype BCFKS -keystore "%WHD_HOME%\conf\cacerts.BCFKS" -storepass %PASS% -keypass %PASS% -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath "%BC_JAR%"

  3. Set WHD_FIPS_ENABLED to true in the conf\whd.env file:

    1. Open the following file in a text editor:

      C:\Program Files\WebHelpDesk\conf\whd.env

    2. Locate the WHD_FIPS_ENABLED setting, and change it to WHD_FIPS_ENABLED=true.

  4. Switch to the FIPS service wrapper:

    copy /Y "C:\Program Files\WebHelpDesk\service\whd-backend-fips.xml.template" "C:\Program Files\WebHelpDesk\service\whd-backend.xml"

  5. Follow instructions to Set up a CA-signed certificate.

  6. Restart all services.

  7. To verify that FIPS is active, open the WHD admin UI and click Setup > General > Authentication. The FIPS Compliant Cryptography row should have a green dot followed by Enabled.
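The admin UI indicator above tells you that the application side is in FIPS mode; the following is an added example (not part of the SolarWinds documentation) that reads back the registry values fips.bat writes and reports any that differ from the hardened state. Run it from an elevated PowerShell prompt after fips.bat has completed.

```powershell
# Added example, not part of the SolarWinds documentation: compares the current registry
# state with the values fips.bat is expected to have written.

function Test-RegValue {
    # Emits a message only when the value is missing or differs from $Expected.
    param([string]$Path, [string]$Name, $Expected)
    if (-not (Test-Path $Path)) { "$Path is missing"; return }
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $actual) { "$Path\$Name is not set"; return }
    if ("$actual" -ne "$Expected") { "$Path\$Name = $actual (expected $Expected)" }
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$policy   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

$failures = @(& {
    # Windows FIPS mode itself
    Test-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled' 1

    # Legacy protocols disabled and TLS 1.2/1.3 enabled, for both the Server and Client roles
    foreach ($role in 'Server', 'Client') {
        foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
            Test-RegValue "$schannel\$proto\$role" 'Enabled' 0
            Test-RegValue "$schannel\$proto\$role" 'DisabledByDefault' 1
        }
        foreach ($proto in 'TLS 1.2', 'TLS 1.3') {
            Test-RegValue "$schannel\$proto\$role" 'Enabled' 1
            Test-RegValue "$schannel\$proto\$role" 'DisabledByDefault' 0
        }
    }

    # Cipher suite order: every suite in the list must be an AES-GCM suite, as fips.bat configures
    $functions = (Get-ItemProperty -Path $policy -Name Functions -ErrorAction SilentlyContinue).Functions
    if (-not $functions) {
        'Cipher suite order (Functions) is not configured'
    } else {
        foreach ($suite in ($functions -split ',')) {
            if ($suite.Trim() -notmatch '_AES_(128|256)_GCM_') { "Unexpected cipher suite in order: $suite" }
        }
    }
})

if ($failures.Count -eq 0) {
    'OK: registry matches the fips.bat hardening'
} else {
    $failures | ForEach-Object { "FAIL: $_" }
}
```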

Set up a CA-signed certificate

A CA-signed certificate is not required for a test server. Caddy's tls internal auto-generates a locally-trusted certificate with FIPS-approved ciphers.

  1. Download OpenSSL to complete these instructions.

  2. Generate a private key:

    1. Open the command prompt as an administrator.

    2. Run the following commands:

      cd /d "C:\Program Files\WebHelpDesk\conf"  
      
      openssl genrsa -out key.pem 2048
  3. Create an OpenSSL config for the CSR:

    1. Create the file C:\Program Files\WebHelpDesk\conf\csr.cnf using Notepad:

      notepad "C:\Program Files\WebHelpDesk\conf\csr.cnf"

    2. Paste the following content into the csr.cnf file you created, and then edit the values in the [dn] and [alt_names] sections to match your environment:

      [req] 
      default_bits       = 2048 
      prompt             = no 
      default_md         = sha256 
      distinguished_name = dn 
      req_extensions     = v3_req 
       
      [dn] 
      C  = US 
      ST = Texas 
      L  = Austin 
      O  = Your Organization 
      OU = IT Department 
      CN = helpdesk.yourcompany.com 
       
      [v3_req] 
      subjectAltName     = @alt_names 
      keyUsage           = digitalSignature, keyEncipherment 
      extendedKeyUsage   = serverAuth 
       
      [alt_names] 
      DNS.1 = helpdesk.yourcompany.com 
      DNS.2 = helpdesk 
      IP.1  = 10.0.0.50
      
    3. Save the updated file.

  4. Generate the CSR:

    openssl req -new -key key.pem -out whd.csr -config csr.cnf

  5. Verify the CSR:

    1. Run the following command:

      openssl req -text -noout -in whd.csr

    2. Confirm the following:

      • The Subject matches your organization.
      • The Subject Alternative Names list all hostnames or IP addresses.
      • The Signature Algorithm is sha256WithRSAEncryption (or ecdsa-with-SHA256).
  6. Send whd.csr to your Certificate Authority. You will receive:
    • A Certificate (cert.pem or whd.crt)
    • A CA chain or intermediate certificates (ca-chain.pem)
  7. Create the Full Certificate Chain:
    1. Combine the certificate and the CA chain into one file:

      cd /d "C:\Program Files\WebHelpDesk\conf" 
      type cert.pem ca-chain.pem > fullchain.pem
      
    2. Rename the file to cert.pem:

      del cert.pem 
      rename fullchain.pem cert.pem
      
  8. Place the files in the required locations: 
    1. Place the private key you generated earlier (key.pem) in the following location:

      C:\Program Files\WebHelpDesk\conf\key.pem

    2. Place the full certificate chain you created in the previous step (cert.pem) in the following location:

      C:\Program Files\WebHelpDesk\conf\cert.pem

    3. Verify that both files are present:

      dir "C:\Program Files\WebHelpDesk\conf\key.pem" "C:\Program Files\WebHelpDesk\conf\cert.pem"

  9. Verify that the key and certificate match:
    1. Run the following commands:

      openssl x509 -noout -modulus -in cert.pem | openssl md5 
      openssl rsa  -noout -modulus -in key.pem  | openssl md5
      
    2. Verify that both commands output the same hash value.

  10. Update the conf\whd.env file:
    1. Open the conf\whd.env file in Notepad:

      notepad "C:\Program Files\WebHelpDesk\conf\whd.env"

    2. Set the following values:

      WHD_TLS_CERT=C:\Program Files\WebHelpDesk\conf\cert.pem
      WHD_TLS_KEY=C:\Program Files\WebHelpDesk\conf\key.pem

  11. Restart the application services.

  12. Verify the results:

    openssl s_client -connect localhost:8443 -showcerts
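The modulus comparison in the step above only works for RSA keys, and the s_client output does not tell you whether the chain in cert.pem was assembled in the right order. The following added example (not part of the SolarWinds documentation) checks both: it compares the public keys, which also covers ECDSA keys, and verifies that each certificate in cert.pem is issued by the one that follows it. It assumes openssl.exe is on PATH and the files are in the default conf directory.

```powershell
# Added example, not part of the SolarWinds documentation: validates the cert.pem/key.pem pair.
$conf = 'C:\Program Files\WebHelpDesk\conf'
$cert = Join-Path $conf 'cert.pem'
$key  = Join-Path $conf 'key.pem'

# 1. The public key derived from key.pem must equal the public key in the leaf certificate.
#    (openssl x509 reads only the first certificate of a multi-certificate PEM file.)
$pubFromCert = (& openssl x509 -noout -pubkey -in $cert) -join "`n"
$pubFromKey  = (& openssl pkey -pubout -in $key) -join "`n"
if ($pubFromCert -eq $pubFromKey) { 'OK: key.pem matches the leaf certificate in cert.pem' }
else { 'FAIL: key.pem does not match the leaf certificate in cert.pem' }

# 2. Split cert.pem into its PEM blocks and confirm each certificate is issued by the next one.
$pemBlock = '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----'
$blocks   = @([regex]::Matches((Get-Content -Path $cert -Raw), $pemBlock) | ForEach-Object { $_.Value })
if ($blocks.Count -lt 2) { 'WARN: cert.pem holds a single certificate; the CA chain may not have been appended' }

$tmp  = [System.IO.Path]::GetTempFileName()
$info = @(foreach ($block in $blocks) {
    Set-Content -Path $tmp -Value $block -Encoding Ascii
    [pscustomobject]@{
        Subject = ((& openssl x509 -noout -subject -in $tmp) -join '') -replace '^subject=\s*', ''
        Issuer  = ((& openssl x509 -noout -issuer  -in $tmp) -join '') -replace '^issuer=\s*', ''
    }
})
Remove-Item -Path $tmp

for ($i = 0; $i -lt $info.Count - 1; $i++) {
    if ($info[$i].Issuer -eq $info[$i + 1].Subject) {
        "OK: certificate $($i + 1) is issued by certificate $($i + 2)"
    } else {
        "FAIL: certificate $($i + 1) has issuer '$($info[$i].Issuer)' but certificate $($i + 2) is '$($info[$i + 1].Subject)'"
    }
}
```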