This article applies to PRTG Network Monitor 19 or later

I want to avoid the web browser security warning that is shown when using the PRTG default SSL certificate and a secure https connection. How can I get, install, and use such a certificate with PRTG?

General information: Trusted SSL certificates and PRTG

Out-of-the-box PRTG Network Monitor comes with a default SSL certificate for its web server. This way all communication between your browser and PRTG is encrypted using SSL and you can securely use the web interface through HTTPS.

Certificate warnings

This certificate does not match the DNS name (or IP address) of your PRTG installation, so web browsers will always show a warning message ("the certificate is not correct") when you connect to the PRTG web interface.

The role of SSL certificates

SSL certificates play two roles here: First they are used to encrypt the data (so nobody can get sensitive data like passwords from your PRTG installation). The second role of SSL certificates is to ensure that you are actually connected to the right server (to avoid man-in-the-middle attacks, for example). The encryption of traffic already works after initially installing PRTG.

Install certificate files

To avoid the browser warnings, install a trusted certificate for the PRTG webserver (in PEM format). The PRTG web server implements OpenSSL and expects certificate files in the same format that is used for Apache web servers, too.

PRTG needs the following files, correctly named, containing data in the expected encoding and format:

  • prtg.crt: The certificate of your server
  • root.pem: The root certificate of the certificate issuer
  • prtg.key: The private key of your server *

This makes the manual import of an issued certificate a bit complicated sometimes because there might be various certificate files that you get from a certificate authority (CA) and the private key is usually encrypted. So we provide the freeware tool PRTG Certificate Importer that makes the installation of a trusted certificate for your PRTG server much easier.

Note: Usually your certificate provider sends you the key in encrypted format. The PRTG Certificate Importer decrypts it automatically with the according passphrase. If you want to import a certificate manually, use the key password in combination with external tools (for example, OpenSSL) to create a decrypted key file. PRTG will not accept an encrypted key file! You can check if the key matches your certificate here.

PRTG Certificate Importer

Please use the PRTG Certificate Importer to install a trusted certificate for PRTG!

To ease the installation of a trusted certificate, we provide the free PRTG Certificate Importer. It automatically combines and converts all files issued by a certificate authority (CA) for the use with PRTG and saves the certificate files into the correct path on your PRTG server. This makes importing a trusted SSL certificate rather comfortable!

For more information about this freeware tool and to do download it, see the freeware network tools page of the PRTG Certificate Importer.

General remarks

Important: We strongly recommend that you make backup copies of the default PRTG certificate files before you replace them. The PRTG Certificate Importer does this automatically by default.

In some cases, your certificate provider gives you certificates and key files in the correct PEM format already. However, you may receive a single file that contains several elements, for example, several certificates along with a private key that belongs to the certificates. Such a file might be called *.chain.pem or similar.

A certificate begins with-----BEGIN CERTIFICATE-----and end with-----END CERTIFICATE-----

A key begins with-----BEGIN PRIVATE KEY-----and end with-----END PRIVATE KEY-----

The PRTG Certificate Importer can usually handle such a combined file correctly, so please use this tool.

Manual certificate import

For a manual certificate import without using the PRTG Certificate Importer, you have to follow the steps below.

Note: We do not recommend that you manually import certificates. Please use the PRTG Certificate Importer.
  1. Open the file in a text editor and copy one certificate (take the first one, if there are several) into a new text file and safe it as prtg.crt.
  2. Copy the key into a new text file and safe it as prtg.key.
  3. Identify the root certificate of the issuer, which is most likely the last certificate listed before the key. It will look similar to the server certificate you copied above.
  4. Copy the root certificate into a new text file and safe it as root.pem. Alternatively, you can download the PEM-encoded root certificate from your issuer's website. This is a public file.
  5. Save the file as root.pem.
  6. Stop the PRTG core Windows service, copy the three files into the \cert folder of your PRTG program directory (copy the existing files to a save location), and restart the PRTG core Windows service.

What can I do if PRTG does not start after replacing the default certificate?

To get PRTG back to monitoring as soon as possible if something went wrong with the generation of your own certificates, copy the three default PRTG certificate files to the \cert folder of your PRTG program directory again. We always recommend that you back up the default certificate before changing anything.

Then open your PRTG Administration Tool on Core Server System and start the core server again.

If you did not back up the default certificates and they are no longer available, delete the \cert folder and install PRTG over the existing installation.

Different naming for former PRTG versions

Note: For PRTG versions 7, 8, and 9, file names are different from the ones shown above! If you want to use your own SSL certificate files with these former PRTG versions, please name them prtg7.crt, root.pem, and prtg7.key.


There are several options to get the required certificate files. Please see the other answers in this thread for more information.


What should I do if I receive the error "Certificate cannot be used for server authentication"?

In some cases, you may receive the error "Certificate cannot be used for server authentication" when importing your own self-made certificate using the Certificate Importer. Make sure that you have set the attribute extendedKeyUsage = serverAuth. Otherwise, you cannot use this certificate for SSL.


Important: You have to adopt your own settings, Subject Alternative Names (SAN), and other attributes when creating your own certificates. Please note that we cannot provide support in this case. We recommend that you obtain certificates using one of the methods in this thread.


  • Using a free trial SSL certificate (InstantSSL)

The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings, you must install a trusted certificate. This article explains how you can do this by getting a certificate from Comodo InstantSSL. Apart from fee-based certificates they also offer free 30-day-certificates that work well for PRTG.

Step 1: Download PRTG Certificate Importer

The PRTG Certificate Importer automatically combines and converts all files issued by a certificate authority (CA) for the use with PRTG and saves the certificate files into the correct path on your PRTG server. Find more information about this freeware tool and download it here.

Step 2: Install OpenSSL

  • Download Win32 OpenSSL here and install it. By default, the OpenSSL files are installed into the folder C:\Program Files (x86)\OpenSSL-Win32\.
  • If you see this error upon installation, you also need to download and install Visual C++ 2008 Redistributables:

"The Win32 OpenSSL Installation Project setup has detected that the following critical component is missing: Microsoft Visual C++ 2008 Redistributables. Win32 OpenSSL will not function properly without this component. It is recommended that you install the missing component before clicking OK to continue."Download the files here.

Step 3: Create your CSR (certificate signing request)

  • Open a command prompt and go to to the C:\Program Files (x86)\OpenSSL-Win32\bin folder where the openssl.exe is located (“cd C:\Program Files (x86)\OpenSSL-Win32\bin”).
  • Enter the following command:
openssl req -nodes -newkey rsa:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg
  • Answer the questions that appear in the command prompt.
  • The “Common Name” question is the most important: Here you must enter the domain name or IP address that you want to securely use with the web server of PRTG. Finally, your screen should look like this:
C:\Program Files (x86)\OpenSSL-Win32\bin>openssl req -nodes -newkey rsa:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg Loading 'screen' into random state - done Generating a RSA private key ..................++++++ .......................................++++++ writing new private key to 'prtg.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank. For some fields, there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:Bavaria Locality Name (eg, city) []:Nuremberg Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paessler AG Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:prtg.paessler.com Email Address []:info@paessler.com 
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:. 
C:\Program Files (x86)\OpenSSL-Win32\bin>
  • Note: For more information see the Comodo website: https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=3
  • More information from Comodo's website:
    When generating your CSR please also be sure to enter your details as follows:
    Country Name: US
    State or Province Name: NJ
    Locality Name: Jersey City
    Organization Name: Comodo
    Common Name: www.domain.com
  • You will now find two new files in the C:\Program Files (x86)\OpenSSL-Win32\bin folder:
    • prtg.key: Contains a private key. Do not disclose this file to anyone!
    • prtg.csr: This is your certificate request file that must be sent to the certification company.

Step 4: Request your certificate from instantssl.com

  • Go to the InstantSSL website and choose InstantSSL Trial Certificate (which will give you a free certificate that will be working for 30 days) or choose one of the paid-for options.
  • At the time of writing this article, the URL for the trial option was: https://www.instantssl.com/products/ssl-trial-ssl-certificate-tls. Click “Order Now”
  • Open the prtg.csr file that you created before in a text editor and copy and paste the full contents into the instantssl website (copy everything in the file including "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----").
  • For Select the server software used to generate the CSR select OTHER and finally click Agree at the bottom of the page.
  • Depending on the type of certificate, some sort of validation process is now performed by Comodo (for example, you will receive emails with requests from them).

Step 5: Preparing the certificate files for PRTG

  • As soon as the validation is checked by Comodo, they will provide you with a ZIP file that contains one file with the name of your PRTG domain as well as a few other .crt files. In our sample the files were:
    • prtg_paessler_com.crt (This is the server certificate)
    • AddTrustExternalCARoot.crt
    • ComodoUTNSGCCA.crt
    • EssentialSSLCA_2.crt
    • UTNAddTrustSGCCA.crt
  • Save the certificate files into one directory, together with the private key that you obtained before.

If not done yet, download the PRTG Certificate Importer to import these files correctly for PRTG. Only if you do not use the PRTG Certificate Importer, you have to do the following.

  • Rename the first file (the server certificate file) to prtg.crt
  • Open all other files in a text editor, combine the contents of all files into one file, and save it as root.pem (simply copy them into one file, the order is not relevant).

We do not recommend to import certificates manually!

Step 6: Copy the files into the /cert folder of your PRTG installation

Use the PRTG Certificate Importer for this step! Open the PRTG Certificate Importer and follow the steps there.

  1. Provide the path to the downloaded certificate files and to the private key.
  2. Finish if the validation was successful and switch PRTG to a secure HTTPS server in the PRTG Administration Tool section Web Server.
  3. Now you can access your PRTG web interface using HTTPS.

Only if you manually import the InstantSSL certificate:

We do not recommend to manually import certificates! Please use the PRTG Certificate Importer.
  • Copy the following files into the /certfolder of your PRTG Network Monitor installation (make a copy of the existing demo certificates for backup purposes):
    • prtg.crt (the certificate of your server)
    • root.pem (the root certificates of the issuer)
    • prtg.key (private key of your server)
  • Open the PRTG Administration Tool on Core Server System. On the Web Server tab, select Secure HTTPS Server.
  • Now restart the PRTG Network Monitor core server service and access the website using HTTPS.
  • We always recommend that you back up your certificate files!


  • Using a certificate from a Microsoft CA server

The encryption of traffic already works after initially installing PRTG. To avoid the browser warnings, you must install a trusted certificate. The following article outlines how to install a custom certificate from a Microsoft CA server in order to work with PRTG. For these purposes, a valid certificate needs to be generated and the respective functionality needs to be activated for PRTG. This process is described below.

Install root certificate

Install your Microsoft CA Root certificate on all machines that will access the PRTG web interface URL. You can do so via GPO (Group Policy object). For details, refer to Microsoft Documentation:

Create a certificate signing request (CSR)

Use Open SSL to create a CSR. For details, see the article about InstantSSL.

Create a certificate chain

  1. Go to your Microsoft CA server's web interface using Internet Explorer.
  2. On the Welcome page, select the task Request a Certificate.
  3. On the Request a Certificate page, click advanced certificate request.
  4. You are now on the Submit a Certificate Request or Renewal Requestpage:
    1. Open the CSR you generated before, copy the content, and paste it into the Saved Request field.
    2. In the section Certificate Template, choose Web Server.
    3. Click Submit.

      Submitting CSR
    4. Step 4: Submit Your Certificate Signing Request
  5. On the Certificate Issued page, choose Base 64 encoded and click Download certificate chain.

You can use the resulting certificate chain file (for example, *.p7b) with the PRTG Certificate Importer to install the trusted certificate on your PRTG server.

Import the certificate

Use the PRTG Certificate Importer to import the certificate for PRTG.

Now you can access the PRTG web interface using HTTPS.



  • Quick and easy: Using an existing (wildcard) certificate

If you already have a certificate that is certified for the (sub-) domain you are accessing the PRTG web interface from, you can use it with PRTG.

This is what you need

  • Certificate of your server (for example, xyz.example.com)
  • Root certificate(s) of the issuer (if there is more than one, copy all of them into one root certificate text file, using a text editor. The order does not matter, just copy them together.)
  • Private key of your server

Either the issuer of your certificate has sent you a private key file, or it is provided on the issuer's webpage. Please refer to the issuer's FAQ regarding the private key.

The server certificate and the root certificate(s) are usually downloaded from the supplier's webpage directly.

Import the certificate

Use the PRTG Certificate Importer to install the wildcard certificate on your PRTG server.

Now you can access the PRTG web interface using HTTPS.

Only for a manual certificate import

You have to go through the following steps only if you do not use the PRTG Certificate Importer.

Note: We do not recommend that you manually import certificates. Please use the PRTG Certificate Importer.

Converting and encrypting

Open your certificate files in a text editor and have a look at them.

Make sure your certificates and key files are PEM-encoded. Have a look at the PRTG original cert files to get an idea of how PEM-encoded files have to look. If necessary, use SSL converter tools like https://www.sslshopper.com/ssl-converter.html.

The private key has to be decrypted! If the private key is encrypted (this will be indicated accordingly in the file), please use the private key file in combination with the password your issuer has sent along to generate another private key file that is not encrypted:

  1. Download openssl.
  2. In the command line, run:openssl rsa -in [encrypted-key].key -out prtg.key
  3. At the Enter PEM pass phrase prompt, enter the password for the key

Copy and rename the files

Once you have collected or created the files, copy them to the /cert subfolder of your PRTG program directory. We always recommend that you back up the existing files in this folder for later recovery. If necessary, rename your new files as follows:

  • prtg.crt (the certificate of your server)
  • root.pem (the root certificate of the issuer)
  • prtg.key (private key of your server, decrypted)

Final settings for PRTG


  • Set up your own certification authority

If you access your PRTG server from within your own domain only, you can create your own free trusted certificate, by setting up your own Certification Authority (CA).

This CA can handout certificates that will be trusted within your own network. You have to make sure that your users can contact and trust the CA.

See this Microsoft article on how to install your own CA http://technet.microsoft.com/en-us/library/cc756120(WS.10).aspx


  • Certificates for PRTG (Apache) from PFX file

Use the PRTG Certificate Importer to install certificates from PFX files on your PRTG server.

  • Download and run the PRTG Certificate Importer.
  • Provide the path to your certificate files. You need the PFX file (cert.pfx) and the intermediate CA bundle for Apache server (renamed to root.pem, for example). Note: An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs), and ends with the SSL certificate issued to you. Such certificates are called chained root certificates. The Root and intermediate CA certificates are contained within the 'ca-bundle' file.
  • After the PRTG Certificate Importer has installed the certificate on your server, open the System Administration—User Interface and switch to Secure HTTPS server in the Web Server section.

Now you can access the PRTG web interface using HTTPS.

Only if you manually import certificates from a PFX file:

Note: We do not recommend that you manually import certificates. Use the PRTG Certificate Importer.
  • You need to have Openssl software.
  • Copy PFX file (cert.pfx) into your OpenSSL/Bin directory.
  • Open OpenSSL in the command line.
  • Type in the following command to transform your PFX file into a PEM file:openssl pkcs12 -nodes -in cert.pfx -out keys.pem
  • Go to your OpenSSL/Bin directory and locate the keys.pem file and open it in a text editor.
  • Locate the Private Key, which includes and is defined by the text '-----BEGIN RSA PRIVATE KEY----- .... certificate contents .... -----END RSA PRIVATE KEY----- and copy the Private Key.
  • Open a new text editor, paste the Private Key into the text editor, and save as prtg.key.
  • Locate the SSL certificate, which includes -----BEGIN CERTIFICATE----- .... certificate contents .... -----END CERTIFICATE----- and copy the SSL certificate.
  • Open a new text editor, paste the SSL certificate into the text editor, and save as prtg.crt.
  • Download Intermediate CA bundle for Apache server. Save as root.pem. Note: An intermediate certificate is a subordinate certificate issued by a trusted root specifically to issue end-entity certificates. The result is a certificate chain that begins at the trusted root CA, through the intermediate CA (or CAs) and ending with the SSL certificate issued to you. Such certificates are called chained root certificates. The root and Intermediate CA certificates are contained within the 'ca-bundle' file.
  • Copy these three files to the \cert subfolder in the PRTG program directory.
  • Restart the PRTG core server service.


  • Using a GoDaddy SSL certificate with PRTG


SSL certificates are used to encrypt data so that unauthorized persons cannot access sensitive data like passwords from your PRTG installation. Furthermore, SSL certificates ensure that you are connected to the correct server. The encryption of traffic already works after initially installing PRTG.

PRTG Network Monitor contains a default SSL certificate for its web server. This way all communication between your browser and PRTG is encrypted using SSL and you can securely use the web interface through HTTPS.

However, this certificate does not match the DNS name (or IP address) of your PRTG installation and, thus, web browsers will always show a warning message when they connect to PRTG's web server.

In order to avoid browser warnings, you can install a trusted certificate for the PRTG web server. A well-known issuer for SSL certificates is GoDaddy. This article will show you prerequisites, how to generate a Certificate Signing Request (CSR) for your PRTG server, how to get a certificate from GoDaddy, and how you prepare the collected files for the use in PRTG.

Prerequisites: Install Open SSL

You need a tool to create a Certificate Signing Request (CSR) and a corresponding private key. In this article we will show how to generate these files with OpenSSL.

  • If not done yet, install the Microsoft Visual C++ 2008 Redistributable Package. You will need it in order to avoid an error message when trying to run OpenSSL. You can download it here. Please follow the instructions there.
  • Download and install Win64 OpenSSL Light (or the Win32 version, according to your Windows version). You can get it here. Open the downloaded executable and follow the installation instructions. By default, all OpenSSL files will be installed into the C:\Openssl-Win64 folder (or C:\OpenSSL, according to the chosen version).

Step 1: Download PRTG Certificate Importer

The PRTG Certificate Importer combines and converts all files issued by a certificate authority (CA) automatically for the use with PRTG and saves the certificate files into the correct path on your PRTG server. Find more information about this freeware tool and download it here.

Step 2: Create your Certificate Signing Request

  1. Open a command prompt and navigate to the \bin folder of your OpenSSL directory as created before. For example:cd c:\openssl-win64\bin
  2. Enter the following command:openssl req -new -nodes -newkey RSA:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg
  3. Answer the prompted questions.
  4. Most important: Provide the correct Common Name. This has to be the DNS name or IP address that you want to securely use with the webserver of PRTG.
  5. Leave the challenge password blank, i.e., enter a dot (.). You can do the same with email address and optional company name.
  6. Finally, the command prompt will look like this, depending on your given information:
c:\OpenSSL-Win64\bin>openssl req -new -nodes -newkey RSA:2048 -keyout prtg.key -out prtg.csr -config openssl.cfg Loading 'screen' into random state - done Generating a 2048 bit RSA private key ............................................+++ ..............+++ writing new private key to 'prtg.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:Bavaria Locality Name (eg, city) []:Nuremberg Organization Name (eg, company) [Internet Widgits Pty Ltd]:Paessler AG Organizational Unit Name (eg, section) []:IT Common Name (e.g. server FQDN or YOUR name) []:example.com Email Address []:info@paessler.com 
Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:. An optional company name []:. 
c:\OpenSSL-Win64\bin>

Step 3: Purchase and Request SSL Certificate

  1. Go to the webpage of GoDaddy and navigate to Products | SSL & Security | SSL Certificates.
  2. Purchase the most suitable SSL certificate. Standard SSL with Single Domain should be fine. A Wildcard certificate would protect your URL and an unlimited number of its subdomains. See this page for more information. You can find more instructions about the process of purchasing at GoDaddy’s.
  3. Activate the SSL credit after purchasing. You can find detailed instructions here. We will summarize and apply the steps to PRTG specific issues in the following.
  4. Log in to your GoDaddy account, “Visit My Account”, and go to the Products tab.
  5. Click on SSL Certificates and on Set Up for the respective credit. It will be activated afterwards.
  6. Click on Launch for this SSL and open Credits on the left.
  7. Click on Request Certificate.
  8. Select the appropriate hosting type, that is for PRTG Third Party or Dedicated Server or Virtual Private Server (VPS) without Simple Control Panel.
  9. Open prtg.csr you created before with a text editor and copy the whole CSR text, including -----BEGIN CERTIFICATE REQUEST-----and -----END CERTIFICATE REQUEST-----
  10. Paste the CSR into the field which is provided in GoDaddy’s web interface now.
  11. Finish the request providing further necessary information (three times Next). Then the verifying process of your application takes place which will take some time. GoDaddy Products
    • GoDaddy's Products Tab with SSL Certificates

Step 4: Preparing the Certificate Files for PRTG

After the validation has finished, you can find your SSL certificate in your GoDaddy account manager.

Apache

Choose "Apache" as Server Type

  1. Open SSL Certificates and click on Launch for the created certificate. You will see a page with contents and details of the certificate.
  2. Download the ZIP file containing all necessary files by clicking the corresponding button in the header bar.
  3. Select the server type. For PRTG choose Apache. Click on Download and save the ZIP file on your system. It will contain both the certificate you requested and additional certificates.
  4. Extract the files to some temporary folder.
  5. Download and run the PRTG Certificate Importer. This tool will automatically combine and convert all certificate files correctly for PRTG. Go on with Step 5.

Only if you do not use the PRTG Certificate Importer, you have to rename the files:

  • The file with the common name, i.e., the server FQDN: prtg.crt
  • The other file (e.g., “gd_bundle”): root.pem
    Note: If there are more files than this other file, combine their contents with a text editor to one single file and save it as root.pem

We do not recommend that you manually import certificates!

Step 5: Copy the Created Files into the PRTG Program Directory

Use the PRTG Certificate Importer for this step.

Now you can access your PRTG web interface using HTTPS.

Only if you manually import the GoDaddy certificate:

Note: We do not recommend that you manually import certificates. Please use the PRTG Certificate Importer.

Copy the files you have created into the /cert subfolder of your PRTG installation. Important notice: Make a copy of the existing PRTG cert files for backup purposes!

The files you have to copy are:

  • prtg.key: your private key, located in the \bin subfolder of OpenSSL
  • prtg.crt: the certificate of your server
  • root.pem: the root certificate(s) of your issuer

Make a backup copy of these files as well before using them in PRTG.

Step 6: Apply Certificates to PRTG

  • Ensure the PRTG web server SSL. You can check this in the PRTG Administration Tool, tab Web Server. Select Secure HTTPS server (Port 443) or Expert configuration: Use SSL encryption to use a secure web server with SSL encryption.
  • Restart the PRTG core service and access your PRTG web server using HTTPS.

Troubleshooting

If you cannot start PRTG anymore with the new certificate, please try to load the certificate with OpenSSL. Please see this page for a list of available OpenSSL commands.

If this test works and you did not use the PRTG Certificate Importer but imported the certificate manually, ensure that you created and copied all necessary into the right folder. Also make sure that your private key is decrypted. You can check this by opening the key file in an editor. If it is not decrypted, there will be a line stating that the key is encrypted.

You can also revert to your backed up certificate files.




  • Using a DigiCert SSL certificate with PRTG

Please download a PDF with detailed instructions here:

Many thanks to Marcus Sjögren, SeaIT Systems Int AB, a PRTG user who wrote this great how-to and kindly shares it with us!

Note: Please use the PRTG Certificate Importer to install trusted SSL certificates for PRTG.



More




Disclaimer:
The information in the Paessler Knowledge Base comes without warranty of any kind. Use at your own risk. Before applying any instructions please exercise proper system administrator housekeeping. You must make sure that a proper backup of all your data is available.