Altova FlowForce Server 2024 Advanced Edition

This demo shows you how to create self-signed SSL certificates for FlowForce Server running on a private network. Note that this demo is intentionally simplified and not suitable for use in production. Your organization will likely have specific security policies concerning SSL certificates and could use SSL tools other than the ones described below. For information about obtaining SSL certificates signed by a trusted certificate authority, see Signing SSL Certificates with a Certificate Authority.

Prerequisites

This example makes use of the OpenSSL toolkit (https://www.openssl.org/) to generate self-signed certificates. Note that OpenSSL is an open source library, and may need to be compiled before you can use it at the command line. The compilation and installation instructions for OpenSSL vary for each operating system and are outside of the scope of this documentation. On a Linux and Mac machine, it is likely that OpenSSL is already available; otherwise, you can install it or update it from the command line. You can quickly check if OpenSSL present by typing the command below (it displays the current OpenSSL version):

On Windows, you can either compile binaries from the official OpenSSL source code, or, alternatively, download a binary distribution that includes OpenSSL. See also https://www.openssl.org/community/binaries.html.

Create the root certificate

1.Create a directory that will store all certificates used in this demo (for example, "C:\secure"). This will be the working directory for all subsequent OpenSSL commands (that is, any file paths are relative to it). Therefore, change to this directory from the command line:

2.For this demo, we will be issuing certificates with OpenSSL extensions. To make this possible, find the openssl.cnf file of your OpenSSL distribution and copy it to the working directory created in the previous step.

3.Create the root private key. Be aware that the root private key is the most sensible piece of your public key infrastructure, so it must always be generated and stored in a secure environment (in this demo, it is stored in "C:\secure").

When prompted, type a password to protect the root key. You will subsequently need this password to sign certificate requests.

4.Create the root certificate. The command below generates a self-signed certificate for the private key created above, with a validity of 3650 days. Notice that the -config parameter points to the openssl.cnf file in the same directory. The -extensions parameter refers to the "v3_ca" extension (section) defined in openssl.cnf.

When prompted, enter information about your organization, for example:

You can fill in the required fields as applicable to your organization. For the field Common Name, enter the name of your self-signed certificate authority ("Demo CA", in this example).

Create the FlowForce certificate

You can now create the actual certificate to be used for SSL encryption (by FlowForce Server, or FlowForce Web Server, or both). The following OpenSSL command creates the private key:

Next, open the working openssl.cnf file and add the following section to it:

Make sure to change the subjectAltName ("Subject Alternative Name") so that it corresponds to the FQDN (fully qualified domain name) of the machine where FlowForce Server runs. In this example, it is set to "server.my.domain.com". Specifying a subject alternative name is required by Google Chrome 58 or later; otherwise, your self-signed certificate will generate a NET::ERR_CERT_COMMON_NAME_INVALID error (see https://support.google.com/chrome/a/answer/7391219?hl=en).

Next, create a Certificate Signing Request (CSR), as shown below. Notice that the -config parameter points to the openssl.cnf file edited previously. The -extension parameter refers to the "server_cert" extension defined in openssl.cnf.

When prompted, enter information about your organization, for example:

For this demo, we will sign the FlowForce certificate directly with the root certificate. Note that, in a production environment, the root certificate does not normally sign server certificates directly; instead, intermediary certificates are used. The command below signs the flowforce.csr certificate request against the root certificate created previously and creates a flowforce.crt file (which is the server certificate required in FlowForce Server):

Summary

If you followed the steps above, you must have by now the following certificates and keys:

•root.key - This is your certificate authority's (CA) private key. Store this file in a secure place; if this key becomes compromised, then anyone can generate browser-trusted certificates on your behalf.

•root.pem - This is the public certificate of your certificate authority. You will need to install (import) this certificate into the trusted certificates store of each machine (or browser) that needs to access FlowForce securely, see Importing Root Certificates.

•flowforce.key - This private key accompanies your self-signed certificate used by FlowForce (see next item).

•flowforce.crt - This is a self-signed certificate to be used by FlowForce Server, FlowForce Web Server, or both.

You can now enable SSL for FlowForce Server, FlowForce Web Server, and for the HTTP connection between them, as shown below:

•Enabling SSL for FlowForce Web Server

•Enabling SSL for FlowForce Server

•Enabling SSL between FlowForce Web Server and FlowForce Server