Signing SSL Certificates with a Certificate Authority


Before you can purchase an SSL certificate from a trusted certificate authority (CA), you need a private key and a CSR (Certificate Signing Request). The CSR contains the server's public key and identity and is what you hand to the certificate authority during the ordering process; the private key never leaves your server, must be stored securely, and must not be disclosed to anyone.

 

You can create the private key and the CSR using a tool that may already exist on your operating system (such as Keychain Access on Mac or openssl on Linux), or using third-party tools. This example makes use of the OpenSSL toolkit (https://www.openssl.org/). Note that the OpenSSL project distributes source code, not pre-built binaries for a particular platform. The compilation and installation instructions for OpenSSL vary for each operating system and are outside the scope of this documentation. On a Linux or Mac machine, OpenSSL is most likely already available; otherwise, you can install or update it from the command line. You can quickly check whether OpenSSL is present by typing the command below (it displays the installed OpenSSL version):

 

openssl version

 

On Windows, you can either compile the binaries from the official OpenSSL source code or, alternatively, download a binary distribution that includes OpenSSL, such as Cygwin (https://cygwin.com/).

 

 

To obtain a signed SSL certificate:

1.Create the private key. The following OpenSSL command generates a 2048-bit RSA key called flowforce.key (2048 bits is the smallest RSA key size that public certification authorities normally accept). Because no encryption option is given, the key is written unencrypted, which is what FlowForce requires (see the note below):

 

openssl genrsa -out flowforce.key 2048

 

Note

The private key must be in PEM (Privacy Enhanced Mail) format. The file extension of PEM files is usually .pem, but it can also be .key, .cert, .cer, or .crt.
In order for the private key to be usable in FlowForce, it must not be password protected.
Because the key is stored unencrypted, protect it with file system permissions instead: only the account under which FlowForce Server runs should be able to read it, and the file must not be copied to other machines, shared, or checked into version control.

 

2.Create a Certificate Signing Request (CSR) for the private key generated earlier. You will need the CSR when you order your SSL certificate (see step 3). The following OpenSSL command creates a CSR called myserver.csr for the key flowforce.key:

 

openssl req -new -nodes -key flowforce.key -out myserver.csr

 

When prompted, enter information about your organization, for example:

 

Country Name (2 letter code) [AU]: AT

State or Province Name (full name) [Some-State]: .

Locality Name (eg, city) []: Vienna

Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd

Organizational Unit Name (eg, section) []: IT

Common Name (eg, YOUR name) []: server.my.domain.com

Email Address []: test@example.org

 

Note

Entering a single period (.) leaves a field empty, as shown for State or Province Name above.
For the field Common Name, make sure to enter the FQDN (fully qualified domain name) under which clients reach the host machine where FlowForce Server runs (for example, server.my.domain.com), not an IP address or a short host name. Modern browsers match the host name against the certificate's Subject Alternative Name (SAN) extension rather than the Common Name, so make sure the same FQDN (and any other names clients will use) ends up in the SAN as well; most certificate authorities let you specify the SAN entries in their order form, or you can add them to the CSR yourself with the OpenSSL option -addext "subjectAltName=DNS:server.my.domain.com" (OpenSSL 1.1.1 or later).
Leave the challenge password field empty when prompted; it is not needed for this procedure.

 

3.Order the certificate from a certificate authority. During the ordering process, you will need to supply the CSR. To do this, open myserver.csr in a text editor such as Notepad, copy its entire contents (including the BEGIN and END lines) to the clipboard, and then paste it into the online order form.
4.Once the certificate authority has validated your request (domain or organization validation, depending on the certificate type), it will provide you with the purchased certificate and the so-called "intermediate" certificates that link your certificate to the CA's root. Copy the contents of all the intermediate certificates into one file, as shown in Preparing Intermediary Certificates.
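The following script is an added example, not part of the Altova documentation or of FlowForce. It carries out steps 1 and 2 above non-interactively (the distinguished-name values and the FQDN server.my.domain.com are placeholders, and the CSR is driven by a temporary OpenSSL config file so that the host name also lands in the Subject Alternative Name extension), then runs the checks a practitioner wants before uploading the CSR and after the certificate arrives in step 4: that the CSR's self-signature verifies, that CN and SAN carry the FQDN, that the CSR and later the certificate actually belong to flowforce.key, and that the intermediate certificates concatenate into one valid bundle.

```shell
#!/bin/sh
# Added example (not Altova's own script). File names follow the page;
# the FQDN and the distinguished-name values are placeholders.
set -eu

KEY=${KEY:-flowforce.key}
CSR=${CSR:-myserver.csr}
FQDN=${FQDN:-server.my.domain.com}

# Step 1: 2048-bit RSA key, written without a passphrase (FlowForce cannot use
# an encrypted key), so the file is created readable by the owner only.
make_key() {
  ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Step 2: CSR from a config file instead of the interactive prompts.
# The host name goes into both CN and subjectAltName; browsers check the SAN.
# Arguments: key file, CSR file to write, FQDN.
make_csr() {
  key=$1; csr=$2; fqdn=$3
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
C = AT
L = Vienna
O = MyCompany Ltd
OU = IT
CN = $fqdn
[v3_req]
subjectAltName = DNS:$fqdn
EOF
  openssl req -new -key "$key" -out "$csr" -config "$cfg"
  rm -f "$cfg"
}

# Checks before ordering: CSR self-signature, CN, SAN, and key ownership.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }
csr_cn() {
  openssl req -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/^subject=CN=\([^,]*\).*/\1/p'
}
csr_san() {
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; gsub(/ /, ""); print }'
}
# SHA-256 over the PEM-encoded public key; $1 is "req" (CSR) or "x509" (cert).
pubkey_fingerprint() {
  openssl "$1" -in "$2" -noout -pubkey | openssl sha256 | awk '{ print $NF }'
}
key_fingerprint() {
  openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{ print $NF }'
}
csr_matches_key()  { [ "$(pubkey_fingerprint req "$1")"  = "$(key_fingerprint "$2")" ]; }
# Check after step 4: the certificate the CA returned must match our key.
cert_matches_key() { [ "$(pubkey_fingerprint x509 "$1")" = "$(key_fingerprint "$2")" ]; }

# Step 4: build intermediate.pem from the individual intermediate certificates,
# in the order the CA lists them (issuer of the server certificate first).
# Each file is re-encoded through openssl, which also rejects non-certificates.
build_intermediate_bundle() {
  out=$1; shift
  : >"$out"
  for f in "$@"; do
    openssl x509 -in "$f" >>"$out"
  done
}

# Usage: sh make_csr.sh run   (creates flowforce.key and myserver.csr here)
if [ "${1:-}" = "run" ]; then
  make_key "$KEY"
  make_csr "$KEY" "$CSR" "$FQDN"
  csr_verify "$CSR" && csr_matches_key "$CSR" "$KEY" &&
    echo "CSR ready: CN=$(csr_cn "$CSR") SAN=$(csr_san "$CSR")"
fi
```

After the CA has delivered certificate.crt, run cert_matches_key certificate.crt flowforce.key before touching the FlowForce configuration; a mismatch usually means the CSR was regenerated after ordering or the wrong key file was kept.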

 

Summary

If you followed the steps above, you should now have the following files:

 

flowforce.key - The private key that belongs to the certificate used by FlowForce.
certificate.crt (the file extension may vary) - Your purchased certificate. It authenticates the server and secures the connection between a browser and FlowForce Web Server, as well as the connection between a client application and a Web service exposed by FlowForce Server.
intermediate.pem - A file containing all the intermediate certificates that you received from the certificate authority.

 

You can now enable SSL for FlowForce Server, FlowForce Web Server, and for the HTTP connection between them, as shown below:

 

Enabling SSL for FlowForce Web Server
Enabling SSL for FlowForce Server
Enabling SSL between FlowForce Web Server and FlowForce Server

© 2019 Altova GmbH