Signing SSL Certificates with a Certificate Authority
Before you can purchase SSL certificates from a trusted certificate authority (CA), you need a private key and a CSR (Certificate Signing Request). The private key must be stored securely and not disclosed to anyone; the CSR will be required by the certificate authority during the ordering process.
You can create the private key and the CSR using a tool that may already exist on your operating system (such as Keychain Access on Mac, openssl on Linux), or third party tools. This example makes use of the OpenSSL toolkit (https://www.openssl.org/). Note that OpenSSL is an open source library, and may need to be compiled before you can use it at the command line. The compilation and installation instructions for OpenSSL vary for each operating system and are outside of the scope of this documentation. On a Linux and Mac machine, it is likely that OpenSSL is already available; otherwise, you can install it or update it from the command line. You can quickly check if OpenSSL present by typing the command below (it displays the current OpenSSL version):
On Windows, you can either compile binaries from the official OpenSSL source code, or, alternatively, download a binary distribution that includes OpenSSL. See also https://www.openssl.org/community/binaries.html.
To obtain a signed SSL certificate:
1.Create the private key. The following OpenSSL command generates a key called flowforce.key that is 2048-bit in size (the minimum encryption strength normally accepted by a certification authority):
openssl genrsa -out flowforce.key 2048
•The private key must be in PEM (Privacy Enhanced Mail) format. The file extension of PEM files is usually .pem but it can also be .key, .cert, .cer, or .crt.
•In order for the private key to be usable in FlowForce, it must not be password protected, see Private Key Requirements.
•The private key must be stored securely.
2.Create a Certificate Signing Request (CSR) for the private key generated earlier. You will need the CSR when you purchase your SSL certificate, see the next step. The following OpenSSL command creates a CSR called myserver.csr for the key flowforce.key:
openssl req -new -nodes -key flowforce.key -out myserver.csr
When prompted, enter information about your organization, for example:
Country Name (2 letter code) [AU]: AT
State or Province Name (full name) [Some-State]: .
Locality Name (eg, city) : Vienna
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) : IT
Common Name (eg, YOUR name) : server.my.domain.com
Email Address : firstname.lastname@example.org
•For the field Common Name, make sure to enter the FQDN (fully qualified domain name) of the host machine where FlowForce Server runs.
•Leave the challenge password field empty when prompted.
3.Order the certificate from a certificate authority. During the ordering process, you will need to supply the CSR. To do this, open myserver.csr in a text editor such as Notepad, copy its contents to clipboard, and then paste it into the online order form.
4.Once the certificate authority validates your company, they will provide to you the purchased certificate and the so-called "intermediary" certificates. Copy-paste the content of all the intermediary certificates into one file, as shown in Preparing Intermediary Certificates.
If you followed the steps above, you must have by now the following certificates and keys:
•flowforce.key - This private key accompanies the certificate used by FlowForce.
•certificate.crt (the file extension may vary) - This is your purchased certificate that encrypts the connection between a browser and FlowForce Web Server, or the connection between a client application that connects to a Web service exposed by FlowForce Server.
•intermediate.pem - This file includes all the intermediate certificates that you received from the certificate authority.
You can now enable SSL for FlowForce Server, FlowForce Web Server, and for the HTTP connection between them, as shown below: