Server Certificates
The Server Certificates view provides for the management of X509 certificates used for HTTPS connections. Three types of certificate resources may be managed:
- Certificate Signing Requests - A Certificate Signing Request (CSR) is a request for a new certificate which will be forwarded to a Certificate Authority (CA) for signing. The CSR contains the identity parameters for the new certificate.
- Server Certificates - Server Certificates are X509 certificates that have been signed by a trusted Certificate Authority. When a CSR is submitted to a CA, a signed certificate is returned and installed in LightWave Server. Server Certificates may be used to configure HTTPS Ports by specifying the certificate Common Name (CN) in the Port configuration.
- Intermediate Certificates - Intermediate Certificates are certificates that help establish the trust chain between a Server Certificate and the CA that signed it. Intermediate Certificates, if necessary, are supplied by the CA.
The process of requesting a new certificate and installing it in the server is as follows:
- Create a Certificate Signing Request
- Submit the CSR to a Certificate Authority for signing
- The CA will optionally verify the identity information in the CSR and generate a signed certificate.
- The CA will return the signed certificate with any necessary Intermediate Certificates
- The signed certificate and Intermediate Certificates are installed.
- The certificate may now be used to configure HTTPS ports.
A trusted HTTPS connection requires a Server Certificate signed by a recognized Certificate Authority. For testing purposes, LightWave Server provides for generation of self-signed certificates which are immediately valid for use as Server Certificates. You may also use free certificate signing services such as getaCert to test the certificate signing process. Although useful for testing, these certificates will result in certificate verification errors when used and should never be used for production service.
Create a Certificate Signing Request
Begin the CSR creation process by selecting the icon in the Certificate Signing Requests toolbar. Complete the dialog with identity values that are valid for your organization.
Common Name | Enter the fully qualified host name of your server, for example, www.example.com. |
Alternate Host Names | Enter a comma-separated list of alternate host names for your server. Note that your CA may not support this feature. |
Country Code | Select the country from the drop-down list. |
State or Province | Enter the state or province of your organization. Abbreviations should be avoided. |
City | Enter the locality name of your organization. |
Organization | Enter the name of your organization. This field is optional. |
Organizational | Enter the name of the unit within your organization. This field is optional. |
Select the self-signed certificate option if you wish to generate and install a self-signed certificate. When the Create button is selected, the new CSR or self-signed certificate is displayed. If a CSR was created, you may select and copy the CSR content from the display, or download the CSR as a file by selecting the icon. The CSR may now be forwarded to your Certificate Authority. Note that LightWave Server only supports PEM (base64 encoded) format certificates.
Install the Signed Certificate
To install the signed certificate returned by the CA, open the associated CSR and select the icon. Paste the entire content of the signed certificate into the PEM Format Certificate field and select Install. The certificate will be installed and displayed, and the CSR will be removed.
Install Intermediate Certificates
If your CA provides Intermediate Certificates, they may be installed by selecting the icon in the Intermediate Certificates toolbar. Paste the entire content of the Intermediate Certificate(s) into the PEM Format Certificate field and select Install. Multiple certificates may be installed at once. LightWave Server determines the application and correct order of the Intermediate Certificates, so the certificates may be installed in any order.
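The checks below are an added example, not part of the LightWave Server documentation. Run on a workstation with the openssl CLI (an assumption), they confirm before installation that the returned certificate carries the CSR's public key, that it chains to the CA root through the supplied intermediates, and which Common Name it holds. The root, intermediate, CSR and server files are constructed for the demonstration, and all file and function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run with the openssl CLI before pasting PEM data
# into the install dialogs. All file names and the demo PKI are constructed.

# 0 when CERT carries the same public key as CSR (the CA signed *this* request)
cert_matches_csr() {   # usage: cert_matches_csr CSR CERT
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Print the Common Name of CERT, the value used in the port specification
cert_common_name() {   # usage: cert_common_name CERT
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=\([^,]*\).*/\1/'
}

# 0 when CERT chains to ROOT through the PEM bundle INTERMEDIATES
chain_verifies() {     # usage: chain_verifies ROOT INTERMEDIATES CERT
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Build a constructed root, intermediate, CSR and server certificate in DIR
make_demo_pki() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' '[dn]' 'CN=unused' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$d/ca.cnf"
    newkey="-config $d/ca.cnf -newkey rsa:2048 -nodes"   # word-split on purpose
    openssl req -x509 $newkey -extensions v3_ca -days 2 -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new $newkey -subj "/CN=Constructed Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -extfile "$d/ca.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" 2>/dev/null &&
    openssl req -new $newkey -subj "/CN=www.example.com" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -out "$d/srv.pem" 2>/dev/null
}

# Demo run on the constructed files: all checks must pass before installing
demo=$(mktemp -d) && make_demo_pki "$demo" &&
cert_matches_csr "$demo/srv.csr" "$demo/srv.pem" &&
chain_verifies "$demo/root.pem" "$demo/int.pem" "$demo/srv.pem" &&
echo "ok to install certificate for $(cert_common_name "$demo/srv.pem")"
rm -rf "$demo"
```

With real files, pass the downloaded CSR, the certificate returned by the CA, the CA's intermediate bundle and the CA's root certificate to the three check functions in place of the constructed ones.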
Using Certificates
Once installed, a certificate may be used to enable the HTTPS protocol on LightWave SERVER console and/or service ports. The ports must be configured at SERVER startup. Use the Common Name (see above) when specifying the port. See SERVER Command Line Options for more information about configuring TCP/IP ports.
tacl> run server --console-ports 80 443:www.example.com --service-ports 8080 8443:www.example.com