Collect! Credit and Collection Software™


How To Setup Security Certificates

By default, Collect! can create a self-signed certificate. This allows you to create an encrypted connection immediately while you are going through the process of getting a certificate from a Trusted Authority. Self-signed certificates are viewed by web browsers as insecure and should not be used as a permanent solution.

There are 3 main steps to creating an SSL certificate:

1. Create the RSA private key.

2. Create the signing request that binds the key to the certificate.

3. Create the SSL certificate.

Creating A Self-Signed SSL Certificate

Self-signed certificates are a quick way to get an encrypted connection, but the certificates will not be seen as trusted by web browsers. Follow this section, then refer to the next section on purchasing a certificate from a proper authority.

1. In Collect!, navigate to the System -> Network and Environment -> Security Certificates menu.

2. Fill in the Host to make cert for field with the name of the URL that web host will use (EX: client.yourdomain.com).

3. Fill in the State or province, Organization, Email, Country, and City fields and optionally the Company division field.

4. Set the Version x509 to be Version 3.

5. Set the Key size to be 2048.

6. Set the Generator output format to be Advanced Settings.

7. Click the Generate RSA Private Key button, then click OK.

8. Click the Generate Certificate Request button, then click OK.

9. Click the Sign Certificate Request button, then click OK.

This will create a self-signed certificate, along with the private key and signing request that you can now use to purchase a certificate from a certificate authority.


Purchasing An SSL Certificate From A Certificate Authority

There are several certificate authorities that provide certificates. The certificate authority that you choose and the type that you use is up to you.

1. Sign into your SSL vendor's application and purchase an SSL certificate.

2. When prompted or available, go to the section that allows you to configure the certificate.

3. If prompted, select the option that states "Outside Hosting." This option usually appears on vendors that also act as website providers like GoDaddy.

4. Open the webhost.req file with Windows© WordPad.

5. Copy the entire file.

6. Paste it into the Vendor's Certificate Signing Request (CSR) box, overwriting everything previously there.

7. If prompted, set the Server Type to Other.

8. Submit configuration.

The next step is to wait for the certificate. Depending on the authority or type of certificate, you may have to go through an approval process. Once done, you will either receive the certificate in an email or via the Vendor's application as a download.


Installing A Security Certificate

1. Obtain the certificate. If via email, skip to step 3. If via Vendor application, sign into the application and download the certificate file. If prompted, the server type is Other. You will usually receive a ZIP file containing the certificate and a BUNDLE or INTERMEDIATE certificate.

2. Extract the CRT files to your desktop.

3. Open the webhost.crt file with Windows© WordPad and delete the contents.

4. If via email, open the email. If via CRT file, open the main (non-bundle) certificate with Windows© WordPad.

5. Copy the Certificate from Beginning to End.

Useful Note Do not copy the Intermediate Certificate, if one is provided.

6. Paste the Certificate code into the webhost.crt and save the file.

7. Restart Web Host OR Apache, depending on which one acts as the primary web server.


Intermediate Certificates

These have a variety of names (Intermediate, Bundle, or Chain Certificates), but they all do the same thing: add a layer of security to your certificate by linking it to the certificate authority's trusted root.

Natively, web host does not support the intermediate certificate, so if you are using web host by itself, there is nothing more to do.

HOWEVER, if you have set up web host to work with Apache as per the help topic How To Setup Web Host With Apache, then you may need to update the intermediate certificate.

Even in Apache, the intermediate certificate (or chain certificate, as they call it) is optional, but recommended.

Here are the instructions for updating the Apache intermediate certificate, ASSUMING that you have set it up using the instructions in the above help topic.

1. Obtain the certificate. If via email, skip to step 3. If via Vendor application, sign into the application and download the certificate file. If prompted, the server type is Other. You will usually receive a ZIP file containing the main certificate and the BUNDLE or INTERMEDIATE certificate that you are looking for.

2. Extract the CRT files to your desktop.

3. Open the intermediate.crt file with Windows© WordPad and delete the contents.

4. If via email, open the email. If via CRT file, open the bundle (non-domain) certificate with Windows© WordPad.

5. Copy the Certificate from Beginning to End.

Useful Note Do not copy the Main Certificate that you used above. You are looking for the Intermediate one.

6. Paste the Certificate code into the intermediate.crt and save the file.

7. Restart Apache.
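
A way to check the files from the two installation procedures above before restarting the server, as an added example that is not part of Collect! or its documentation. It uses the OpenSSL command line from a POSIX shell and builds a throwaway CA and certificate (constructed test data); make_chain, check_install and the CA name are hypothetical, while webhost.rsa, webhost.req, webhost.crt and intermediate.crt are the page's file names.

```shell
#!/bin/sh
# Added example, constructed data: a throwaway CA stands in for the vendor's
# intermediate. File names follow the page; the CA name is made up.

make_chain() {   # $1 = scratch directory
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -days 30 \
        -subj "/O=Constructed Test CA/CN=Constructed Intermediate" \
        -out "$1/intermediate.crt" 2>/dev/null || return 1
    # Private key and signing request for the page's example host.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/webhost.rsa" \
        -subj "/CN=client.yourdomain.com" -out "$1/webhost.req" \
        2>/dev/null || return 1
    # The stand-in CA turns the request into the main certificate.
    openssl x509 -req -in "$1/webhost.req" -CA "$1/intermediate.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -days 30 \
        -out "$1/webhost.crt" 2>/dev/null || return 1
}

# SHA-256 of the public key held in a private key (key) or certificate (crt).
pubkey_hash() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

name_of() {      # $1 = issuer|subject, $2 = certificate file
    openssl x509 -in "$2" -noout "-$1" | sed "s/^$1= *//"
}

# check_install KEY MAIN_CRT INTERMEDIATE_CRT: prints "ok" or the first problem.
check_install() {
    [ "$(grep -c 'BEGIN CERTIFICATE' "$2")" = 1 ] ||
        { echo "main file must hold exactly one certificate"; return 1; }
    [ "$(pubkey_hash key "$1")" = "$(pubkey_hash crt "$2")" ] ||
        { echo "certificate does not match private key"; return 1; }
    [ "$(name_of subject "$2")" != "$(name_of subject "$3")" ] &&
    [ "$(name_of issuer "$2")" = "$(name_of subject "$3")" ] &&
    openssl verify -partial_chain -CAfile "$3" "$2" >/dev/null 2>&1 ||
        { echo "intermediate is not the issuer of the main certificate"; return 1; }
    echo ok
}

demo_dir=$(mktemp -d)
make_chain "$demo_dir" && check_install "$demo_dir/webhost.rsa" \
    "$demo_dir/webhost.crt" "$demo_dir/intermediate.crt"
rm -rf "$demo_dir"
```

For a real installation, skip make_chain and pass the paths of your own webhost.rsa, webhost.crt and intermediate.crt to check_install.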


Using Let's Encrypt To Automatically Create And Renew Certificates

If you want to have your SSL certificates automatically managed for free, you can use Let's Encrypt to maintain your certificates.

Prerequisites:

1. Web host has been set up as per: How To Setup Web Host

2. Apache has been set up as per: How To Setup Web Host With Apache

3. The domain name is properly set up with your DNS provider.

4. A valid Certificate Signing Request (CSR) file.

5. A valid Key file.

Useful Note You can use Collect! to generate the CSR with the Security Certificates menu as defined above under Creating a Self-Signed SSL Certificate.

Useful Note Our examples below will assume the CSR and key files are in the Collect\bin folder and that Wamp was installed at C:\wamp64.

1. Create a folder in the C:\wamp64\www folder called: .well-known

Useful Note Windows won't allow you to create the folder directly. You can use the following in command prompt: mkdir C:\wamp64\www\.well-known

2. Open C:\wamp64\bin\Apache\Apache2.4.#\conf\httpd.conf and remove the Redirect / https://something.yourdomain.com/portal/ line from the bottom of the file.

3. Open C:\wamp64\bin\Apache\Apache2.4.#\conf\extras\httpd-vhosts.conf and add the following code below the last </Directory> and before the last </VirtualHost> tag.
<Directory "${INSTALL_DIR}/www/.well-known/">
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{REQUEST_URI} '!/.well-known/acme-challenge/'
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Useful Note For more experienced users, you can create a define for your domain name at the top of httpd.conf and reference it instead of hard-coded domain names. This would be useful here to replace %{SERVER_NAME} with ${DOMAIN_NAME} if you have aliases for your domain.

4. Restart Wamp.

5. Download the latest release of win-acme from https://github.com/win-acme/win-acme/releases/. The links are at the bottom of the page. Pay attention to the link. You will need to select x64 or x86 depending on the version of Wamp you installed. All of our examples have been based on x64. The Pluggable versus the Trimmed does not matter. We don't use any plug-ins, so you can use the Trimmed, if you want.

6. Extract the zip to C:\win-acme (create the folder, if you don't have it).

7. Run C:\win-acme\wacs.exe

8. Type M then Enter to create a certificate with full options.

9. Type 3 then Enter to use a CSR from another program.

10. Enter the path to the CSR file and hit Enter. EX: C:\Collect\bin\webhost.req

11. Enter the path to the Key file and hit Enter. EX: C:\Collect\bin\webhost.rsa

12. Hit Enter to accept the suggested friendly name retrieved from the CSR.

13. Type 1 then Enter to save the verification files on a network path.

14. Enter the path to the Wamp public folder. EX: C:\wamp64\www

15. Type N to not have the web.config file.

16. Type 2 then Enter to create PEM files.

17. Type the path that you want to save the PEM files and hit Enter. You can save them anywhere, but for simplicity, we recommend the Collect\bin folder. EX: C:\Collect\bin

18. Press 1 for None to the request for the password for the private key.

19. Type 5 then Enter to not save the files in any other Stores.

20. Type 4 then Enter to indicate no additional installation steps.

21. Type y or n if you wish to read the Terms of Service.

22. Type y to agree to the Terms.

23. Enter an email to be notified of abuse or leave blank and hit Enter.

24. Type n to specify a user.

25. Type Q then Enter to quit the win-acme application.

26. Navigate to the Collect\bin folder and make note of the PEM file names. Examples:
SSL Certificate File: yourdomain-crt.pem
SSL Key File: yourdomain-key.pem
SSL Certificate Chain File: yourdomain-chain.pem

27. Open C:\wamp64\bin\Apache\Apache2.4.#\conf\extras\httpd-ssl.conf and update the file names for the following variables: SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile

28. Restart Wamp.

Useful Note The win-acme application will automatically create a Task in the Windows Scheduler to renew the certificate periodically.
