How To Setup Security Certificates
By default, Collect! can create a self-signed certificate. This allows you to create an
encrypted connection immediately while you are going through the process of getting a
certificate from a Trusted Authority. Self-signed certificates are viewed by web browsers
as insecure and should not be used as a permanent solution.
There are 3 main steps to creating an SSL certificate:
1. Create the RSA private key.
2. Create the signing request that binds the key to the certificate.
3. Create the SSL certificate.
Creating A Self-Signed SSL Certificate
Self-signed certificates are a quick way to get an encrypted connection, but the certificates will not be seen
as trusted by web browsers. Follow this section, then refer to the next section on purchasing a certificate from
a proper authority.
1. In Collect!, navigate to the System -> Network and Environment -> Security Certificates menu.
2. Fill in the Host to make cert for field with the name of the URL that web host will use (EX: client.yourdomain.com).
3. Fill in the State or province, Organization, Email, Country, and City fields and optionally the Company division field.
4. Set the Version x509 to be Version 3.
5. Set the Key size to be 2048.
6. Set the Generator output format to be Advanced Settings.
7. Click the Generate RSA Private Key button, then click OK.
8. Click the Generate Certificate Request button, then click OK.
9. Click the Sign Certificate Request button, then click OK.
This will create a self-signed certificate that you can now use to purchase a certificate from a certificate authority.
Purchasing An SSL Certificate From A Certificate Authority
There are several certificate authorities that provide certificates. The certificate authority that you choose and the
type that you use is up to you.
1. Sign into your SSL vendor's application and purchase an SSL certificate.
2. When prompted or available, go to the section that allows you to configure the certificate.
3. If prompted, select the option that states "Outside Hosting." This option usually appears on vendors that also act
as website providers like GoDaddy.
4. Open the webhost.req file with Windows© WordPad.
5. Copy the entire file.
6. Paste it into the Vendor's Certificate Signing Request (CSR) box, overwriting everything previously there.
7. If prompted, set the Server Type to Other.
8. Submit configuration.
The next step is to wait for the certificate. Depending on the authority or type of certificate, you may have to go
through an approval process. Once done, you will either receive the certificate in an email or via the Vendor's application
as a download.
Installing A Security Certificate
1. Obtain the certificate. If via email, skip to step 3. If via Vendor application, sign into the application and
download the certificate file. If prompted, the server type is Other. You will usually receive a ZIP file containing
the certificate and a BUNDLE or INTERMEDIATE certificate.
2. Extract the CRT files to your desktop.
3. Open the webhost.crt file with Windows© WordPad and delete the contents.
4. If via email, open the email. If via CRT file, open the main (non-bundle) certificate with Windows© WordPad.
5. Copy the Certificate from Beginning to End.
Do not copy the Intermediate Certificate, if one is provided.
6. Paste the Certificate code into the webhost.crt and save the file.
7. Restart Web Host OR Apache, depending on which one acts as the primary web server.
Intermediate Certificates
These have a variety of names: Intermediate, Bundle, or Chain Certificates, but they all do the same
thing - add a layer of security to your certificate.
Natively, web host does not support the intermediate certificate, so if you are using web host by
itself, there is nothing more to do.
HOWEVER, if you have set up web host to work with Apache as per the help topic How To Setup Web Host With Apache,
then you may need to update the intermediate certificate.
Even in Apache, the intermediate certificate (or chain certificate, as they call it) is optional, but recommended.
Here are the instructions for updating the Apache intermediate certificate, ASSUMING that you have set it up using the
instructions in the above help topic.
1. Obtain the certificate. If via email, skip to step 3. If via Vendor application, sign into the application and
download the certificate file. If prompted, the server type is Other. You will usually receive a ZIP file containing
the main certificate and the BUNDLE or INTERMEDIATE certificate that you are looking for.
2. Extract the CRT files to your desktop.
3. Open the intermediate.crt file with Windows© WordPad and delete the contents.
4. If via email, open the email. If via CRT file, open the bundle (non-domain) certificate with Windows© WordPad.
5. Copy the Certificate from Beginning to End.
Do not copy the Main Certificate that you used above. You are looking for the Intermediate one.
6. Paste the Certificate code into the intermediate.crt and save the file.
7. Restart Apache.
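A check to run on webhost.crt or intermediate.crt after the copy-and-paste steps above and before restarting the server. This is an added example, not part of Collect! or of the original help topic; the function names and the sample data are constructed for illustration. It flags the usual paste mistakes (file saved as rich text, a partial copy, a certificate request pasted instead of a certificate, or the main and intermediate certificates pasted into the same file) but does not verify signatures or trust.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def der_length_ok(der):
    """True if der is a single SEQUENCE whose length field spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_cert_file(text):
    """Return the problems found in a pasted webhost.crt or intermediate.crt."""
    if text.lstrip().startswith("{\\rtf"):
        return ["file was saved as rich text (RTF), not plain text"]
    problems = []
    blocks = PEM_BLOCK.findall(text)
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("a BEGIN line has no matching END line (partial copy)")
    problems += [f"unexpected block pasted: {label}"
                 for label, _ in blocks if label != "CERTIFICATE"]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:
        problems.append(f"expected exactly 1 certificate, found {len(certs)}")
    for body in certs:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append("certificate body is not valid base64")
            continue
        if not der_length_ok(der):
            problems.append("certificate body is incomplete or has extra data")
    return problems

def make_pem(label, der):
    """Wrap DER bytes in a PEM envelope with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed stand-in: valid outer DER framing only, not a real certificate.
SAMPLE = make_pem("CERTIFICATE", b"\x30\x82\x01\x00" + bytes(256))
```

To check a real file, pass its contents to check_cert_file(); an empty list means the file holds exactly one well-formed certificate block.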
Using Let's Encrypt To Automatically Create And Renew Certificates
If you want to have your SSL certificates automatically managed for free, you can use Let's Encrypt to maintain your
certificates.
Prerequisites:
1. Web host has been set up as per: How To Setup Web Host
2. Apache has been set up as per: How To Setup Web Host With Apache
3. The domain name is properly set up with your DNS provider.
4. A valid Certificate Signing Request (CSR) file.
5. A valid Key file.
You can use Collect! to generate the CSR with the Security Certificates menu as defined above
under Creating a Self-Signed SSL Certificate.
Our examples below will assume the CSR and key files are in the Collect\bin folder and that
Wamp was installed at C:\wamp64.
1. Create a folder in the C:\wamp64\www folder called: .well-known
Windows won't allow you to create the folder directly. You can use the following in
the command prompt: mkdir C:\wamp64\www\.well-known
2. Open C:\wamp64\bin\Apache\Apache2.4.#\conf\httpd.conf and remove the
Redirect / https://something.yourdomain.com/portal/ line from the bottom of the file.
3. Open C:\wamp64\bin\Apache\Apache2.4.#\conf\extras\httpd-vhosts.conf and add the following code
below the last </Directory> and before the last </VirtualHost> tag.
<Directory "${INSTALL_DIR}/www/.well-known/">
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{REQUEST_URI} '!/.well-known/acme-challenge/'
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
For more experienced users, you can create a define for your domain name at the top of
httpd.conf and reference it instead of hard-coded domain names. This would be useful
here to replace %{SERVER_NAME} with ${DOMAIN_NAME} if you have aliases for your domain.
4. Restart Wamp.
5. Download the latest release of win-acme from https://github.com/win-acme/win-acme/releases/. The links are at the bottom
of the page. Pay attention to the link. You will need to select x64 or x86 depending on the version
of Wamp you installed. All of our examples have been based on x64. The Pluggable versus the Trimmed
does not matter. We don't use any plug-ins, so you can use the Trimmed, if you want.
6. Extract the zip to C:\win-acme (create the folder, if you don't have it).
7. Run C:\win-acme\wacs.exe
8. Type M then Enter to create a certificate with full options.
9. Type 3 then Enter to use a CSR from another program.
10. Enter the path to the CSR file and hit Enter. EX: C:\Collect\bin\webhost.req
11. Enter the path to the Key file and hit Enter. EX: C:\Collect\bin\webhost.rsa
12. Hit Enter to accept the suggested friendly name retrieved from the CSR.
13. Type 1 then Enter to save the verification files on a network path.
14. Enter the path to the Wamp public folder. EX: C:\wamp64\www
15. Type N to not have the web.config file.
16. Type 2 then Enter to create PEM files.
17. Type the path that you want to save the PEM files and hit Enter. You can save them anywhere, but
for simplicity, we recommend the Collect\bin folder. EX: C:\Collect\bin
18. Press 1 for None to the request for the password for the private key.
19. Type 5 then Enter to not save the files in any other Stores.
20. Type 4 then Enter to indicate no additional installation steps.
21. Type y or n if you wish to read the Terms of Service.
22. Type y to agree to the Terms.
23. Enter an email to be notified of abuse or leave blank and hit Enter.
24. Type n to specify a user.
25. Type Q then Enter to quit the win-acme application.
26. Navigate to the Collect\bin folder and make note of the PEM file names. Examples:
SSL Certificate File: yourdomain-crt.pem
SSL Key File: yourdomain-key.pem
SSL Certificate Chain File: yourdomain-chain.pem
27. Open C:\wamp64\bin\Apache\Apache2.4.#\conf\extras\httpd-ssl.conf and update the file names for the
following variables: SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile
28. Restart Wamp.
The win-acme application will automatically create a Task in the Windows Scheduler to
renew the certificate periodically.