How To Setup Security Certificates
By default, Collect! can create a self-signed certificate. This allows you to create an encrypted
connection immediately while you are going through the process of getting a certificate from a
Trusted Authority. Self-signed certificates are viewed by web browsers as insecure and should not
be used as a permanent solution.
There are 3 main steps to creating an SSL certificate:
- Create the RSA private key.
- Create the signing request that binds the key to the certificate.
- Create the SSL certificate.
Creating A Self-Signed SSL Certificate
Self-signed certificates are a quick way to get an encrypted connection, but the certificates will
not be seen as trusted by web browsers. Follow this section, then refer to the next section on
purchasing a certificate from a proper authority.
- In Collect!, navigate to the System -> Network and Environment -> Security Certificates
menu.
- Fill in the Host to make cert for field with the name of the URL that web host will use
(EX: client.yourdomain.com).
- Fill in the State or province, Organization, Email, Country, and City fields and optionally
the Company division field.
- Set the Version x509 to be Version 3.
- Set the Key size to be 2048.
- Set the Generator output format to be Advanced Settings.
- Click the Generate RSA Private Key button, then click OK.
- Click the Generate Certificate Request button, then click OK.
- Click the Sign Certificate Request button, then click OK.
This will create a self-signed certificate, along with the certificate request (webhost.req) that
you can now use to purchase a certificate from a certificate authority.
Purchasing An SSL Certificate From A Certificate Authority
There are several certificate authorities that provide certificates. The certificate authority that
you choose and the type that you use is up to you.
- Sign into your SSL vendor's application and purchase an SSL certificate.
- When prompted or available, go to the section that allows you to configure the
certificate.
- If prompted, select the option that states "Outside Hosting." This option usually appears on
vendors that also act as website providers like GoDaddy.
- Open the webhost.req file with Windows© WordPad.
- Copy the entire file.
- Paste it into the Vendor's Certificate Signing Request (CSR) box, overwriting everything
previously there.
- If prompted, set the Server Type to Other.
- Submit configuration.
The next step is to wait for the certificate. Depending on the authority or type of certificate, you
may have to go through an approval process. Once done, you will either receive the certificate in
an email or via the Vendor's application as a download.
Installing A Security Certificate
- Obtain the certificate. If via email, skip to step 3. If via Vendor application, sign into
the application and download the certificate file. If prompted, the server type is Other. You
will usually receive a ZIP file containing the certificate and a BUNDLE or INTERMEDIATE
certificate.
- Extract the CRT files to your desktop.
- Open the webhost.crt file with Windows© WordPad and delete the
contents.
- If via email, open the email. If via CRT file, open the main (non-bundle) certificate with
Windows© WordPad.
- Copy the Certificate from Beginning to End.
Do not copy the Intermediate Certificate, if one is provided.
- Paste the Certificate code into the webhost.crt and save the file.
- Restart Web Host OR Apache, depending on which one acts as the primary web server.
Intermediate Certificates
These have a variety of names: Intermediate, Bundle, or Chain Certificates, but they all do the same
thing - add a layer of security to your certificate by linking it to the certificate authority's
trusted root.
Natively, web host does not support the intermediate certificate, so if you are using web host by
itself, there is nothing more to do.
HOWEVER, if you have set up web host to work with Apache as per the help topic How To Setup Web Host
With Apache, then you may need to update the intermediate certificate.
Even in Apache, the intermediate certificate (or chain certificate, as they call it) is optional,
but recommended.
Here are the instructions for updating the Apache intermediate certificate, ASSUMING that you have
set it up using the instructions in the above help topic.
- Obtain the certificate. If via email, skip to step 3. If via Vendor application, sign into the
application and download the certificate file. If prompted, the server type is Other. You will
usually receive a ZIP file containing the main certificate and the BUNDLE or INTERMEDIATE
certificate that you are looking for.
- Extract the CRT files to your desktop.
- Open the intermediate.crt file with Windows© WordPad and delete the
contents.
- If via email, open the email. If via CRT file, open the bundle (non-domain) certificate with
Windows© WordPad.
- Copy the Certificate from Beginning to End.
Do not copy the Main Certificate that you used above. You are looking for the Intermediate one.
- Paste the Certificate code into the intermediate.crt and save the file.
- Restart Apache.
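Both copy-and-paste procedures above (webhost.crt and intermediate.crt) are easy to get wrong, so the following added example, which is not part of Collect! or its documentation, checks a pasted file's structure before the web server is restarted: exactly one certificate block, nothing outside the BEGIN/END markers, and no signing request or private key pasted by mistake. The function names and sample blocks are assumptions made for illustration; the sample payloads are constructed bytes, not real certificates.

```python
import base64
import binascii
import re

# Matches one PEM block and captures its BEGIN label, body and END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.S)

def check_pasted_pem(text, expected_label="CERTIFICATE", expected_count=1):
    """Return a list of problems found in a hand-pasted PEM file."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    # Anything left once the blocks are removed is stray text (e-mail body, RTF).
    if PEM_BLOCK.sub("", text).strip():
        problems.append("text outside the BEGIN/END markers")
    if len(blocks) != expected_count:
        problems.append(f"expected {expected_count} block(s), found {len(blocks)}")
    for begin, body, end in blocks:
        if begin != end:
            problems.append(f"BEGIN {begin} closed by END {end}")
        if "PRIVATE KEY" in begin:
            problems.append("private key material in a certificate file")
        elif begin != expected_label:
            problems.append(f"unexpected block type: {begin}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append("body is not valid base64 (truncated copy?)")
            continue
        if not der.startswith(b"\x30"):  # every certificate is a DER SEQUENCE
            problems.append("decoded body is not a DER SEQUENCE")
    return problems

def sample_pem(label, payload):
    """Build a constructed PEM block; the payload is NOT a real certificate."""
    b64 = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed sample inputs (placeholder DER bytes, for illustration only).
MAIN = sample_pem("CERTIFICATE", b"\x30\x03\x02\x01\x01")
INTERMEDIATE = sample_pem("CERTIFICATE", b"\x30\x03\x02\x01\x02")
CSR = sample_pem("CERTIFICATE REQUEST", b"\x30\x03\x02\x01\x03")

if __name__ == "__main__":
    for name, text in [("main only", MAIN), ("main + intermediate", MAIN + INTERMEDIATE),
                       ("CSR pasted by mistake", CSR), ("with e-mail text", "Hi,\n" + MAIN)]:
        print(f"{name}: {check_pasted_pem(text) or 'OK'}")
```

This is a structural check only: it cannot tell the main certificate from the intermediate one, and it does not validate the issuer or the expiry date.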
Using Let's Encrypt To Automatically Create And Renew Certificates
If you want to have your SSL certificates automatically managed for free, you can use Let's Encrypt
to maintain your certificates.
Prerequisites
- Web host has been set up as per: How To Setup Web Host
- Apache has been set up as per: How to Setup Apache with Web Host
WARNING: If you already have Apache installed, go over the Help document above to ensure the files
are configured properly.
- The domain name is properly set up with your DNS provider.
- A valid Certificate Signing Request (CSR) file.
- A valid Key file.
You can use Collect! to generate the CSR with the Security Certificates menu as defined above
under Creating a Self-Signed SSL Certificate.
Our examples below will assume the CSR and key files are in the Collect\bin folder and that
Wamp was installed at C:\wamp64.
Using Win-Acme
- Create a folder in the C:\wamp64\www folder called: .well-known
Windows won't allow you to create the folder directly. You can use the following in
command prompt:
mkdir C:\wamp64\www\.well-known
- Download the latest release of win-acme from https://github.com/win-acme/win-acme/releases/. The links are at the bottom
of the page. Pay attention to the link. You will need to select x64 or x86 depending on the
version of Wamp you installed. All of our examples have been based on x64. The Pluggable versus
the Trimmed does not matter. We don't use any plug-ins, so you can use the Trimmed, if you
want.
- Extract the zip to C:\win-acme (create the folder, if you don't have it)
- Run C:\win-acme\wacs.exe
- Type M then Enter to create a certificate with full options.
- Type 2 then Enter to manually enter a domain name.
- Enter the domain name to create the certificate for.
- Hit Enter to accept the suggested friendly name retrieved from the CSR.
- Type 1 then Enter to save the verification files on a network path.
- Enter the path to the Wamp public folder. EX: C:\wamp64\www
- Type N to not have the web.config file.
- Type 2 then Enter to select RSA key.
- Type 2 then Enter to create PEM files.
- Type the path that you want to save the PEM files and hit Enter. You can save them anywhere,
but for simplicity, we recommend the Collect\bin folder. EX: C:\Collect\bin
- Press 1 for None when asked for a password for the private key.
- Type 5 then Enter to not save the files in any other Stores.
- Type 3 then Enter to indicate no additional installation steps.
- Type y or n if you wish to read the Terms of Service.
- Type y to agree to the Terms.
- Enter an email to be notified of abuse or leave blank and hit Enter.
- Type n to specify a user.
- Type Q then Enter to quit the win-acme application.
- Navigate to the Collect\bin folder and make note of the PEM file names. Examples:
SSL Certificate File: yourdomain-crt.pem
SSL Key File: yourdomain-key.pem
SSL Certificate Chain File: yourdomain-chain.pem
- Open C:\wamp64\bin\Apache\Apache2.4.#\conf\extras\httpd-ssl.conf and update the file names
for the following variables: SSLCertificateFile, SSLCertificateKeyFile,
SSLCertificateChainFile
- Restart Wamp.
- Repeat for any other certificates that you have to setup.
The win-acme application will automatically create a Task in the Windows Scheduler to
renew the certificate periodically.
If you are using multiple domains (EX: client, dashboard, portal, api, etc.), you can create
multiple virtual hosts, multiple CSR files, and run the wacs.exe file for each domain.
Alternatively, advanced users of Win-Acme can create wildcard certificates.