Thread: couple basic SSL questions


This question is answered. Helpful answers available: 2. Correct answers available: 1.


Permlink Replies: 7 - Last Post: Mar 8, 2017 12:01 PM Last Post By: S. Mahaux
Chisolm Wilson

Posts: 25
Registered: 2/26/05
couple basic SSL questions  
  Posted: Jan 19, 2017 8:42 AM
Hi,
I'm likely going to be upgrading to IW Ultimate soon, and dive into SSL.
Couple questions:

Does my server have to have its own specific domain name in order to install an SSL certificate? It's hosted on Rackspace...it has its own dedicated IP address but not its own domain name. (I do, however, have a subdomain pointed at the server, using a DNS 'A record'. i.e. weblogin.mydomain.com ...)

Like most things Intraweb, I assume there are no instructions/documentation for using IW+SSL, and that I have to just look around in this forum? (for helpful tips from the likes of Daniel and others... ?) Yes, I hear there is a demo, but I also hear it doesn't work, so I think I'll pass on that.

So once I get the certif installed, it's a fairly painless process to get the IW app running with SSL, right? (I hope so)

Thanks!
CW
Daniel Fields

Posts: 622
Registered: 11/29/04
Re: couple basic SSL questions  
  Posted: Jan 19, 2017 9:40 AM   in response to: Chisolm Wilson
You can use SSL with a public IP address. Everything I have seen on this topic says that you have to use the IP address as the Common Name in your Certificate Signing Request. So make sure you specify that in the CSR or you will have to redo everything. I have never done it that way because the end-user has to remember or bookmark that address. You would have to use something like https://123.456.78.99 to get to your application.

You might want to purchase a UCC certificate, which would allow you to secure up to 99 additional Subject Alternative Names (SANs) in a single certificate. With that you could cover the IP and the sub-domain in question.

Once you get the certificate installed it is very easy to implement in your application. You just go to the ServerController.SSLOptions. You set CertificatePassword, Port and SSLVersion properties. You then have to set your application's first form's ConnectionType to cmSecure. I usually do that with my splash screen (page). All pages that the user navigates to will remain secured unless you specifically turn off the security in code.

I have all of my applications hosted at Rackspace and my domains and SSL certificates are through Go Daddy.
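
The SAN approach from the post above, as an added example that is not part of the original post: an OpenSSL CSR that lists both the sub-domain and the IP address, plus a check that each name really is in the request before it goes to the CA. Current browsers match the address bar against SAN entries rather than the Common Name. Assumptions: OpenSSL 1.1.1 or later (for `-addext`), the thread's example host name, a constructed documentation address 203.0.113.10, and hypothetical function and file names.

```shell
#!/bin/sh
# Added example: CSR whose SAN list covers both the sub-domain and the IP.
# 203.0.113.10 is a constructed documentation address, not the poster's server.

# make_csr DIR CN SAN_LIST -> writes DIR/server.key and DIR/server.csr
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -addext "subjectAltName=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    chmod 600 "$1/server.key"   # the key never leaves the server; only the CSR does
}

# csr_sans CSR -> one SAN entry per line, e.g. "DNS:name" or "IP Address:a.b.c.d"
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//'
}

# csr_covers CSR ENTRY -> exit 0 only when ENTRY is an exact SAN entry in the CSR
csr_covers() {
    csr_sans "$1" | grep -Fxq "$2"
}

# Usage (constructed values):
#   make_csr . weblogin.mydomain.com "DNS:weblogin.mydomain.com,IP:203.0.113.10"
#   csr_covers ./server.csr "IP Address:203.0.113.10" && echo "IP is covered"
```
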
Daniel Fields

Posts: 622
Registered: 11/29/04
Re: couple basic SSL questions  
  Posted: Jan 19, 2017 10:25 AM   in response to: Chisolm Wilson
I'm sure you know there is more detail involved in the certificate request. Here are the steps that have worked best for me.

I. Generate a CSR. The link below is really detailed on each step of this process.
http://www.techrepublic.com/blog/how-do-i/how-do-i-request-and-install-ssl-certificates-in-iis-70/

II. Export a PFX file from your IIS server.

1. Run mmc.exe
2. Click the 'Console' menu and then click 'Add / Remove Snap-in'.
3. Click the 'Add' button and then choose the 'certificates' snap-in and click on 'Add'.
4. Select 'Computer Account' then click 'Next'.
5. Select 'Local Computer' and then click 'OK'.
6. Click 'Close' and then click 'OK'.
7. Expand the menu for 'Certificates' and click on the 'Personal' folder.
8. Right click on the certificate that you want to export and select 'All tasks' -> 'Export'.

A wizard will appear. Make sure you check the box to include the private key and continue through with this wizard until you have a .PFX file. From here you get cert.pem and key.pem files. I have to go back through my notes for the details on this step. I have not had to do this in a while. I'll update this step later.

III. Create root.pem

1. Open MMC and add the certificates snap-in.
2. Expand Console Root to
a. Intermediate Certificate Authorities
i. Certificates
3. Select "Go Daddy Secure Authority - G2".
a. Do not select the Go Daddy Root certificate!
4. Right-click and select Export
a. Select the Base 64 format
b. Save to root.crt

Rename root.crt to root.pem

IV. Install into your application

1. Copy root.pem, cert.pem and key.pem into the project folder for your application.
2. Go to ServerController and set the SSLOptions: CertificatePassword, Port and SSLVersion.
3. Set your application's main form ConnectionMode to cmSecure.

If you have IIS running on this server, you cannot use port 443 for your application because IIS is using it. You can use any other available port, like 8443.
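
The post above leaves the PFX-to-PEM step open. One common way to do it, as an added example that is not from the original post and not IntraWeb's own tooling: split the exported .pfx with the OpenSSL command-line tool, then confirm that key.pem really belongs to cert.pem before copying both into the project folder. Assumptions: `export.pfx`, the passwords and the function names are hypothetical, the sample PFX is a constructed self-signed pair standing in for the IIS export, and key.pem is kept encrypted under the same passphrase you would enter in CertificatePassword.

```shell
#!/bin/sh
# Added example: split a .pfx into cert.pem / key.pem and verify they pair up.
# File names follow the thread; passwords and sample data are constructed.

# split_pfx PFX PASSWORD OUTDIR
split_pfx() {
    pfx=$1; pass=$2; out=$3
    # Leaf certificate only (no CA certificates, no key).
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/cert.pem" 2>/dev/null || return 1
    # Private key only, written encrypted under the same passphrase.
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts \
        -passout "pass:$pass" -out "$out/key.pem" 2>/dev/null || return 1
    chmod 600 "$out/key.pem"
}

# key_matches_cert CERT KEY PASSWORD -> exit 0 when both hold the same public key
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# make_sample_pfx DIR PASSWORD -> DIR/export.pfx (constructed stand-in for the IIS export)
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=weblogin.mydomain.com" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -passout "pass:$2" -out "$1/export.pfx" 2>/dev/null
}

# demo -> exit 0 when a freshly split pair verifies
demo() {
    d=$(mktemp -d) || return 1
    make_sample_pfx "$d" 'Constructed-Pass1' &&
    split_pfx "$d/export.pfx" 'Constructed-Pass1' "$d" &&
    key_matches_cert "$d/cert.pem" "$d/key.pem" 'Constructed-Pass1'
    rc=$?
    rm -rf "$d"
    return $rc
}
```

A failed `key_matches_cert` means the wrong certificate was exported or the passphrase is wrong, which is cheaper to find here than as a handshake failure on port 8443. Delete the .pfx and any unencrypted key copies once the PEM files are in place.
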

Chisolm Wilson

Posts: 25
Registered: 2/26/05
Re: couple basic SSL questions  
  Posted: Jan 19, 2017 1:15 PM   in response to: Daniel Fields
Thanks Daniel- big help. I'll try to follow these instructions as I get started.
In that techrepublic article, I assume I would just go through step 4, which is installing the certificate. But not into step 5, which is binding it with https into a specific 'site' ...because my 'site' isn't in IIS (it's a standalone IW app). Sound about right?

thanks,
Chisolm Wilson

Daniel Fields

Posts: 622
Registered: 11/29/04
Re: couple basic SSL questions  
  Posted: Jan 19, 2017 1:24 PM   in response to: Chisolm Wilson
Exactly. I sometimes only run IIS to get the certificate going, but still use alternate ports. I have also used ports 80 and 443 and turned IIS off altogether. The fewer ports open, the less probing activity you will see.
S. Mahaux

Posts: 40
Registered: 4/4/02
Re: couple basic SSL questions  
  Posted: Feb 7, 2017 12:46 PM   in response to: Chisolm Wilson
Chisolm Wilson wrote:
[snip]
In that techrepublic article, I assume I would just go through step 4, which is installing the certificate. But not into step 5, which is binding it with https into a specific 'site' ...because my 'site' isn't in IIS (it's a standalone IW app). Sound about right?
[snip]

Just a clarification on that point...
If there is already a certificate on the server assigned to IIS and bound to the default site (in my case for RDP RemoteApp), then will I need a SECOND certificate for the IntraWeb app?
What about a 2nd/3rd IntraWeb app, will they each need their own certificates?

@Danield: Awesome & complete answer. You rock!

Thanks,
Stéphane

Edited by: S. Mahaux on Feb 7, 2017 12:48 PM
Chad Hower

Posts: 613
Registered: 3/2/07
Re: couple basic SSL questions  
  Posted: Mar 3, 2017 12:29 PM   in response to: S. Mahaux
On 2/7/2017 4:52 PM, S. Mahaux wrote:
Just a clarification on that point... if there is already a
certificate on the server assigned to IIS and bound to the default
site (in my case for RDP RemoteApp), then will I need a SECOND
certificate for the IntraWeb app? What about a 2nd/3rd IntraWeb app,
will they each need their own certificates?

Maybe.

The certs are bound to the domain name. So if they exist on the same
domain name - then you only need one cert.

For example, if we had 2 apps one at www.atozed.com/app1 and another at
www.atozed.com/app2, they would share the same cert.
S. Mahaux

Posts: 40
Registered: 4/4/02
Re: couple basic SSL questions  
  Posted: Mar 8, 2017 12:01 PM   in response to: Chad Hower
Chad Hower wrote:
The certs are bound to the domain name. So if they exist on the same
domain name - then you only need one cert.

For example, if we had 2 apps one at www.atozed.com/app1 and another at
www.atozed.com/app2, they would share the same cert.

Thanks Chad.