Installing certificates

Conseal Server can serve its pages and support applications via secure HTTP (HTTPS). To enable this, you need to obtain a certificate and private key in the correct format, and then enable the HTTPS option. This page guides you through the process.

Server Identity Validation

HTTPS not only encrypts all communications; it also validates the identity of the server you're connecting to. This prevents an attacker from setting up their own server and claiming to be, for example, secure.consealsecurity.com.

The server proves its identity using a certificate which is obtained from a certifying authority such as VeriSign, Thawte or GlobalSign. If you do not already have a certificate, please contact one of these authorities (note: they are in no way affiliated with Conseal Security).

The certifying authority will guide you through the necessary steps, such as producing a private key and then a certificate signing request file. In all cases follow the steps needed to produce an HTTPS certificate (the same steps required to produce a certificate for any other web server such as Apache).

Converting the Certificate Format

After obtaining a certificate, you should have 2 files: a certificate file and a private key. Conseal Server will need both.

The first step is to convert the certificate to the correct format. Certificates are usually in PEM format but will need to be converted to DER. To determine whether yours is in PEM format, view the certificate content. If it looks like this:

-----BEGIN CERTIFICATE-----
PGgzPlNlcnZlciBJZGVudGl0eSBWYWxpZGF0aW9uPC9oMz4NCjxwPlBhcnQgb2Yg
dGhlIGJlbmVmaXQgb2YgSFRUUFMgaXMgbm90IG9ubHkgdGhhdCBpdCBlbmNyeXB0
cyBhbGwgY29tbXVuaWNhdGlvbnMsIGJ1dCBhbHNvIHRoYXQgaXQgdmFsaWRhdGVz
IHRoZSBpZGVudGl0eSBvZiB0aGUgc2VydmVyIHlvdSdyZSBjb25uZWN0aW5nIHRv
LiBUaGlzIHByZXZlbnRzIGFuIGF0dGFja2VyIGZyb20gc2V0dGluZyB1cCBoaXMg
...etc...
-----END CERTIFICATE-----

...then it is in PEM format. If it does not start with the BEGIN CERTIFICATE line, it is probably in DER format already and you should skip to the next section.

To convert the PEM format certificate to DER, run the following command (how to obtain 'openssl'):

openssl x509 -in cert.pem -inform PEM -out server.crt -outform DER

Replace "cert.pem" with the filename of your certificate. This will produce a file server.crt in the current directory.

Converting the Key Format

As above, first determine the format of your private key file. If it is in PEM format, run the following command (how to obtain 'openssl'):

openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out server.key -outform DER

Replace "key.pem" with the filename of your private key. This will produce a file server.key in the current directory.
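
The two conversions above can be scripted so that each file is converted whether it arrives as PEM or DER, and so that the key is confirmed to belong to the certificate before either file is copied to the install directory. This is an added example, not part of Conseal Server or its documentation; the function names are hypothetical and it assumes a POSIX shell with openssl on the PATH.

```shell
#!/bin/sh
# Added example, not Conseal Server's own tooling. Output names server.crt and
# server.key follow the page; the function names are hypothetical.

# A PEM file is text containing a "-----BEGIN ..." line; anything else is
# treated as DER, the same test the page applies by eye.
is_pem() { grep -q -e '-----BEGIN ' "$1"; }

input_format() { if is_pem "$1"; then echo PEM; else echo DER; fi; }

# Write the certificate to server.crt as DER, whichever form it arrived in.
cert_to_der() {
    openssl x509 -in "$1" -inform "$(input_format "$1")" \
        -out server.crt -outform DER
}

# Write the key to server.key as unencrypted PKCS#8 DER. -nocrypt means no
# passphrase protects the output, so it is created and kept owner-only.
key_to_der() {
    ( umask 077
      openssl pkcs8 -topk8 -nocrypt -in "$1" -inform "$(input_format "$1")" \
          -out server.key -outform DER ) && chmod 600 server.key
}

# Succeeds only if server.key is the private half of the key in server.crt:
# both commands print the public key as PEM, and the two must be identical.
pair_matches() {
    cert_pub=$(openssl x509 -in server.crt -inform DER -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in server.key -inform DER -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# usage: prepare <certificate file> <private key file>
prepare() {
    cert_to_der "$1" || { echo "cannot read certificate $1" >&2; return 1; }
    key_to_der "$2"  || { echo "cannot read private key $2" >&2; return 1; }
    pair_matches     || { echo "key does not match certificate" >&2; return 1; }
    echo "server.crt and server.key are ready to copy"
}

if [ "$#" -eq 2 ]; then prepare "$1" "$2"; fi
```

Saved under a name such as prepare.sh (hypothetical), it is run as sh prepare.sh cert.pem key.pem in the directory where server.crt and server.key should be written.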

Installing the Certificate & Key

Simply copy the server.key and server.crt files produced above into the Conseal Server install directory, and restart Conseal Server. (In Linux, run /etc/init.d/conseal restart. In Windows, open the service manager and restart the Conseal Server service).

Conseal Server will notice the new files and import them. Check its console log file for any errors.

The log line "Successfully added new key and certificate to store" indicates success.

Set the 'HTTPS' Option

In the Admin page, check the HTTPS option, change the port to 443 (the default port for HTTPS) and click Submit Changes. Conseal Server will begin serving HTTPS data on port 443 (you will have to change the address in your browser).

Finally...

Owing to the wide variety of types and formats of certificate, working with them can be difficult. We are here to help - just contact us if you are having difficulties.
