Conseal Server can serve its pages and support applications via secure HTTP (HTTPS). To enable this, you need to obtain a certificate and private key in the correct format, and then enable the HTTPS option. This page guides you through the process.
Part of the benefit of HTTPS is not only that it encrypts all communications, but also that it validates the identity of the server you're connecting to. This prevents an attacker from setting up his own server and claiming to be, for example, secure.consealsecurity.com.
The server proves its identity using a certificate which is obtained from a certifying authority such as VeriSign, Thawte or GlobalSign. If you do not already have a certificate, please contact one of these authorities (note: they are in no way affiliated with Conseal Security).
The certifying authority will guide you through the necessary steps, such as producing a private key and then a certificate signing request file. In all cases follow the steps needed to produce an HTTPS certificate (the same steps required to produce a certificate for any other web server such as Apache).
After obtaining a certificate, you should have 2 files: a certificate file and a private key. Conseal Server will need both.
The first step is to convert the certificate to the correct format. Certificates are usually in PEM format but will need to be converted to DER. To determine whether yours is in PEM format, view the certificate content. If it starts with the line -----BEGIN CERTIFICATE-----, then it is in PEM format. If it does not start with the BEGIN CERTIFICATE line, it is probably in DER format already and you should skip to the next section.
To convert the PEM format certificate to DER, run the following command (how to obtain 'openssl'):
openssl x509 -in cert.pem -inform PEM -out server.crt -outform DER
Replace "cert.pem" with the filename of your certificate. This will produce a file server.crt in the current directory.
As above, first determine the format of your private key file. If it is in PEM format, run the following command (how to obtain 'openssl'):
openssl pkcs8 -topk8 -nocrypt -in key.pem -inform PEM -out server.key -outform DER
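Replace "key.pem" with the filename of your private key. This will produce a file server.key in the current directory. Because of the -nocrypt option, server.key is not protected by a passphrase, so restrict who can read it.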
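Before copying the files, the two conversions above can be run together with a check that the private key actually belongs to the certificate. This is an added example, not part of Conseal's own tooling; the function names and the script name convert.sh are assumptions.

```shell
#!/bin/sh
# Added example (not Conseal's own tooling): produce server.crt and server.key
# as DER and confirm they are a matching pair. Function names are assumptions.

# True if FILE holds a PEM header whose type matches the given pattern.
is_pem() {
    grep -q -e "-----BEGIN $2-----" "$1"
}

# Write the certificate as DER, whether the input is PEM or already DER.
cert_to_der() {
    if is_pem "$1" "CERTIFICATE"; then fmt=PEM; else fmt=DER; fi
    openssl x509 -in "$1" -inform "$fmt" -out "$2" -outform DER
}

# Write the key as unencrypted PKCS#8 DER, then make it owner-readable only
# (assumption: the owner is the account that runs Conseal Server).
key_to_der() {
    if is_pem "$1" ".*PRIVATE KEY"; then fmt=PEM; else fmt=DER; fi
    openssl pkcs8 -topk8 -nocrypt -in "$1" -inform "$fmt" \
        -out "$2" -outform DER && chmod 600 "$2"
}

# Succeed only if the key's public half equals the certificate's public key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -inform DER -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -inform DER -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: convert_pair CERT KEY OUTDIR
convert_pair() {
    cert_to_der "$1" "$3/server.crt" || return 1
    key_to_der "$2" "$3/server.key" || return 1
    if pair_matches "$3/server.crt" "$3/server.key"; then
        echo "OK: server.key matches server.crt"
    else
        echo "ERROR: private key does not match certificate" >&2
        return 1
    fi
}

# Run only when called with three arguments, e.g.
#   sh convert.sh cert.pem key.pem /path/to/output
if [ "$#" -eq 3 ]; then convert_pair "$@"; fi
```

A mismatch reported here means the key file is not the one the certificate was issued for.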
Simply copy the server.key and server.crt files produced above into the Conseal Server install directory, and restart Conseal Server. (On Linux, run /etc/init.d/conseal restart. On Windows, open the service manager and restart the Conseal Server service.)
Conseal Server will notice the new files and import them. Check its console log file for any errors.
The log line "Successfully added new key and certificate to store" indicates success.
In the Admin page, check the HTTPS option, change the port to 443 (the default port for HTTPS) and click Submit Changes. Conseal Server will begin serving HTTPS data on port 443 (you will have to change the address in your browser).
Owing to the wide variety of types and formats of certificate, working with them can be difficult. We are here to help - just contact us if you are having difficulties.