DFMPro Blog


Enabling HTTPS Protocol for Web Servers

HTTPS is the HTTP protocol with encryption. HTTPS uses TLS (SSL) to encrypt normal HTTP requests and responses, making it more secure than HTTP. TLS uses public-key encryption, which is a method of encrypting data with two different keys: a public key and a private key.

DFMPro supports the HTTPS protocol for request and response communication between the client and the web server, although the default mode of communication is HTTP. HTTPS can be enabled using the following steps.

HTTPS requires the TLS/SSL certificate files for every server. The TLS/SSL certificates must be validated by a certificate authority (CA). These certificates can also be self-signed for internal use.

The following steps elucidate how to generate a self-signed certificate using OpenSSL.

  • Download and install OpenSSL
  1. Download and extract OpenSSL
    • Download OpenSSL from the following URL: https://www.openssl.org/source/
    • Extract the zip file
      • Before executing any openssl command, make sure to run it from the location ‘openssl-3\x64\bin’ within the extracted folder
  2. Copy the file ‘ca-cert.csr.cnf’ present in the Certs folder to ‘openssl-3\x64\bin’
  3. Set the path of openssl.cnf as an environment variable using the following command:

      set OPENSSL_CONF=C:\Users\name\Downloads\openssl-3.0.5\openssl-3\ssl\openssl.cnf

  4. The file openssl.cnf can be found in the folder ‘openssl-3\ssl’ inside the extracted openssl folder

 

  • Create CA key and cert file
  1. Open a Command Prompt application (cmd) and execute the following commands.

      openssl genrsa -out ca-cert.key 2048

      openssl req -x509 -new -nodes -key ca-cert.key -sha256 -days 3650 -out ca-cert.pem

  2. The following fields will need to be populated on the console.

      Example with sample data:

  • Country Name (2 letter code) [AU]: IN
  • State or Province Name (full name) [Some-State]: MH
  • Locality Name (e.g., city): Mumbai
  • Organization Name (eg, company): ABC Pvt Ltd.
  • Organizational Unit Name (e.g., section): PRODUCT1
  • Common Name (e.g., server FQDN or YOUR name): SERVER1
  • Email Address: OrgEmail@OrgName.com

 

  • Create Server key
  1. Open ca-cert.csr.cnf available in the Certs folder and fill in the required details.
  2. Open a Command Prompt application (cmd) and execute the following command.

      openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config ca-cert.csr.cnf

 

  • Create a Server cert file
  1. Open file v3.ext in the Certs folder and fill in the required details.
  2. Open a Command Prompt application (cmd) and execute the following command.

      openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-cert.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext

The following files will get generated using the above commands:

  • ca-cert.pem: The self-signed CA certificate that needs to be added to the Trusted Root Store of the client.
  • server.crt, server.key: These are the server certificate and key. They need to be generated for every server separately. These files must be kept in the Certs folder in the installed location.

P.S.: THE LOCATION OF THE CERTS FOLDER CAN DIFFER BASED ON THE APPLICATION. PLEASE REFER TO THE RESPECTIVE DOCUMENT FOR THE LOCATION OF THE FOLDER.
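The checks below are an added example, not part of the original DFMPro steps: a Command Prompt batch file that confirms the generated files fit together before they are deployed. It assumes it is run in the folder where the commands above were executed; the file name check-certs.bat and the temporary files crt.pub and key.pub are hypothetical, and the page does not show the contents of v3.ext, so the subjectAltName check only warns.

```batch
@echo off
rem Added example (hypothetical name: check-certs.bat), not part of the DFMPro kit.
rem Run it in the folder where the commands above were executed, so that
rem ca-cert.pem, server.crt, server.key and openssl are all reachable.
setlocal

rem 1. server.crt must chain to the CA that clients will import.
openssl verify -CAfile ca-cert.pem server.crt || goto :fail

rem 2. server.key must belong to server.crt: the public key derived
rem    from each file has to be identical.
openssl x509 -in server.crt -noout -pubkey > crt.pub || goto :fail
openssl pkey -in server.key -pubout > key.pub || goto :fail
fc crt.pub key.pub > nul || (echo server.key does not match server.crt& goto :fail)

rem 3. Modern TLS clients match the host name against subjectAltName
rem    rather than the Common Name. Assumption: v3.ext is where the SAN
rem    entries are set; the page does not show that file's contents.
openssl x509 -in server.crt -noout -ext subjectAltName | findstr /C:"DNS:" /C:"IP Address:"
if errorlevel 1 echo WARNING: server.crt has no DNS or IP subjectAltName entry.

rem 4. Print subject, issuer and validity window for the record.
openssl x509 -in server.crt -noout -subject -issuer -dates

del crt.pub key.pub
echo Certificate checks passed.
exit /b 0

:fail
del crt.pub key.pub 2>nul
echo Certificate check FAILED.
exit /b 1
```

Both ca-cert.key and server.key are written without a passphrase (genrsa with no cipher option, req with -nodes), so restrict their file permissions. ca-cert.key in particular can sign certificates that every client trusting ca-cert.pem will accept, and it does not need to be copied to the web server.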

  • Steps to install the CA cert on the client
  1. Win+R: Run >> MMC
  2. In the MMC window, go to File >> Add/Remove Snap-in
  3. Choose Certificates and click on Add.
  4. Choose Computer Account
  5. Select Local Computer
  6. Click on Finish, and then OK on the Add/Remove Snap-ins window
  7. In the Certificates node, go to Trusted Root Certification Authorities. Right click, All Tasks, Import.
  8. Browse to ca-cert.pem
  9. Select "Place all certificates in the following store", Next, and Finish.
  10. The CA certificate is now installed on the client machine. All server certificates generated using this CA will be recognized.

 
