
HTTPS and SSL Certificates

Nicolas HILAIRE edited this page Nov 3, 2016 · 21 revisions

Available for version >= 1.0.1 Beta



You can enable SSL so that Yadoms is reached over HTTPS instead of plain HTTP.

This encrypts all traffic between the web clients and your server, from your password to the state of your house, so that nobody on the network path can read or tamper with it.

Create a self-signed certificate

Such a certificate can be generated for free on your own computer and used as is (see https://en.wikipedia.org/wiki/Self-signed_certificate).

The main drawback of a self-signed certificate is that browsers refuse to load the site until you have added an exception for it, because no certification authority they trust vouches for it. The encryption itself is exactly as strong as with a certificate bought from a public CA; what you lose is the automatic identity check. So before you add the exception, compare the certificate fingerprint shown in the browser warning with the fingerprint of the certificate you generated yourself.

Online

You can generate a self-signed certificate for free online, for example at http://www.cert-depot.com/ Be aware that the private key is then created on that third party's server, which has held it before you have; if you want a key that only you have ever possessed, generate it locally instead (see the Linux section below).

Enter your common name and click on "Get certificate". This name is embedded in the certificate; use the host name (or IP address) under which you reach Yadoms, because browsers compare it with the address bar.

Enter any other information you want (it is optional).

The "validity period" is in days; when it expires the certificate has to be re-generated.

Save the "PFX file password": it protects the private key and cannot be retrieved afterwards.

Click on the button "Download KEY + PEM"; it downloads a zip file that contains two files:

  • xxxxxxx.public.pem : your certificate file. Set its path as server.certificateFile
  • xxxxxxx.private.pem : your private key file. Set its path as server.privateKeyFile

Extract these two files into your Yadoms configuration folder and fill in yadoms.ini like this:

[server]
useSSL=true

[openSSL]
;the certificate file
server.certificateFile = ${application.configDir}/xxxxxxx.public.pem
;the private key is provided as a file, its passphrase is read from options.password below
server.privateKeyPassphraseHandler.name = KeyFileHandler
;the private key file
server.privateKeyFile = ${application.configDir}/xxxxxxx.private.pem
;the passphrase protecting the private key (the "PFX file password" chosen above); keep yadoms.ini readable by the Yadoms user only
server.privateKeyPassphraseHandler.options.password = **password**
;no verification of client certificates (the server still presents its own certificate)
server.verificationMode = none

Linux

This is the procedure to create a certificate under Linux. A certificate generated on Linux works on any other system, Windows included.

  • Create a key file

Use at least 2048 bits: 1024-bit RSA is considered too weak today and many browsers refuse it. -des3 encrypts the key file with the passphrase you enter (-aes256 is also accepted and is the stronger choice).

$ openssl genrsa -des3 -out yadoms-server.key 2048
Generating RSA private key, 2048 bit long modulus
..++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for yadoms-server.key: (password)
Verifying - Enter pass phrase for yadoms-server.key: (password)

**Don't lose your passphrase, it cannot be recovered!**
  • Create a CA (Certification Authority) certificate file

This certificate will be used to sign your local certificate.

$ openssl req -new -x509 -days 365 -key yadoms-server.key > yadoms-server-ca.crt
Enter pass phrase for yadoms-server.key: (password)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XXXXXXX
Locality Name (eg, city) []:XXXXXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXXX
Organizational Unit Name (eg, section) []:XXXX
Common Name (e.g. server FQDN or YOUR name) []:(Common Name)
Email Address []:
  • Create a Certificate Signing Request (CSR) using the key file

The important information you will provide is the Common Name: enter the host name (or IP address) under which you reach Yadoms, because browsers compare it with the address bar. Write the request to a new .csr file; do not redirect it onto the key file, or the key is overwritten.

$ openssl req -new -key yadoms-server.key -out yadoms-server.csr
Enter pass phrase for yadoms-server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:XX
State or Province Name (full name) [Some-State]:XXXXXXXXXX
Locality Name (eg, city) []:XXXXXX
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXX
Organizational Unit Name (eg, section) []:XXX
Common Name (e.g. server FQDN or YOUR name) []:(CommonName)
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

This will generate your CSR file, yadoms-server.csr.

  • Sign your certificate request (CSR) with the CA certificate

Give a validity with -days: without it openssl x509 issues a certificate valid for 30 days only.

$ openssl x509 -req -days 365 -in yadoms-server.csr -out yadoms-server.crt -CA yadoms-server-ca.crt -CAkey yadoms-server.key -CAcreateserial -CAserial yadoms-server-ca.srl
Signature ok
subject=/C=XX/ST=XXXXXXXXXXXXX/L=XXXXXX/O=XXXX/OU=XXX/CN=commonName
Getting CA Private Key
Enter pass phrase for yadoms-server.key: (password)

This will generate your certificate, yadoms-server.crt.

Copy the .crt file and the .key file into the Yadoms configuration folder (the directory ${application.configDir} refers to in yadoms.ini, next to the Yadoms executable in a default install), and make the key file readable by the user running Yadoms only (chmod 600 yadoms-server.key).
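The whole Linux procedure above, plus the checks you would run before trusting the result, as an added example script (not code from the Yadoms project or from this wiki page). It produces the same artefacts in one step, an encrypted 2048-bit RSA key and a self-signed certificate, and goes one step beyond the page by adding a subjectAltName, which current browsers require in place of the Common Name alone. It then writes the [openSSL] entries this page describes into yadoms.ini, verifies that key and certificate belong together, and prints the SHA-256 fingerprint to compare with the browser warning. The host name yadoms.local, the passphrase, the target directory and the file names san.cnf and gen-yadoms-cert.sh are placeholders chosen for the example, not values from the page.

```shell
#!/bin/sh
# Added example, not part of the Yadoms project or this wiki page.
# Requires the openssl command line tool; everything else is POSIX sh.
set -eu

# gen_cert DIR HOST PASSPHRASE DAYS
# Creates DIR/yadoms-server.key (2048-bit RSA, AES-256 encrypted with PASSPHRASE)
# and DIR/yadoms-server.crt (self-signed, valid DAYS days, CN and SAN set to HOST).
gen_cert() {
  dir=$1; host=$2; pass=$3; days=$4
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/yadoms-server.key" 2048 2>/dev/null
  chmod 600 "$dir/yadoms-server.key"      # only the Yadoms user needs to read the key
  # A SAN must say whether the name is a DNS name or an IP address.
  case $host in
    *[!0-9.]*) san="DNS:$host" ;;          # contains something other than digits and dots
    *)         san="IP:$host"  ;;          # dotted digits only: treat as an IPv4 address
  esac
  # Minimal request config: prompt=no takes the DN from [dn], x509_extensions adds the SAN.
  cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = $san
EOF
  openssl req -new -x509 -days "$days" \
    -key "$dir/yadoms-server.key" -passin "pass:$pass" \
    -config "$dir/san.cnf" -out "$dir/yadoms-server.crt"
}

# fingerprint CERT: SHA-256 fingerprint, the value to compare with the browser warning
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# key_matches_cert KEY PASSPHRASE CERT: succeeds only if the public key inside the
# certificate is the one derived from KEY. A wrong passphrase or a mismatched pair
# fails here instead of when Yadoms tries to start.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$3" -noout -pubkey | openssl sha256)
  [ "$k" = "$c" ]
}

# check_presented EXPECTED_FP CERT: compare a certificate captured from the running
# server, for example with
#   openssl s_client -connect host:port </dev/null 2>/dev/null | openssl x509 > presented.crt
# against the fingerprint of the one you generated. A mismatch means you are not
# talking to your own Yadoms, or an old certificate is still installed.
check_presented() {
  [ "$(fingerprint "$2")" = "$1" ]
}

# write_ini DIR PASSPHRASE: emit the [server] and [openSSL] entries this page describes
write_ini() {
  cat > "$1/yadoms.ini" <<EOF
[server]
useSSL=true

[openSSL]
server.certificateFile = \${application.configDir}/yadoms-server.crt
server.privateKeyPassphraseHandler.name = KeyFileHandler
server.privateKeyFile = \${application.configDir}/yadoms-server.key
server.privateKeyPassphraseHandler.options.password = $2
server.verificationMode = none
EOF
  chmod 600 "$1/yadoms.ini"               # the ini now holds the key passphrase in clear
}

# Usage: sh gen-yadoms-cert.sh generate /path/to/yadoms-config yadoms.local 'passphrase'
if [ "${1:-}" = "generate" ]; then
  gen_cert "$2" "$3" "$4" 365
  key_matches_cert "$2/yadoms-server.key" "$4" "$2/yadoms-server.crt"
  write_ini "$2" "$4"
  echo "SHA-256 fingerprint to compare in the browser: $(fingerprint "$2/yadoms-server.crt")"
fi
```

The script keeps the page's single-key layout (one private key, one certificate) rather than the separate CA certificate of the procedure above, because with the same key on both sides the CA step adds no trust that the browser could check; the fingerprint comparison is what ties the exception you add in the browser to the file you generated.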

Configuration

Everything is done in the configuration file. Open yadoms.ini, set useSSL to true in the [server] section, then uncomment all options of the [openSSL] section and fill in the right values:

  • server.certificateFile: path to the .crt file
  • server.privateKeyPassphraseHandler.name: how the passphrase of the private key is supplied; KeyFileHandler means it is read from the options.password entry below
  • server.privateKeyFile: path to the .key file used to create the certificate
  • server.privateKeyPassphraseHandler.options.password: passphrase entered when the key was created
  • server.verificationMode: verification mode of the client certificate, if the client presents one (set it to none)

Example

yadoms.ini

[server]
useSSL=true

[openSSL]
;the certificate file
server.certificateFile = ${application.configDir}/server.crt
;the private key is provided as a file, its passphrase is read from options.password below
server.privateKeyPassphraseHandler.name = KeyFileHandler
;the private key file
server.privateKeyFile = ${application.configDir}/server.key
;the passphrase protecting the private key; keep yadoms.ini readable by the Yadoms user only
server.privateKeyPassphraseHandler.options.password = serverPass
;no verification of client certificates (the server still presents its own certificate)
server.verificationMode = none

server.key

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,45F1BBE28D0641F6

97MFDDfjhhkdhdoJFDfjovfVC145ddfdff12VDvfVFGDFGFDvfdFDFo/Fgfvxb/R
khJrpmXHWBP6vplXpPYSsvxQEtH9NRaUPFwBYRaPVkDaSPbcnPcwTHY7iNaGQh9Q
O2Sm2UQuLljwHCkIo5+7SkDaat/FtrM5EDKiacnHiLdE+Bz5sqiCBKk36UxGeD+L
...
idO77yMvQAOXNFc956eCWJjXi2yrfTCtB3CpUGlZ1RFG3afBgrTb1hImT0nr1OIx
wylnBaVzRm7h57YveKY1NJV51PuNvlsHS4wMQTOIx9EjSkMk5VP5AQ2Ikjq1sazF
1d0fgf5445fgHJHGffgfg14fgGHJhTNGH2RVvQW2Ms7Aj6N9H62d45Aw==
-----END RSA PRIVATE KEY-----

server.crt

-----BEGIN CERTIFICATE-----
MIISDDCCAZcCCQCG+gKZ7iXT8DANBgkqhkiG9w0BAQUFADBbMQswCQYDVQQGEwJG
UjELMAkGA1UECAwCUkgxDzANBgNVBAcMBlNveW9uczEMMAoGA1UECgwDTlNFMQsw
CQYDVQQLDAJCRTETMBEGA1UEAwwKZmlwc1NlcnZlcjAeFw0xNjA5MjYwOTU1MDFa
...
h8mEVD1Jv5OIvNppFyRXU1nGqdJVtRnDTAukywHr+9gMjymuVfGs8NYN4Lzp9YRX
E4ENdDFeWfg4gf5d6udMF4pRcYrlSXzIV546IuC1+EFDHv+cLKgAA==
-----END CERTIFICATE-----