SSL certificates are small data files that digitally bind a cryptographic key to an organization's information. SSL certificates allow secure connections (i.e. https connections) between SAFR Servers and other applications, such as SAFR components (e.g. SAFR Desktop Clients, SAFR Mobile Clients, etc.) or third-party applications (e.g. web browsers).
usage: configure-ssl.py [-h] [-d] [-g] [-p] [-c] [-v] [-q] [-f]

SAFR Self-Signed SSL Certificate Tool

optional arguments:
  -h, --help           show this help message and exit
  -d, --default-cert   Reset to the factory default SSL certificate and key.
  -g, --generate-cert  Generate a new SSL Self-Signed certificate and key.
  -p, --public-key     Display the current SSL certificate's public key.
  -c, --config         Only change certificates, do not stop or start services.
  -v, --verbose        Enable DEBUG level logging.
  -q, --quiet          Display only ERROR logs.
  -f, --force          Override warnings.
SAFR Platform installations automatically include self-signed SSL certificates with the installed SAFR Server. Because all newly installed SAFR Platforms use the same default self-signed SSL certificates, these certificates only provide moderate security, at best. To achieve highly secure network communications, we recommend that you replace the default self-signed SSL certificates either with custom generated self-signed SSL certificates or with standard SSL certificates obtained from a trusted certificate authority.
SAFR Server ships with a Python script, configure-ssl.py, which allows you to generate a unique self-signed SSL certificate. Do the following to generate and install the certificate:
python configure-ssl.py -g
Before you can install a standard SSL certificate (i.e. not self-signed) on your SAFR Server, you must first configure a Domain Name System (DNS) hostname for your server within your network domain.
To set up a DNS entry, you need a domain within which you can register hostnames. ICANN maintains a list of accredited registrars from which to choose.
The following is a list of common registrars:
Follow the processes on these websites to find, purchase, and configure your domain name. Most registrars offer the ability to host your DNS for you and most also give you a web interface for managing it.
The following links lead to instructions on how to modify DNS entries:
After you have your domain, you can create a DNS hostname entry for your SAFR Server.
DNS is a system that translates a hostname to a network IP address. For example, when a user types www.example.com into their browser, DNS servers resolve it to the IP address where the website is hosted.
To provide this translation, DNS requires an entry for each hostname. This entry typically takes the form of an A record (the A stands for "Address") which defines the hostname to IP address translation in DNS. An A record is the most basic type of syntax used in DNS records.
The following is an example of an A record:
safr.example.com A 12.34.56.78
DNS can be managed in numerous ways. This might be a text file or a web interface for configuring the DNS entries. If you are not sure, contact the person managing the domain name for your network.
You should use a static IP address. If you instead choose to use DHCP to get a dynamically assigned IP address, and your IP address happens to change, your DNS hostname entry will stop working until you update the entry.
The IP address should be the internal IP address of the computer running the SAFR Server. This should not be your public IP address because the public IP address usually points at your router, modem, or similar device. The internal IP address is the IP used locally by the computer. It can be determined by doing the following:
For Windows 10
Open a command prompt (cmd.exe).
Run ipconfig.
The IP address is listed as the IPv4 Address.
For macOS
Open System Preferences.
Open Network.
Click the active network connection (usually WiFi or Ethernet).
The IP address is displayed in the dialog.
After you have configured a DNS hostname for your primary server, you can now install a standard (i.e. not self-signed) SSL certificate.
SSL certificates need to be issued from either a trusted certificate authority or from an accredited domain registrar.
Browsers, operating systems, and mobile devices maintain lists of trusted certificate authority root certificates, which must be present on a computer for it to trust the certificate.
The following is a list of popular certificate authorities from which you can obtain an SSL certificate:
Go to ICANN for a complete list of accredited domain registrars.
Because SAFR uses Apache as its web server, request SSL certificate files for Apache web server. You will receive the following three files SAFR uses to configure the Apache web server:
Do the following to configure Apache to serve the request over HTTPS:
Log in to your primary server.
It is recommended that you make a backup of the default SSL files and save them in case you need to perform a rollback to the earlier version.
On macOS:
/etc/apache2/ssl/SAFR.key
/etc/apache2/ssl/SAFR.crt
On Windows:
C:\Program Files\RealNetworks\SAFR\httpd\conf\ssl\SAFR.key
C:\Program Files\RealNetworks\SAFR\httpd\conf\ssl\SAFR.crt
On Linux:
/opt/RealNetworks/SAFR/httpd/ssl/SAFR.key
/opt/RealNetworks/SAFR/httpd/ssl/SAFR.crt
Upload the certificate-related files to the SSL certificate folder:
Private.a key file
Change the names of the following files:
If your certificate authority provided an intermediate certificate chain, do the following:
On macOS:
/etc/apache2/ssl/SAFR-ca.crt
On Windows:
C:\Program Files\RealNetworks\SAFR\httpd\conf\ssl\SAFR-ca.crt
On Linux:
/opt/RealNetworks/SAFR/httpd/ssl/SAFR-ca.crt
SAFR-ssl-cert.inc file to connect your SSL certificate to the certificate chain.
On macOS:
/etc/apache2/other/SAFR-ssl-cert.inc
#Define ssl_certificate_chain_file "/private/etc/apache2/ssl/SAFR-ca.crt"
On Windows:
C:\Program Files\RealNetworks\SAFR\httpd\conf\ssl\SAFR-ca.crt
#Define ssl_certificate_chain_file "conf/ssl/SAFR-ca.crt"
On Linux:
/opt/RealNetworks/SAFR/httpd/ssl/SAFR-ca.crt
#Define ssl_certificate_chain_file "/opt/RealNetworks/SAFR/httpd/ssl/SAFR-ca.crt"
Certificate file mappings
Certificate file | Certificate file in SAFR |
---|---|
*.domainname.key | SAFR.key |
*.domainname_chain.crt | SAFR-ca.crt |
*.domainname_public.crt | SAFR.crt |
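The backup, upload and rename steps above can be combined with two pre-flight checks, shown here as an added example that is not part of the SAFR tooling: it confirms the private key matches the certificate and that the certificate verifies against the chain file before any file is overwritten. It assumes a macOS or Linux server with the openssl command-line tool; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not SAFR's own tooling): check CA-issued files, back up the
# current ones, then install them under the SAFR names from the mapping table.

# True when the private key and the certificate carry the same public key.
key_matches_cert() {  # $1 = private key, $2 = certificate
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate verifies against the chain file (issuer present,
# validity dates OK). -partial_chain lets an intermediate act as the anchor,
# so this checks the files belong together, not that clients trust the root.
chain_issued_cert() {  # $1 = chain file, $2 = certificate
  openssl verify -partial_chain -CAfile "$1" "$2" >/dev/null 2>&1
}

# install_safr_certs SSL_DIR KEY CERT [CHAIN]  (hypothetical helper)
# SSL_DIR is the SSL folder for your platform, e.g. /opt/RealNetworks/SAFR/httpd/ssl
# Prints the backup directory on success; returns 2 or 3 if a check fails.
install_safr_certs() {
  local ssl_dir="$1" key="$2" cert="$3" chain="${4:-}" backup f
  key_matches_cert "$key" "$cert" ||
    { echo "private key does not match certificate" >&2; return 2; }
  if [ -n "$chain" ] && ! chain_issued_cert "$chain" "$cert"; then
    echo "certificate does not verify against the chain file" >&2; return 3
  fi
  # Keep the current files for rollback before overwriting anything.
  backup="$ssl_dir/backup-$(date +%Y%m%d%H%M%S)"
  mkdir -p "$backup" && chmod 700 "$backup" || return 4
  for f in SAFR.key SAFR.crt SAFR-ca.crt; do
    if [ -f "$ssl_dir/$f" ]; then cp -p "$ssl_dir/$f" "$backup/$f" || return 4; fi
  done
  # Rename on copy: *.key -> SAFR.key, *_public.crt -> SAFR.crt,
  # *_chain.crt -> SAFR-ca.crt. Overwriting an existing file keeps its mode.
  cp "$key" "$ssl_dir/SAFR.key" || return 4
  cp "$cert" "$ssl_dir/SAFR.crt" || return 4
  if [ -n "$chain" ]; then cp "$chain" "$ssl_dir/SAFR-ca.crt" || return 4; fi
  echo "$backup"
}
```

Source the file and call install_safr_certs as a user that can write to the SSL folder; a failed check leaves the existing files untouched.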
Run the SAFR reconfigure script, as described below.
/Library/RealNetworks/SAFR/bin/reconfigure hostname.domain.com
"C:\Program Files\RealNetworks\SAFR\bin\reconfigure.bat"
Open a Terminal window. Run the following command after replacing hostname.domain.com with your hostname and domain:
/opt/RealNetworks/SAFR/bin/reconfigure hostname.domain.com
Click Yes when prompted by User Account Control.
Verify that your services are running and your SSL certificate is properly installed by opening a browser and opening https://hostname.domain.com:8085/health. (Replace hostname.domain.com with your hostname and domain.)
You should receive the following message:
{ "status" : "up" }