Creating an SSL/TLS certificate for HTTPS
YSoft SafeQ Job Service and YSoft SafeQ Client v3 in Server mode require an SSL/TLS certificate to secure the connection. You can use one of the following ways to create the certificate.
Creating a self-signed SSL/TLS certificate
You can create a self-signed SSL/TLS certificate in PKCS #12 format by using the New-SelfSignedCertificate cmdlet in PowerShell.
Self-signed certificates are not trusted by operating systems by default. If you really want to use a self-signed certificate, it must be imported into the certificate store of every operating system that hosts an application which is required to trust the certificate.
How to create a self-signed SSL/TLS certificate
1. Open PowerShell.
2. In the following script, replace FQDN with the Fully Qualified Domain Name of your server (if you want to supply multiple FQDNs, separate them with commas).
New-SelfSignedCertificate -DnsName FQDN -CertStoreLocation cert:\LocalMachine\My
3. Run the script (it generates the self-signed certificate and imports it into the LocalMachine\My certificate store).
4. Copy the Thumbprint of the generated certificate.
5. Create a password that will be used for the exported PKCS #12 certificate by running the following command (replace "123456" with your password!).
$CertPassword = ConvertTo-SecureString -String "123456" -Force -AsPlainText
6. Export the certificate from the certificate store by running the following command (replace CertificateThumbprint with the Thumbprint that you copied in step 4 and C:\certificate.pfx with the path where you want to export the certificate).
Export-PfxCertificate -Cert cert:\LocalMachine\My\CertificateThumbprint -FilePath C:\certificate.pfx -Password $CertPassword
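The following script is an added example, not part of the YSoft documentation: it runs the whole self-signed procedure above in one go for several FQDNs, verifies the exported PKCS #12 file, and shows the client-side trust import that the section intro requires. The FQDNs and file paths are placeholders, the password is prompted for rather than typed into the script, and the -KeyLength, -NotAfter and -KeyExportPolicy parameters assume Windows 10 / Windows Server 2016 or later.

```powershell
# Added example (not part of the YSoft documentation): create a self-signed TLS certificate for
# several FQDNs, export it as PKCS #12, verify the export, and show the client-side trust import.
# Assumptions: Windows 10 / Server 2016 or later (for -KeyLength, -NotAfter, -KeyExportPolicy);
# the FQDNs and paths below are placeholders. Run in an elevated PowerShell session.
$DnsNames = @('safeq.example.com', 'print.example.com')   # placeholder FQDNs; the first one becomes the CN
$PfxPath  = 'C:\certificate.pfx'                           # private key + certificate, for the YSoft service
$CerPath  = 'C:\certificate.cer'                           # public certificate only, for client machines

# 1. Generate the key pair and certificate directly in the machine store.
#    Key size and validity are made explicit instead of relying on cmdlet defaults.
$cert = New-SelfSignedCertificate -DnsName $DnsNames `
    -CertStoreLocation 'cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1)

# 2. Ask for the export password interactively so it never lands in a script file or shell history.
$CertPassword = Read-Host -Prompt 'Password for the exported PFX' -AsSecureString

# 3. Export the PKCS #12 bundle (what Job Service / Client v3 in Server mode consumes) ...
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $CertPassword | Out-Null
#    ... and the DER-encoded public certificate (no private key) for distribution to clients.
Export-Certificate -Cert $cert -FilePath $CerPath | Out-Null

# 4. Re-open the PFX and check that it is the certificate we generated, still carries the
#    private key, and lists every FQDN in its Subject Alternative Name extension (OID 2.5.29.17).
$loaded = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxPath, $CertPassword)
if ($loaded.Thumbprint -ne $cert.Thumbprint) { throw 'Exported PFX does not match the generated certificate' }
if (-not $loaded.HasPrivateKey)               { throw 'Exported PFX does not contain the private key' }
$san = ($loaded.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
foreach ($name in $DnsNames) {
    if ($san -notmatch [regex]::Escape($name)) { throw "SAN extension is missing $name" }
}
Write-Host ("OK: {0}, thumbprint {1}, valid until {2:u}" -f $loaded.Subject, $loaded.Thumbprint, $loaded.NotAfter)

# 5. On each client machine that must trust this self-signed certificate, import only the public
#    .cer into the machine's Trusted Root store (never the .pfx, which would hand out the private key):
#    Import-Certificate -FilePath 'C:\certificate.cer' -CertStoreLocation 'cert:\LocalMachine\Root'
```

The verification step matters because the manual procedure copies a thumbprint by hand: re-loading the .pfx with the same password proves that the file the service will use matches the certificate in the store, that the private key was actually exported, and that every name clients will connect with is present in the SAN extension (browsers and modern TLS stacks ignore the CN).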
Requesting an SSL/TLS certificate using a Certificate Signing Request (CSR)
You can create a Certificate Signing Request using the certreq tool in Windows. certreq requires a configuration file which describes the requested certificate.
The generated Certificate Signing Request is sent to the certificate authority, which creates and signs the certificate. The entity that manages the certificate authority should send you back a certificate in PKCS #12 format (.pfx file).
How to create a Certificate Signing Request (CSR) with certreq tool
1. Store the following configuration in the settings.inf file (the certreq settings file):
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=ServerFQDN; O=OrganizationName; L=Location; C=CountryCode"
; Replace ServerFQDN with the Fully Qualified Domain Name of the server where YSoft SafeQ services will be installed.
; Replace OrganizationName with the organization name
; Replace Location with the location
; Replace CountryCode with the ISO-3166-2 Country Code https://en.wikipedia.org/wiki/ISO_3166-2
; Example: "CN=safeq.ysoft.com; O=YSoft Corporation, a.s.; L=Brno; C=CZ"
X500NameFlags = 0x40000000
KeySpec = 1
KeyLength = 2048
; KeyLength is usually chosen from 2048, 3072, or 4096.
HashAlgorithm = SHA256
; Algorithms earlier than SHA-2 are not secure and should not be used.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; 0xa0 = digitalSignature (0x80) + keyEncipherment (0x20)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for server TLS (serverAuth)

; If you want to supply multiple Fully Qualified Domain Names, you can do it using Subject Alternative Names in the certificate.
; To include those in the Certificate Signing Request, uncomment the following lines (remove '; ' from the beginning) and add every FQDN as a separate '_continue_' record.
;
; [Extensions]
; 2.5.29.17 = "{text}"
; _continue_ = "dns=FQDN1&"
; _continue_ = "dns=FQDN2&"
; _continue_ = "dns=FQDN3&"
2. Replace the values in Subject with your own values.
3. (optional) If you need to supply multiple FQDNs, you can do so by editing the [Extensions] section of the configuration. For more information see certreq | Microsoft Docs.
4. Run the following command in PowerShell. It will open a file picking dialog.
certreq -new
5. Select the settings.inf file in the dialog.
6. Now select a location where the Certificate Signing Request will be stored. You can store it e.g. as a certificate.req file.
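The script below is an added example, not part of the YSoft documentation or of certreq itself. It generates settings.inf from a list of FQDNs (filling in the [Extensions] section from step 3 automatically), runs certreq non-interactively by passing the input and output paths on the command line instead of using the file dialog, and then decodes the resulting CSR with certutil to confirm what will actually be sent to the CA. The FQDNs, organisation fields and paths are placeholders, and the certutil output strings it matches on ("DNS Name=", "Public Key Length", "sha256") are assumed from current Windows builds.

```powershell
# Added example (not from the YSoft documentation): build settings.inf for several FQDNs,
# create the CSR without the file dialog, and verify the request before sending it to the CA.
# Placeholders: the FQDNs, organisation fields and output paths. Run in an elevated PowerShell,
# because MachineKeySet = TRUE stores the private key under LocalMachine.
$Fqdns   = @('safeq.example.com', 'print.example.com')      # placeholder names; first one is the CN
$Subject = "CN=$($Fqdns[0]); O=Example Corp; L=Brno; C=CZ"   # placeholder organisation values
$InfPath = Join-Path $PWD 'settings.inf'
$ReqPath = Join-Path $PWD 'certificate.req'

# Every FQDN becomes one _continue_ record in the Subject Alternative Name extension (2.5.29.17).
$sanLines = ($Fqdns | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# Same settings as the documented file; only Subject and the SAN records are generated.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
X500NameFlags = 0x40000000
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$sanLines
"@
Set-Content -Path $InfPath -Value $inf -Encoding ASCII

# certreq -new accepts the input .inf and output .req as arguments, so no dialog is shown.
& certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Decode the CSR and check names, key size and signature hash before it leaves the machine.
# The matched strings are assumed from certutil's current output format.
$dump = & certutil.exe -dump $ReqPath | Out-String
foreach ($name in $Fqdns) {
    if ($dump -notmatch "DNS Name=$([regex]::Escape($name))") { throw "CSR is missing SAN entry $name" }
}
if ($dump -notmatch 'Public Key Length: 2048 bits') { throw 'CSR does not carry a 2048-bit key' }
if ($dump -notmatch 'sha256')                       { throw 'CSR is not signed with SHA-256' }
Write-Host "CSR written to $ReqPath and verified; submit it to the certificate authority."
```

Checking the request before submission catches the two mistakes a CA cannot fix for you: a missing SAN entry (the CA signs what it receives) and a weak key or hash carried over from an old template. If the CA returns only the signed certificate (.cer) rather than a .pfx, `certreq -accept signed.cer` installs it against the pending request's private key in LocalMachine\My, after which Export-PfxCertificate produces the PKCS #12 file exactly as in the self-signed procedure above.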