Setting up HTTPS

YSoft SafeQ Job Service and YSoft SafeQ Client v3 in Spooler mode can be configured to communicate over HTTPS.

Setting up YSoft SafeQ Job Service

There are three ways to set up YSoft SafeQ Job Service to use HTTPS. You can either:

  1. Run the install script without providing a certificate, which will generate a self-signed certificate and use that. This self-signed certificate is automatically imported into the certificate store.

  2. Provide a PKCS #12 certificate with a private key (.pfx file) during installation.

  3. Install YSoft SafeQ Job Service without providing a certificate and later configure it to use a certificate from the certificate store.

Using self-signed certificate created automatically during installation

If you want to install YSoft SafeQ Job Service with a self-signed certificate that is generated during installation, omit HttpsCertificatePath and HttpsCertificatePassword when running the install script. For example:

.\install.ps1 `
-SpocAddress SPOC_IP `
-NrgAddresses SITE_SERVER_1,SITE_SERVER_2,SITE_SERVER_3 `
-SigningCertificatePath "PATH_TO_SIGNING_CERTIFICATE" `
-SigningCertificatePassword SIGNING_CERTIFICATE_PASSWORD

Providing a PKCS #12 (.pfx file) during installation

You can supply the certificate by passing the path to the .pfx file in HttpsCertificatePath and its password in HttpsCertificatePassword.

.\install.ps1 `
-SpocAddress SPOC_IP `
-NrgAddresses SITE_SERVER_1,SITE_SERVER_2,SITE_SERVER_3 `
-SigningCertificatePath "PATH_TO_SIGNING_CERTIFICATE" `
-SigningCertificatePassword SIGNING_CERTIFICATE_PASSWORD `
-HttpsCertificatePath "PATH_TO_SSL_TLS_CERTIFICATE" `
-HttpsCertificatePassword SSL_TLS_CERTIFICATE_PASSWORD

Configuring YSoft SafeQ Job Service to use a certificate from the certificate store

Once you install YSoft SafeQ Job Service, it will either generate a self-signed certificate or use the one provided during installation and import it into the certificate store. If you want to reconfigure this certificate, you can do so by changing the HttpServerOptions:CertificateOptions section (see below) in the configuration file of the YSoft SafeQ Job Service (configuration/local.json).

{
  ...
  "HttpServerOptions": {
    "CertificateOptions": {
      "Thumbprint": "CERTIFICATE THUMBPRINT",
      "StoreName": "CERTIFICATE STORE NAME: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople or TrustedPublisher",
      "StoreLocation": "CERTIFICATE STORE LOCATION: CurrentUser or LocalMachine"
    }
  }
  ...
}

Setting up YSoft SafeQ Client v3 in Server mode

There are two ways to set up YSoft SafeQ Client v3 in Server mode to use HTTPS. You can either provide a certificate during installation or reconfigure the certificate after installation.

Providing a certificate configuration during installation

You can provide the certificate location during installation by using the HttpsCertificateStoreLocation, HttpsCertificateStoreName and HttpsCertificateThumbprint parameters, as shown below.

.\install.ps1 `
-SiteServerHosts "localhost" `
-SpoolerMode "Server" `
-HttpsCertificateStoreLocation "LocalMachine" `
-HttpsCertificateStoreName "My" `
-HttpsCertificateThumbprint "2E69C921F3F417C176A299F1CC9A163FC925C019"

Configuring YSoft SafeQ Client v3 in Spooler mode to use a certificate from the certificate store after it was already installed

If you want to reconfigure YSoft SafeQ Client v3 in Spooler mode to use a different certificate than the one provided during installation, you can do so by changing the HttpServerOptions:CertificateOptions section (see below) in the configuration file of the YSoft SafeQ Client v3 in Spooler mode (versions/latest/configuration/local.json).

{
  ...
  "HttpServerOptions": {
    "CertificateOptions": {
      "Thumbprint": "CERTIFICATE THUMBPRINT",
      "StoreName": "CERTIFICATE STORE NAME: AddressBook, AuthRoot, CertificateAuthority, Disallowed, My, Root, TrustedPeople or TrustedPublisher",
      "StoreLocation": "CERTIFICATE STORE LOCATION: CurrentUser or LocalMachine"
    }
  }
  ...
}
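
Before writing a thumbprint into either CertificateOptions section (Job Service or Client v3), it helps to confirm that the certificate actually exists in the named store and is usable for a TLS server. The following is an added example, not part of the YSoft SafeQ scripts: Test-HttpsCertificate is a hypothetical helper name, and the checks (private key present, validity period, Server Authentication EKU) are general TLS server certificate requirements assumed here rather than documented product behaviour.

```powershell
# Added example: validate a certificate before referencing it in local.json.
# Test-HttpsCertificate is a hypothetical helper, not part of YSoft SafeQ.
function Test-HttpsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [ValidateSet('AddressBook','AuthRoot','CertificateAuthority','Disallowed',
                     'My','Root','TrustedPeople','TrustedPublisher')]
        [string] $StoreName = 'My',
        [ValidateSet('CurrentUser','LocalMachine')]
        [string] $StoreLocation = 'LocalMachine'
    )
    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character; keep hex digits only.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw 'Thumbprint is not 40 hex characters (SHA-1).' }

    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new($StoreName, $StoreLocation)
    $store.Open('ReadOnly')
    try {
        $cert = $store.Certificates | Where-Object Thumbprint -eq $clean | Select-Object -First 1
    } finally { $store.Close() }
    if (-not $cert) { throw "No certificate $clean found in $StoreLocation\$StoreName." }

    $problems = @()
    $now = Get-Date
    if (-not $cert.HasPrivateKey) { $problems += 'no private key in the store' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "outside validity period ($($cert.NotBefore) - $($cert.NotAfter))"
    }
    # A certificate without an EKU extension is valid for any purpose.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and (($eku.EnhancedKeyUsages | ForEach-Object Value) -notcontains '1.3.6.1.5.5.7.3.1')) {
        $problems += 'EKU present but lacks Server Authentication'
    }

    [pscustomobject]@{
        Thumbprint    = $clean            # value to paste into "Thumbprint"
        StoreName     = $StoreName        # value for "StoreName"
        StoreLocation = $StoreLocation    # value for "StoreLocation"
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)  # clients must trust it explicitly
        Problems      = $problems
    }
}

# Thumbprint taken from the install example on this page; replace with your own.
Test-HttpsCertificate -Thumbprint '2E69C921F3F417C176A299F1CC9A163FC925C019'
```

An empty Problems list means the three values can be copied into CertificateOptions as returned. A LocalMachine private key must also be readable by the account the service runs under, which this check does not cover.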