Set Up SSL Encryption
If you require that communications between your MobileTogether Server and MobileTogether Client devices are encrypted using the SSL protocol (current versions of the protocol are called TLS; this documentation keeps the familiar name SSL), you will need to:
•Generate an SSL private key and create an SSL public key certificate file
•Set up MobileTogether Server for SSL communication.
The steps to do this are listed below.
MobileTogether uses the open-source OpenSSL toolkit to manage SSL encryption. The steps listed below, therefore, need to be carried out on a computer on which OpenSSL is available. OpenSSL typically comes pre-installed on most Linux distributions and on macOS machines. It can also be installed on Windows computers. For download links to installer binaries, see the OpenSSL Wiki.
1.Generate a private key
SSL requires that a private key is installed on MobileTogether Server. The server uses this key during the SSL/TLS handshake to prove its identity to the client apps and to establish the session keys that then encrypt the data exchanged with them; the private key itself is never transmitted. To create the private key, use the following OpenSSL command: openssl genrsa -out private.key 2048
This creates a file called private.key, which contains your private key. Note where you save the file, and restrict access to it so that only the server administrator can read it: anyone who obtains this file can impersonate your server to the client apps. Never send it to the certificate authority or to anyone else. You will need the private key for the following: (i) to generate the Certificate Signing Request (CSR), see Step 2 below; (ii) to be installed on MobileTogether Server (see Step 8 below).
2.Certificate Signing Requests (CSRs)
A Certificate Signing Request (CSR) is sent to a certificate authority (CA), such as DigiCert or Thawte, to request a public key certificate. The CSR contains the public key that corresponds to your private key (created in Step 1 above) together with information about your organization, and it is signed with the private key so that the CA can confirm that the two belong together. Only the CSR is sent to the CA; the private key stays on your computer. Create a CSR with the following OpenSSL command (which provides, as one of its parameters, the private-key file, private.key, that was created in Step 1): openssl req -new -nodes -key private.key -out my.csr
The -nodes option only affects key generation and has no effect here, because an existing key is supplied; it is harmless to include it.
During generation of the CSR you will need to give information about your organization, such as that listed below. This information will be used by the certificate authority to verify your company's identity.
•Country (the two-letter country code)
•Locality (the city where your business is located)
•Organization (your company name). Do not use special characters; these will invalidate your certificate
•Common Name (the DNS name of your server). This must exactly match your server's official name, that is, the DNS name client apps will use to connect to the server. Client apps validate the certificate against the name they connect to, so a certificate issued for any other name will not be accepted
•A challenge password. Keep this entry blank! This is an optional legacy field that is not used by MobileTogether Server
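The following shell script is an added example (it is not part of the MobileTogether documentation or of Altova's tooling). It performs Steps 1 and 2 without interactive prompts and then runs the checks worth doing before the CSR is pasted into a CA's order form: that the key really is 2048 bits, that the file is readable only by its owner, that the Common Name is the intended DNS name, and that the CSR's self-signature verifies (which proves it was produced with the key next to it). It also puts the host name into a Subject Alternative Name extension, because modern TLS client libraries match the server name against the SAN rather than the Common Name. The script assumes OpenSSL 1.1.1 or later (for -addext); the host name mt.example.com, the organisation Example GmbH and the country AT are placeholders.

```shell
#!/bin/sh
# Added example, not part of the MobileTogether documentation.
# Assumes OpenSSL >= 1.1.1 (needed for -addext). The host name, organisation
# and country used in the demo call at the bottom are placeholders.
set -eu

# Steps 1 and 2 without interactive prompts.
# $1 = output directory, $2 = server DNS name (the Common Name),
# $3 = organisation, $4 = two-letter country code
make_key_and_csr() {
    (
        # umask 077 makes OpenSSL create private.key as 0600 from the start,
        # so there is no window in which the key is readable by other users.
        umask 077
        openssl genrsa -out "$1/private.key" 2048 2>/dev/null
    )
    # -subj replaces the interactive prompts (the challenge password stays unset).
    # The SAN extension repeats the host name: TLS clients check the SAN, not the CN.
    openssl req -new -key "$1/private.key" -out "$1/my.csr" \
        -subj "/C=$4/O=$3/CN=$2" \
        -addext "subjectAltName=DNS:$2"
}

# --- checks to run before sending my.csr to the CA ---

# Subject of the CSR, e.g. "C = AT, O = Example GmbH, CN = mt.example.com"
csr_subject() {
    openssl req -in "$1" -noout -subject | sed 's/^subject= *//'
}

# Succeeds if the CSR requests a DNS Subject Alternative Name equal to $2.
csr_has_dns_san() {
    openssl req -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeeds if the CSR's self-signature verifies, i.e. it was made with the
# private key it claims and has not been altered since.
csr_signature_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# RSA modulus size of the private key in bits (CAs reject anything under 2048).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Demo run with placeholder values in a temporary directory; for a real server
# point it at the directory in which you keep private.key.
demo_dir=$(mktemp -d)
make_key_and_csr "$demo_dir" mt.example.com "Example GmbH" AT
csr_subject "$demo_dir/my.csr"
```

Paste the contents of my.csr into the order form only after csr_signature_ok succeeds; private.key stays where it is.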
3.Purchase an SSL certificate
Purchase an SSL certificate from a recognized certificate authority (CA), such as DigiCert or Thawte. For the rest of these instructions, we follow the DigiCert procedure. The procedure with other CAs is similar.
•Go to the DigiCert website.
•Buy an SSL certificate. Different types of SSL certificates are available. For MobileTogether Server, Basic SSL or Secure Site SSL certificates are sufficient. EV (extended validation) is not necessary, since there is no "green address bar" for users to see in MobileTogether Server.
•Proceed through the sign-up process, and fill in the information required to place your order.
•When prompted for the CSR (created in Step 2), copy and paste the content of the my.csr file into the order form. Only the CSR is submitted; never upload or paste the private key.
•Pay for the certificate with your credit card.
4.Complete the CA's validation process
Your certificate authority will complete the enrollment process over the next two to three business days. During this time you might get emails or phone calls to check whether you are authorized to request an SSL certificate for your DNS domain. Please work with the authority to complete the process.
After the authorization and enrollment process has been completed, you will get an email containing your signed certificate (the public key certificate, which holds your server's public key together with the CA's signature). The certificate will be in plain text form or attached as a .pem file or .cer file.
5.Save the certificate as a .pem file
For use with MobileTogether Server, the certificate must be saved in a .pem file, that is, in Base64-encoded text form. If the certificate was supplied as text, copy-paste all the lines from
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
(including the BEGIN and END lines themselves) into a text file that we will call mycertificate.pem. A .pem attachment can be renamed to mycertificate.pem as it is. A .cer attachment may be either text in the same form or binary (DER-encoded); if it does not open as text with a BEGIN CERTIFICATE line, convert it to PEM format with OpenSSL's x509 command (input format DER) before continuing.
6.Save CA's intermediate certificate/s to file
Client apps only trust a certificate if they can follow a chain of signatures from it up to a root certificate they already hold. Your certificate is not signed by the root directly but by one or more intermediate CA certificates, so to complete your SSL certificate you will need two additional certificates: the primary and secondary intermediate certificates. Your certificate authority (CA) will either list the content of the intermediate certificates on its website or enable you to download the certificates. In some cases, there will be only one intermediate certificate. The root certificate itself is not needed: client devices already have it in their trust store. If you are given an option regarding the format of the file, choose the .pem format, which is a Base64-encoded format.
Copy-paste both intermediate certificates (primary and secondary) into separate text files and save them on your computer. Alternatively, if you have only one intermediate certificate, save this to a single file.
7.Combine certificates in one public key certificate file
You now have three certificate files:
•Your own public key certificate (mycertificate.pem), created in Step 5.
•Secondary intermediate certificate, obtained in Step 6.
•Primary intermediate certificate, obtained in Step 6.
Note: Alternatively, you might have only one intermediate certificate file.
Each file contains a text block bracketed by lines that look like this: -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Now copy-paste all three (or two) certificates into one file so that they are in sequence. The order of the sequence is important: (i) your own certificate, (ii) the secondary intermediate certificate, (iii) the primary intermediate certificate. In other words, each certificate is followed by the certificate of the CA that signed it, working upwards from your own certificate; the server sends the file to the client apps exactly in this order. Ensure that there are no blank lines or other text between the certificates. The result looks like this:
-----BEGIN CERTIFICATE-----
(your certificate from mycertificate.pem, see Step 5)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(secondary intermediate certificate, see Step 6)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(primary intermediate certificate, see Step 6)
-----END CERTIFICATE-----
Save the resulting combined certificate text to a file named publickey.pem. This is the public key certificate file of your SSL certificate. It includes your public key certificate as well as the complete chain of trust in the form of the intermediate certificate/s that were used by the CA to sign your certificate. The public key certificate file will be installed on MobileTogether Server together with the private key (see Step 8).
8.Install SSL certificate on MobileTogether Server
The SSL certificate is installed from the following two files:
•private.key: Contains the private key (created in Step 1). This is not a certificate and must be kept confidential.
•publickey.pem: Contains your public key certificate followed by the CA's intermediate certificate/s (see Step 7). This file contains no secrets.
To install the SSL certificate on MobileTogether Server, do the following:
•Log in to the MobileTogether Server UI (by default on port 8085 of your server). Because the private key is uploaded through this UI, do this from the server itself or over a network connection you trust, not across an untrusted network.
•Go to the Settings tab.
•Under SSL Certificates (see screenshot below), upload the two files:
    - For the private key, select private.key (created in Step 1)
    - For the certificate, select publickey.pem (created in Step 7)
•Click Save at the bottom of the General Settings section to save your changes.
9.Set the HTTPS port
After installing the SSL certificate, you can specify a server port for SSL client communication. Do this as follows:
•Log in to the MobileTogether Server UI (by default on port 8085 of your server).
•Go to the Settings tab.
•Under Mobile Client Ports (see screenshot below), enable and specify the HTTPS port. Make sure that any firewall is set up to allow access to MobileTogether Server through the HTTPS port.
10.Test the HTTPS connection
You can now use any SSL testing tool (for example OpenSSL's s_client command, or an online SSL checker pointed at your server's public DNS name) to check whether secure communication with your server via HTTPS is working properly. This will tell you: (i) whether the public key certificate file was properly constructed with the intermediate trust chain in Step 7, so that the chain of trust reaches a root certificate the clients trust; (ii) whether the name in the certificate matches the DNS name the client apps will use; and (iii) whether your server can be reached properly through the firewall. A report of an incomplete chain or an unknown issuer usually means that the intermediate certificates in Step 7 are missing or in the wrong order.
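The following shell script is an added example for Steps 7 and 10 (it is not part of the MobileTogether documentation or of Altova's tooling). It assembles publickey.pem in the order Step 7 prescribes and then runs the three checks you want before uploading the file: that the first certificate carries the public key belonging to private.key, that every certificate is followed by its issuer, and that the chain verifies up to a trust anchor. It then performs the Step 10 handshake test locally: openssl s_server stands in for the MobileTogether HTTPS port and is given exactly the two uploaded files, and openssl s_client is run against it the way you would run it against the real server. Because this must run offline, the root, primary, secondary and server certificates are a constructed toy hierarchy generated by the script itself, standing in for the files your CA provides; mt.example.com is a placeholder host name. Note that the order check is needed because openssl verify builds its own chain from whatever certificates it is given and therefore does not notice a wrongly ordered file, whereas a server sends the file as it is.

```shell
#!/bin/sh
# Added example, not part of the MobileTogether documentation.
# Step 7 (assemble and check publickey.pem) and Step 10 (handshake test).
# The root / primary / secondary / server certificates are a CONSTRUCTED toy
# hierarchy made here with OpenSSL, standing in for the files your CA sends;
# mt.example.com is a placeholder host name.
set -eu

# Constructed stand-in for the CA: root -> primary -> secondary -> server.
# $1 = work dir, $2 = server DNS name
make_demo_chain() {
    cat > "$1/ext.cnf" <<EOF
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:$2
EOF
    dir=$1
    # issue NAME SUBJECT EXT-SECTION ISSUER (self-signed when ISSUER is empty)
    issue() {
        openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
            -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null
        if [ -z "$4" ]; then
            openssl x509 -req -in "$dir/$1.csr" -signkey "$dir/$1.key" -days 2 \
                -extfile "$dir/ext.cnf" -extensions "$3" -out "$dir/$1.pem" 2>/dev/null
        else
            openssl x509 -req -in "$dir/$1.csr" -CA "$dir/$4.pem" -CAkey "$dir/$4.key" \
                -set_serial "0x$(openssl rand -hex 8)" -days 2 \
                -extfile "$dir/ext.cnf" -extensions "$3" -out "$dir/$1.pem" 2>/dev/null
        fi
    }
    issue root      "/CN=Demo Root CA"                ca   ""
    issue primary   "/CN=Demo Primary Intermediate"   ca   root
    issue secondary "/CN=Demo Secondary Intermediate" ca   primary
    issue server    "/CN=$2"                          leaf secondary
    mv "$dir/server.key" "$dir/private.key"        # the file from Step 1
    mv "$dir/server.pem" "$dir/mycertificate.pem"  # the file from Step 5
}

# Step 7: your certificate first, then the intermediate that signed it, then
# its signer. Re-emitting each file through "openssl x509" yields a clean PEM
# block, so no stray text or missing newline ends up between certificates.
# $1 = output bundle, remaining args = certificate files in chain order
assemble_bundle() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do openssl x509 -in "$f" >> "$out"; done
}

# Check 1: the first certificate in the bundle carries private.key's public key.
# $1 = private key, $2 = bundle
key_matches_bundle() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: each certificate is followed by its issuer (openssl verify does not
# test this, but the server sends the file in exactly this order).
bundle_order_ok() {
    tmp=$(mktemp -d)
    awk -v p="$tmp/c" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (p n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERTIFICATE' "$1"); i=1; bad=0
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$tmp/c$i.pem" -noout -issuer | sed 's/^issuer= *//')
        sub=$(openssl x509 -in "$tmp/c$((i+1)).pem" -noout -subject | sed 's/^subject= *//')
        [ "$iss" = "$sub" ] || bad=1
        i=$((i+1))
    done
    rm -rf "$tmp"; return $bad
}

# Check 3: the chain leads to a trust anchor. With a real CA omit -CAfile so the
# system trust store is used. $1 = bundle, $2 = trust anchor (root) certificate
bundle_verifies() {
    openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

# Step 10: local handshake test. s_server stands in for the MobileTogether HTTPS
# port with the two uploaded files; the s_client line is what you run against the
# real server (host:port instead of 127.0.0.1:$port, no -CAfile for a public CA).
# $1 = bundle, $2 = private key, $3 = DNS name, $4 = trust anchor
handshake_ok() {
    port=$((20000 + $$ % 20000)); chain=$(mktemp)
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>1' "$1" > "$chain"  # intermediates only
    openssl s_server -accept "127.0.0.1:$port" -cert "$1" -key "$2" \
        -cert_chain "$chain" -www >/dev/null 2>&1 &
    pid=$!; bad=1
    for attempt in 1 2 3 4 5 6 7 8 9 10; do   # wait for the listener to come up
        out=$(openssl s_client -connect "127.0.0.1:$port" -servername "$3" \
              -verify_hostname "$3" -CAfile "$4" </dev/null 2>/dev/null || true)
        case $out in *"Verify return code: 0 (ok)"*) bad=0; break;; esac
        sleep 1
    done
    kill "$pid" 2>/dev/null || true; wait "$pid" 2>/dev/null || true
    rm -f "$chain"; return $bad
}

# Demo run on the constructed hierarchy (placeholder host name).
work=$(mktemp -d)
make_demo_chain "$work" mt.example.com
assemble_bundle "$work/publickey.pem" "$work/mycertificate.pem" \
    "$work/secondary.pem" "$work/primary.pem"
```

Against a real deployment, run key_matches_bundle and bundle_order_ok on the two files you are about to upload, then bundle_verifies without -CAfile; if the hosting machine does not have OpenSSL, the s_client line alone, run from any workstation against the server's DNS name and HTTPS port, is the Step 10 test.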
11.Enable MobileTogether Clients to use SSL
In MobileTogether Client apps that communicate with an SSL-enabled MobileTogether Server, enable SSL communication by checking the SSL Encryption checkbox. See the MobileTogether Client documentation for information about how to find this check box.