Altova FlowForce Server 2025 Advanced Edition

This demo shows you how to create self-signed SSL certificates for FlowForce Server running on a private network. Note that this demo is intentionally simplified and not suitable for use in production. Your organization will likely have specific security policies concerning SSL certificates and could use SSL tools other than the ones described below.

 

Creating self-signed SSL certificates involves the following procedures:

 

1.Creating a root certificate

2.Creating a FlowForce certificate

3.Importing the root certificate

 

For more information about each step, see the subsections below.

 

Prerequisites

This example makes use of the OpenSSL toolkit (https://www.openssl.org/) to generate self-signed certificates. Note that OpenSSL is an open source library and may need to be compiled before you can use it at the command line. The compilation and installation instructions for OpenSSL vary for each operating system. OpenSSL typically comes pre-installed on most Linux distributions and on macOS machines. You can quickly check if OpenSSL is installed by typing the command below (it displays the current OpenSSL version):

 

openssl version

 

OpenSSL can also be installed on Windows computers. For download links to installer binaries, see the OpenSSL Wiki.

 

Step 1: Create root certificate

The instructions below explain how to create a root certificate. The root certificate will be used to sign the server certificate (Step 2 below).

 

1.Create a directory that will store all certificates used in this demo (e.g., C:\secure). This will be the working directory for all subsequent OpenSSL commands. Then change to this directory from the command line:

 

cd C:\secure

 

2.For this demo, we will be issuing certificates with OpenSSL extensions. To make this possible, find the openssl.cnf file of your OpenSSL distribution and copy it to the working directory created in the previous step.

3.Create the root key that acts as your certificate authority's (CA) private key. Be aware that the root private key is the most sensible piece of your public key infrastructure, so it must always be generated and stored in a secure environment (in this demo, it is stored in C:\secure).

 

openssl genrsa -aes256 -out root.key 2048

 

When prompted, type a password to protect the root key. You will subsequently need this password to sign certificate requests.

 

4.Create the root certificate that is the public certificate of your certificate authority. The command below generates a self-signed certificate for the private key created above, with a validity of 3650 days. Notice that the -config parameter points to the openssl.cnf file in the same directory. The -extensions parameter refers to the v3_ca extension (section) defined in openssl.cnf.

 

openssl req -config openssl.cnf -extensions v3_ca -x509 -new -nodes -key root.key -sha256 -days 3650 -out root.pem

 

When prompted, enter information about your organization, for example:

 

Country Name (2 letter code) [AU]: AT

State or Province Name (full name) [Some-State]: .

Locality Name (eg, city) []: Vienna

Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd

Organizational Unit Name (eg, section) []: IT

Common Name (eg, YOUR name) []: Demo CA

Email Address []: test@example.org

 

You can fill in the required fields as applicable to your organization. For the Common Name field, enter the name of your self-signed certificate authority (Demo CA in this example).

 

Step 2: Create FlowForce certificate

The next step is to create the actual certificate that will be used for SSL encryption (by FlowForce Server, FlowForce Web Server, or both). The FlowForce certificate will be signed with the root certificate that was created in Step 1.4. Follow the instructions below:

 

1.Create the private key, using the OpenSSL command below. The private key accompanies your self-signed certificate used by FlowForce.

 

openssl genrsa -out flowforce.key 2048

 

The private key must be in PEM (Privacy Enhanced Mail) format. The file extension of PEM files is usually .pem, but it can also be .key, .cert, .cer, or .crt. In order for the private key to be usable in FlowForce, it must not be password-protected. The private key must be stored securely.

 

2.Open the working openssl.cnf file and add the following section to it:

 

[ server_cert ]
# Extensions for server certificates (`man x509v3_config`).
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName=DNS:server.my.domain.com

 

Make sure to change the subjectAltName (Subject Alternative Name) so that it corresponds to the FQDN (fully qualified domain name) of the machine where FlowForce Server runs. In this example, it is set to server.my.domain.com. Specifying a subject alternative name is required by Google Chrome 58 and later; otherwise, your self-signed certificate will generate a NET::ERR_CERT_COMMON_NAME_INVALID error (see the Chrome Help page).

 

3.Create a Certificate Signing Request (CSR), using the command shown below. Notice that the -config parameter points to the openssl.cnf file edited previously. The -extension parameter refers to the server_cert extension defined in openssl.cnf.

 

openssl req -config openssl.cnf -extensions server_cert -new -nodes -key flowforce.key -out flowforce.csr

 

4.When prompted, enter information about your organization, for example:

 

Country Name (2 letter code) [AU]: AT

State or Province Name (full name) [Some-State]: .

Locality Name (eg, city) []: Vienna

Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd

Organizational Unit Name (eg, section) []: IT

Common Name (eg, YOUR name) []: server.my.domain.com

Email Address []: test@example.org

 

For the Common Name field, make sure to enter the FQDN (fully qualified domain name) of the host machine where FlowForce Server runs. Leave the challenge password field empty when prompted.

 

5.Sign the FlowForce certificate with the root certificate. Note that, in a production environment, the root certificate does not normally sign server certificates directly; instead, intermediate certificates are used. The command below signs the flowforce.csr certificate request against the root certificate created previously and creates the flowforce.crt file (which is the server certificate required in FlowForce Server):

 

openssl x509 -extfile openssl.cnf -extensions server_cert -req -in flowforce.csr -CA root.pem -CAkey root.key -CAcreateserial -out flowforce.crt -days 365 -sha256

 

 

Summary

After taking Step 1 and Step 2, you must have the following certificates and keys:

 

root.key: This is your certificate authority's (CA) private key. Store this file in a secure place; if this key becomes compromised, then anyone can generate browser-trusted certificates on your behalf.

root.pem: This is the public certificate of your certificate authority. You will need to install (import) this certificate into the trusted certificates store of each machine (or browser) that needs to access FlowForce securely (Step 3 below).

flowforce.key: This private key accompanies your self-signed certificate used by FlowForce (see next item).

flowforce.crt: This is your self-signed certificate that will be used by FlowForce Server, FlowForce Web Server, or both.

 

Step 3: Import root certificate

When you create your own certificate authority (CA), the root certificate is self-signed; therefore, no browser will trust it by default. In order for an HTTP client (such as a browser) to trust your self-signed certificate, the certificate must be imported as follows:

 

Into the operating system's trusted certificate store if the browser uses it. On Windows, for example, Google Chrome and Microsoft Edge use the operating system's certificate store, while Mozilla Firefox uses its own store. On Linux, Google Chrome and Mozilla Firefox use their own certificate stores (see next point). On Mac, Safari uses the operating system's certificate store (Keychain Access).

Into the trusted certificates store of the browser itself.

 

Notes

 

The self-signed certificate must be imported for each client machine (or browser, if applicable) that will access FlowForce Server.

When you enable SSL encryption between FlowForce Web Server and FlowForce Server, it is not sufficient to import the certificate into the browser. Your self-signed root CA certificate must also be trusted by the operating system.

 

 

Depending on your operating system, the instructions on how to import the root certificate vary. For details, see the subsections below.

 

 

Next step

After taking Steps 1-3, you can now enable SSL for FlowForce Server, FlowForce Web Server, and for the HTTP connection between them, which is described in Step 7 of the section Set Up SSL Encryption.

 

© 2018-2024 Altova GmbH