HTTP, the HyperText Transfer Protocol, is an application protocol that web servers use to deliver content to web browsers. It defines how data is transferred from one place to another, but it does not guarantee that the data arriving at its destination really came from the expected origin.
Hypertext Transfer Protocol Secure (HTTPS) is an extension of the HTTP protocol that uses digital certificates to ensure that data is transmitted securely by using public-key cryptography.
The principal motivations for HTTPS are authentication of the accessed website and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks. The bidirectional encryption of communications between a client and server protects against eavesdropping and tampering with the communication. In practice, this provides a reasonable assurance that one is communicating, without interference by attackers, with the website that one intended to communicate with, as opposed to an impostor.
Transport Layer Security (TLS) and the now deprecated Secure Sockets Layer (SSL) are cryptographic protocols that secure communication between a web server and web browsers.
An HTTPS server that uses TLS or SSL protocols can work with certificates from these origins:
Self-signed certificates are easy to make and cost nothing. The problem with them is that browsers do not trust them and usually terminate the connection unless the user has disabled certificate checking.
A Certificate Authority charges money for issuing a TLS/SSL certificate. There are many companies that sell certificates, but only a few are generally trusted by browsers.
You can use the keytool program included in the /bin folder of MVDServer distributions to create a self-signed certificate.
Download the right distribution of MVDServer from the MVDServer Home Page and decompress it. Alternatively, download and install a JDK (Java Development Kit) from https://adoptopenjdk.net and adjust the path to its /bin directory.
From the directory where you decompressed MVDServer, execute the following command:
bin/keytool -genkey -keyalg RSA -alias selfSigned -keystore myKeystore.jks -storepass myPassword -validity 360 -keysize 2048
The command above creates a Java certificate store (a keystore) named myKeystore.jks, protected by the password myPassword.
keytool will ask you several questions. When it asks for your first and last name, enter the domain name of the server where the certificate is being created and used. For example:
bin/keytool -genkey -keyalg RSA -alias selfSigned -keystore myKeystore.jks -storepass myPassword -validity 360 -keysize 2048
What is your first and last name?
  [Unknown]:  www.mvdsoftware.com
What is the name of your organizational unit?
  [Unknown]:  Headquartes
What is the name of your organization?
  [Unknown]:  MVDSoftware
What is the name of your City or Locality?
  [Unknown]:  Montevideo
What is the name of your State or Province?
  [Unknown]:  Montevideo
What is the two-letter country code for this unit?
  [Unknown]:  UY
Is CN=www.mvdsoftware.com, OU=Headquartes, O=MVDSoftware, L=Montevideo, ST=Montevideo, C=UY correct?
  [no]:  yes
Once all questions are answered, a self-signed certificate valid for 360 days is added to the keystore under the selfSigned alias.
Execute the following command when you need to retrieve the certificate from the keystore and use it independently:
bin/keytool -export -alias selfSigned -keystore myKeystore.jks -rfc -file myCertificate.cer
When keytool asks for the keystore password, enter myPassword.
The exported certificate saved in myCertificate.cer is a Base64-encoded (PEM) text file delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
The procedure for obtaining a certificate from a Certificate Authority is similar to the method for generating a self-signed certificate explained above.
Download and decompress an MVDServer distribution from the MVDServer Home Page, or install a JDK, to obtain the keytool program.
Using keytool from MVDServer or a JDK, start by creating a keystore with this command:
bin/keytool -genkey -alias myServer -keyalg RSA -keysize 2048 -keystore myKeystore.jks -storepass myPassword
keytool will ask the same questions shown in the self-signed certificate generation section. Remember that when keytool asks for your first and last name, you must enter the name of the server for which the certificate is being requested.
Next, generate a certificate request with this command:
bin/keytool -certreq -alias myServer -keyalg RSA -file myRequest.csr -keystore myKeystore.jks -storepass myPassword
The certificate request generated and saved in myRequest.csr is a Base64-encoded (PEM) text file delimited by -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.
Send the file containing the certificate request (myRequest.csr) to the Certificate Authority that will sell you the signed certificate.
You will receive one or more certificates from your CA. If you get more than one file, the additional files are intermediate certificates that you also have to import into your keystore.
Use a command like this to import any intermediate certificate:
bin/keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore myKeystore.jks -storepass myPassword
Adjust the alias and file parameters as needed for each intermediate certificate. It is usually safe to use the name of the intermediate certificate file as the alias.
Finally, import your own certificate into the keystore with this command:
bin/keytool -import -trustcacerts -alias myServer -file myCertificate.crt -keystore myKeystore.jks -storepass myPassword
Notice that the import alias myServer must match the alias used when generating the certificate request; otherwise keytool stores the reply as a separate trusted certificate instead of attaching it to your private key.
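The self-signed procedure and the CA-signed procedure above, combined into one script as an added example (not MVDServer's own code). It answers keytool's questions with -dname instead of interactively, adds the Subject Alternative Name that browsers require besides the CN, stands in for the commercial CA with a local keytool-generated CA key (hypothetical, only so the import steps can be exercised offline), and ends with the check a deployer wants: that the server alias still owns the private key after the CA reply was imported. It assumes keytool (from a JDK or the MVDServer bin/ directory) is on PATH; the host names, passwords and file names are constructed for the example.

```shell
# Added example, not MVDServer's own script: the page's keytool steps made
# non-interactive, plus a local stand-in CA so the CA-signed flow can be exercised
# end to end offline. Assumes keytool (from a JDK or MVDServer bin/) is on PATH.
set -eu

# Key pair generation. -dname answers keytool's questions up front; the default
# -ext adds the Subject Alternative Name browsers require in addition to the CN.
gen_keypair() {  # alias keystore storepass host [extension]
    keytool -genkeypair -alias "$1" -keystore "$2" -storepass "$3" -keypass "$3" \
        -keyalg RSA -keysize 2048 -validity 360 \
        -dname "CN=$4, OU=Headquarters, O=MVDSoftware, L=Montevideo, ST=Montevideo, C=UY" \
        -ext "${5:-SAN=dns:$4}" >/dev/null 2>&1
}

# Self-signed path: export the certificate in PEM form (-rfc), as the page does.
export_pem() {  # alias keystore storepass outfile
    keytool -exportcert -alias "$1" -keystore "$2" -storepass "$3" -rfc -file "$4" >/dev/null 2>&1
}

# CA path: create the CSR, get it signed, then import the CA certificate and the
# CA reply. The reply MUST go under the alias that owns the key pair (myServer).
request_and_import() {  # keystore storepass ca_keystore ca_storepass workdir
    keytool -certreq -alias myServer -keystore "$1" -storepass "$2" \
        -file "$5/myRequest.csr" >/dev/null 2>&1
    # Stand-in for the commercial CA (hypothetical): sign the CSR with the local CA key.
    keytool -gencert -alias ca -keystore "$3" -storepass "$4" -infile "$5/myRequest.csr" \
        -outfile "$5/myCertificate.crt" -rfc -validity 360 >/dev/null 2>&1
    export_pem ca "$3" "$4" "$5/ca.crt"
    keytool -importcert -noprompt -trustcacerts -alias ca -file "$5/ca.crt" \
        -keystore "$1" -storepass "$2" >/dev/null 2>&1
    keytool -importcert -noprompt -trustcacerts -alias myServer -file "$5/myCertificate.crt" \
        -keystore "$1" -storepass "$2" >/dev/null 2>&1
}

# Check the server alias is a PrivateKeyEntry (key + chain). A reply imported under
# another alias becomes a trustedCertEntry and the server keeps its self-signed cert.
entry_type() {  # alias keystore storepass
    out=$(keytool -list -alias "$1" -keystore "$2" -storepass "$3" 2>/dev/null || true)
    case "$out" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo unknown ;;
    esac
}

if [ "${1:-}" = run ]; then  # usage: sh this_script.sh run
    W=$(mktemp -d); gen_keypair myServer "$W/myKeystore.jks" myPassword www.mvdsoftware.com
    gen_keypair ca "$W/ca.jks" caPassword ca.mvdsoftware.com bc:c
    request_and_import "$W/myKeystore.jks" myPassword "$W/ca.jks" caPassword "$W"
    echo "myServer is a $(entry_type myServer "$W/myKeystore.jks" myPassword) in $W"
fi
```

For a real deployment, replace the -gencert step with the certificate files returned by your CA and import any intermediate certificates before the reply, as described above.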
If you are using MVDServer to host your web site, adjust the JSON configuration file with the location of your keystore and its password.