
TLS/SSL Certificates

HTTP, the HyperText Transfer Protocol, is the application protocol web servers use to deliver content to web browsers. It defines how data is transferred from one place to another, but on its own it gives the receiver no assurance that the data came from the intended server, or that nobody read or altered it on the way.

Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over a TLS connection. The server presents a digital certificate, and public-key cryptography is used to authenticate that certificate and to agree on the keys that encrypt the rest of the exchange.

The principal motivations for HTTPS are authentication of the accessed website and protection of the privacy and integrity of the data exchanged while in transit. Authentication is what defeats man-in-the-middle attacks: a client that validates the server certificate (rather than clicking through a warning) will not complete the handshake with an impostor. Encryption and integrity protection in both directions defend the connection against eavesdropping and tampering. In practice this gives reasonable assurance that one is communicating with the intended website, not an impostor, and without interference from attackers along the path.

Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are the cryptographic protocols that secure the connection between a web server and web browsers. Every SSL version, as well as TLS 1.0 and 1.1, is deprecated; new deployments should offer only TLS 1.2 and 1.3.

An HTTPS server can use a certificate from either of two origins.

Self-signed certificates are easy to make and cost nothing. The problem with them is that they do not chain to any root the browser trusts, so the browser shows a security warning and completes the connection only if the user explicitly accepts the risk (or has disabled certificate checking altogether, which gives up the protection HTTPS is meant to provide). They are fine for development and testing, not for a public site.

A Certificate Authority (CA) issues certificates that chain to a root the browser already trusts, usually for a fee. Many companies sell certificates, but only those whose root certificates ship in the major browser and operating-system trust stores are trusted by default.

Self-signed Certificate Generation

You can use the keytool program included in the /bin folder of MVDServer distributions to create a self-signed certificate.

Download the MVDServer distribution for your platform from the MVDServer Home Page and decompress it. Alternatively, download and install a JDK (Java Development Kit) from https://adoptopenjdk.net and use the keytool found in its /bin directory, adjusting the paths in the commands below accordingly.

From the directory where you decompressed MVDServer, execute the following command (replace www.mvdsoftware.com with the host name clients will use to reach your server):

bin/keytool -genkey -keyalg RSA -alias selfSigned -keystore myKeystore.jks -storepass myPassword -validity 360 -keysize 2048 -ext SAN=dns:www.mvdsoftware.com

The command above creates a Java keystore named myKeystore.jks, protected by the password myPassword, generates a 2048-bit RSA key pair in it and wraps the public key in a self-signed certificate. Two things to be aware of: passing -storepass on the command line leaves the password in your shell history, so you can omit the option and let keytool prompt for it instead; and keytool from JDK 9 onwards creates a PKCS12 keystore by default regardless of the .jks extension, so add -storetype JKS if you specifically need the legacy JKS format.

keytool will ask you several questions. When it asks for your first and last name, enter the domain name of the server where the certificate will be used; it becomes the CN of the certificate subject. Browsers, however, check the host name against the Subject Alternative Name (SAN) extension rather than the CN (Chrome stopped falling back to the CN in version 58), which is why the command also passes the host name with -ext SAN=dns:... Without a SAN, Chrome reports ERR_CERT_COMMON_NAME_INVALID even though the CN matches. For example:

bin/keytool -genkey -keyalg RSA -alias selfSigned -keystore myKeystore.jks -storepass myPassword -validity 360 -keysize 2048 -ext SAN=dns:www.mvdsoftware.com
What is your first and last name?
    [Unknown]:  www.mvdsoftware.com
What is the name of your organizational unit?
    [Unknown]:  Headquartes        
What is the name of your organization?
    [Unknown]:  MVDSoftware
What is the name of your City or Locality?
    [Unknown]:  Montevideo
What is the name of your State or Province?
    [Unknown]:  Montevideo
What is the two-letter country code for this unit?
    [Unknown]:  UY
Is CN=www.mvdsoftware.com, OU=Headquartes, O=MVDSoftware, L=Montevideo, ST=Montevideo, C=UY correct?
    [no]:  yes

Once all questions are answered, the key pair and a self-signed certificate valid for 360 days are stored in the keystore under the selfSigned alias (keytool stores aliases in lower case, so a listing shows it as selfsigned).

Execute the following command when you need to export the certificate from the keystore and use it independently, for example to install it as a trusted certificate on a test client. Only the certificate (the public half) is exported; the private key stays in the keystore.

bin/keytool -export -alias selfSigned -keystore myKeystore.jks -rfc -file myCertificate.cer

When keytool asks for the keystore password, enter myPassword.

The exported certificate saved in myCertificate.cer is PEM-encoded (that is what -rfc selects) and will look like this. This sample was generated without a Subject Alternative Name extension; its only extension is a Subject Key Identifier:

-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIEWJIgwjANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMC
VVkxEzARBgNVBAgTCk1vbnRldmlkZW8xEzARBgNVBAcTCk1vbnRldmlkZW8xFDAS
BgNVBAoTC01WRFNvZnR3YXJlMRQwEgYDVQQLEwtIZWFkcXVhcnRlczEcMBoGA1UE
AxMTd3d3Lm12ZHNvZnR3YXJlLmNvbTAeFw0xOTExMjExOTI4NTBaFw0yMDExMTUx
OTI4NTBaMIGBMQswCQYDVQQGEwJVWTETMBEGA1UECBMKTW9udGV2aWRlbzETMBEG
A1UEBxMKTW9udGV2aWRlbzEUMBIGA1UEChMLTVZEU29mdHdhcmUxFDASBgNVBAsT
C0hlYWRxdWFydGVzMRwwGgYDVQQDExN3d3cubXZkc29mdHdhcmUuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1CCBvuScBLeGmIhdP9gx1YB+npO
LI67n+ZNVaMX6LjxFynsyvhlzTvROju6GkNdotzoovzrPuiksqO2trkKtiIA6z3D
pSWIiX0kOXB4nC52iwIRBasxNef+4d2RayO0k0IiPcSFYNDuNSOXhL74d9HCgygN
fPBix62lsOs14k9g4k83spXnw9mnLwQ8uU4TmUkU7F4tnKLsUcf8KR47sJUWCXsa
iIphJbJM9PuaPvCsAoBDTVfeBWvQ55ILxNU6zCJPABCBvuH/EpKZ1pPvIO5Shxuj
jTHRz38EgDOwvAuqP8I5pCcF9hAHfkGprA4VZQVFiF6WXjCOUbY7ctDIFQIDAQAB
oyEwHzAdBgNVHQ4EFgQU3V7Iwnm4MZNET/qQ3yaeytRCIHIwDQYJKoZIhvcNAQEL
BQADggEBAGTdIglwYcci0lEg7pBoO7EnenI8H0sicviVNm1PtoAA9mGiQr4TEzXi
M3zl+7jqcKWZZlRl6pLdh6d3wFjeKn1eqlf3sTbo7NLXHnboiTDAVsoq3C8r8ORW
lfDvXN7N9VG7Ga8fN2Z8rv2O4ZBtFR7F6bYZ2zsK556oY9Fy2B0RgGrB6alVZWzr
viyE1C8vhQ1yrHsYsOG321DMD0OeK5X/qqH6nEhCFwJYnIB8Z/lzSIgb8wvWbKC1
Fq7B2zjUv8/2XEtZVCuEP7MZWm0yPoHjs4vjQKdJytY3Bnsu9NCDzPVusXcaKHkP
oty26g85pd4sbaB76h1sdRyGu6hdnZs=
-----END CERTIFICATE-----
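Before installing an exported certificate anywhere, a practitioner wants to know what it actually says: which host name it carries, whether that name is in a SAN extension (the only place browsers look), whether it is self-signed, when it expires and how large the key is. The following script is an added example, not code from MVDSoftware, MVDServer or keytool. It walks the DER structure of a PEM certificate using only the Python standard library, so it runs without a JVM, and it embeds the certificate shown above as its sample input. The same inspect_certificate function applies to the certificate a CA returns in the next section, where issuer and subject should differ and san_dns should contain your host name.

```python
# Added example, not MVDServer or keytool code: a minimal X.509 inspector using only the standard library.
import base64, datetime, re
# Sample input: the self-signed certificate exported by keytool above (it carries no SAN extension).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIDozCCAougAwIBAgIEWJIgwjANBgkqhkiG9w0BAQsFADCBgTELMAkGA1UEBhMC
VVkxEzARBgNVBAgTCk1vbnRldmlkZW8xEzARBgNVBAcTCk1vbnRldmlkZW8xFDAS
BgNVBAoTC01WRFNvZnR3YXJlMRQwEgYDVQQLEwtIZWFkcXVhcnRlczEcMBoGA1UE
AxMTd3d3Lm12ZHNvZnR3YXJlLmNvbTAeFw0xOTExMjExOTI4NTBaFw0yMDExMTUx
OTI4NTBaMIGBMQswCQYDVQQGEwJVWTETMBEGA1UECBMKTW9udGV2aWRlbzETMBEG
A1UEBxMKTW9udGV2aWRlbzEUMBIGA1UEChMLTVZEU29mdHdhcmUxFDASBgNVBAsT
C0hlYWRxdWFydGVzMRwwGgYDVQQDExN3d3cubXZkc29mdHdhcmUuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq1CCBvuScBLeGmIhdP9gx1YB+npO
LI67n+ZNVaMX6LjxFynsyvhlzTvROju6GkNdotzoovzrPuiksqO2trkKtiIA6z3D
pSWIiX0kOXB4nC52iwIRBasxNef+4d2RayO0k0IiPcSFYNDuNSOXhL74d9HCgygN
fPBix62lsOs14k9g4k83spXnw9mnLwQ8uU4TmUkU7F4tnKLsUcf8KR47sJUWCXsa
iIphJbJM9PuaPvCsAoBDTVfeBWvQ55ILxNU6zCJPABCBvuH/EpKZ1pPvIO5Shxuj
jTHRz38EgDOwvAuqP8I5pCcF9hAHfkGprA4VZQVFiF6WXjCOUbY7ctDIFQIDAQAB
oyEwHzAdBgNVHQ4EFgQU3V7Iwnm4MZNET/qQ3yaeytRCIHIwDQYJKoZIhvcNAQEL
BQADggEBAGTdIglwYcci0lEg7pBoO7EnenI8H0sicviVNm1PtoAA9mGiQr4TEzXi
M3zl+7jqcKWZZlRl6pLdh6d3wFjeKn1eqlf3sTbo7NLXHnboiTDAVsoq3C8r8ORW
lfDvXN7N9VG7Ga8fN2Z8rv2O4ZBtFR7F6bYZ2zsK556oY9Fy2B0RgGrB6alVZWzr
viyE1C8vhQ1yrHsYsOG321DMD0OeK5X/qqH6nEhCFwJYnIB8Z/lzSIgb8wvWbKC1
Fq7B2zjUv8/2XEtZVCuEP7MZWm0yPoHjs4vjQKdJytY3Bnsu9NCDzPVusXcaKHkP
oty26g85pd4sbaB76h1sdRyGu6hdnZs=
-----END CERTIFICATE-----"""

OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def read_tlv(buf, pos):                     # one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                        # split a SEQUENCE/SET content into (tag, value) elements
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(raw):
    arcs, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:                       # base-128 arcs, high bit set on all but the last byte
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)

def decode_name(rdn_sequence):
    parts = []                              # DER stores C first; keytool prints the CN first, so reverse
    for _, rdn_set in children(rdn_sequence):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)
            parts.append(f"{OID_NAMES.get(decode_oid(oid), decode_oid(oid))}={value.decode()}")
    return ", ".join(reversed(parts))

def decode_time(tag, raw):
    text = raw.decode()
    if tag == 0x17:                         # UTCTime: two-digit year, 50-99 means 19xx; 0x18 is GeneralizedTime
        yy = int(text[:2])
        text = str(1900 + yy if yy >= 50 else 2000 + yy) + text[2:]
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def inspect_certificate(pem):
    _, cert, _ = read_tlv(pem_to_der(pem), 0)
    (_, tbs), _, _ = children(cert)         # tbsCertificate, signatureAlgorithm, signatureValue
    fields = children(tbs)
    i = 1 if fields[0][0] == 0xA0 else 0    # explicit [0] version is optional (absent means v1)
    (nb_tag, nb), (na_tag, na) = children(fields[i + 3][1])
    _, (_, key_bits) = children(fields[i + 5][1])               # SubjectPublicKeyInfo: algorithm, BIT STRING
    (_, modulus), _ = children(children(key_bits[1:])[0][1])    # skip unused-bits byte, open RSAPublicKey
    san_dns = []
    for tag, val in fields[i + 6:]:
        if tag == 0xA3:                     # extensions live in explicit [3]
            for _, ext in children(children(val)[0][1]):
                items = children(ext)       # extnID, optional critical flag, extnValue (OCTET STRING)
                if decode_oid(items[0][1]) == "2.5.29.17":      # subjectAltName
                    for name_tag, name in children(children(items[-1][1])[0][1]):
                        if name_tag == 0x82:                    # dNSName [2] IA5String
                            san_dns.append(name.decode())
    subject, issuer = decode_name(fields[i + 4][1]), decode_name(fields[i + 2][1])
    return {"subject": subject, "issuer": issuer, "self_signed": issuer == subject,
            "not_before": decode_time(nb_tag, nb), "not_after": decode_time(na_tag, na),
            "san_dns": san_dns, "key_bits": int.from_bytes(modulus, "big").bit_length()}

def hostname_matches(info, hostname):
    # Browsers match the host against SAN dNSNames only; Chrome stopped falling back to the CN in version 58.
    return hostname.lower() in [n.lower() for n in info["san_dns"]]

def is_valid_at(info, when):
    return info["not_before"] <= when <= info["not_after"]
```

Running inspect_certificate(SAMPLE_PEM) reproduces the DN keytool printed, reports self_signed as True, a 2048-bit key and a validity window from 2019-11-21 to 2020-11-15 (exactly 360 days), and an empty san_dns list; hostname_matches therefore returns False for www.mvdsoftware.com even though the CN matches, which is precisely the check a browser performs. For a CA-issued certificate the issuer should differ from the subject and san_dns should list every host name the server answers to.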

CA Signed Certificate Request

The procedure for obtaining a certificate from a Certificate Authority starts like the self-signed procedure above: you generate a key pair in a keystore, but instead of using the self-signed certificate keytool creates for it, you send a certificate signing request (CSR) to the CA and later import the certificate the CA issues.

Download and decompress an MVDServer distribution from MVDServer Home Page or install a JDK to obtain the keytool program.

Using keytool from MVDServer or a JDK, start by creating a keystore with this command:

bin/keytool -genkey -alias myServer -keyalg RSA -keysize 2048 -keystore myKeystore.jks -storepass myPassword

keytool asks the same questions shown in the self-signed certificate generation section.

Remember that when keytool asks for your first and last name, you must enter the fully qualified host name of the server the certificate is being requested for.

Next, generate a certificate request with this command. The -ext option asks the CA to include the host name as a Subject Alternative Name; many CAs ignore extensions in the CSR and take the SAN list from their order form instead, so verify that the issued certificate contains it either way:

bin/keytool -certreq -alias myServer -file myRequest.csr -keystore myKeystore.jks -storepass myPassword -ext SAN=dns:www.mvdsoftware.com

The certificate request generated and saved in myRequest.csr is a PEM-encoded PKCS #10 request and looks like this:

-----BEGIN NEW CERTIFICATE REQUEST-----
(base64-encoded request body)
-----END NEW CERTIFICATE REQUEST-----

Send the file containing the certificate request (myRequest.csr) to the Certificate Authority that will sell you the signed certificate. The request carries only your public key and subject name, signed with your private key; the private key itself never leaves the keystore and the CA has no need for it.

You will receive one or more certificates from your CA. If you get more than one file, the extra ones are the CA's intermediate certificates (and sometimes its root), which must be imported into your keystore before your own certificate, because keytool validates the reply by building a chain from the certificates it already holds (plus the JDK's cacerts when -trustcacerts is given).

Use a command like this to import each intermediate certificate:

bin/keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore myKeystore.jks -storepass myPassword

Adjust the alias and file parameters for each intermediate certificate. Using the certificate file name as the alias is a safe convention; aliases are case-insensitive and must be unique within the keystore. When keytool cannot validate a certificate against cacerts it prints the certificate's fingerprints and asks "Trust this certificate?"; compare the fingerprint with the one published by your CA before answering yes.

Finally, import your own certificate (the CA reply) into the keystore with this command:

bin/keytool -import -trustcacerts -alias myServer -file myCertificate.crt -keystore myKeystore.jks -storepass myPassword

The import alias myServer must match the alias used when generating the key pair and the certificate request. When it does, keytool reports "Certificate reply was installed in keystore" and replaces the self-signed certificate of that entry with the CA-issued chain. If it reports "Certificate was added to keystore" instead, the alias did not match an existing key entry and the certificate was stored as a separate trusted-certificate entry that the server cannot use; delete that entry and repeat the import with the correct alias. A final keytool -list -v should show the entry as a PrivateKeyEntry with the expected certificate chain length.
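After the last import it is worth confirming, independently of keytool, that the keystore holds what the server needs: a private-key entry under the server alias whose chain starts with your certificate and continues through the intermediates, rather than a stray trusted-certificate entry created because the alias did not match. The following script is an added example, not code from MVDSoftware, MVDServer or keytool. It reads the legacy JKS container (magic 0xFEEDFEED) with the Python standard library only, verifies the keyed SHA-1 integrity trailer with the store password, and lists each entry's type and chain length. Since no keystore file is available on this page, it also includes a small writer that builds a constructed sample store using placeholder byte strings in place of real DER certificates and keys; the alias "intermediate" is assumed, the others come from the commands above. It assumes the file really is JKS: keytool from JDK 9 onwards writes PKCS12 by default unless -storetype JKS is given, and such a file (which begins with a DER SEQUENCE byte) is reported as PKCS12.

```python
# Added example, not MVDServer or keytool code: read a legacy JKS keystore (magic 0xFEEDFEED) without a JVM.
import hashlib, struct

JKS_MAGIC, PRIVATE_KEY_ENTRY, TRUSTED_CERT_ENTRY = 0xFEEDFEED, 1, 2

def _integrity_digest(password, body):
    """JKS trailer: SHA-1 over the password as UTF-16BE, the fixed string "Mighty Aphrodite", then the body."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(b"Mighty Aphrodite")
    md.update(body)
    return md.digest()

def _utf(text):
    """Java DataOutputStream.writeUTF layout: 2-byte big-endian length, then (modified) UTF-8 bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw

class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk

    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def utf(self): return self.take(self.u16()).decode("utf-8")
    def blob(self): return self.take(self.u32())

def read_jks(data, password):
    """Return {alias: {"type": ..., "chain": [der, ...]}}; raise ValueError if the digest does not verify."""
    if data[:1] == b"\x30":                 # a DER SEQUENCE: PKCS12, which keytool from JDK 9 writes by default
        raise ValueError("PKCS12 keystore, not JKS (create it with -storetype JKS)")
    r = _Reader(data)
    if r.u32() != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    if r.u32() not in (1, 2):
        raise ValueError("unsupported JKS version")
    entries = {}
    for _ in range(r.u32()):
        tag, alias, _created_ms = r.u32(), r.utf(), r.u64()
        if tag == PRIVATE_KEY_ENTRY:
            _sealed_key = r.blob()          # EncryptedPrivateKeyInfo; not needed for this check
            chain = [(r.utf(), r.blob())[1] for _ in range(r.u32())]   # ("X.509", DER) pairs
            entries[alias] = {"type": "PrivateKeyEntry", "chain": chain}
        elif tag == TRUSTED_CERT_ENTRY:
            entries[alias] = {"type": "trustedCertEntry", "chain": [(r.utf(), r.blob())[1]]}
        else:
            raise ValueError(f"unknown entry tag {tag}")
    body_end = r.pos
    if r.take(20) != _integrity_digest(password, data[:body_end]):
        raise ValueError("integrity check failed: wrong password or tampered keystore")
    return entries

def write_jks(entries, password, created_ms=0):
    """Serialise entries in the same layout; used here only to build constructed sample stores."""
    out = bytearray(struct.pack(">III", JKS_MAGIC, 2, len(entries)))
    for alias, e in entries.items():
        tag = PRIVATE_KEY_ENTRY if e["type"] == "PrivateKeyEntry" else TRUSTED_CERT_ENTRY
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", created_ms)
        if tag == PRIVATE_KEY_ENTRY:
            out += struct.pack(">I", len(e["key"])) + e["key"] + struct.pack(">I", len(e["chain"]))
        for cert in e["chain"]:
            out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
    return bytes(out) + _integrity_digest(password, bytes(out))

def integrity_ok(data, password):
    try:
        read_jks(data, password)
        return True
    except ValueError:
        return False

def server_entry_ok(entries, alias, expected_chain_length):
    """True when alias is a private-key entry holding the full chain (your certificate first)."""
    e = entries.get(alias.lower())          # keytool stores aliases in lower case
    return e is not None and e["type"] == "PrivateKeyEntry" and len(e["chain"]) == expected_chain_length

# Constructed placeholders standing in for real DER blobs; the container format never parses them.
LEAF, INTERMEDIATE, ROOT, KEY = b"<server cert>", b"<intermediate cert>", b"<root cert>", b"<sealed key>"

def sample_keystore():
    """Expected state after importing the root, the intermediate and then the CA reply under the key entry's alias."""
    return write_jks({
        "addtrustexternalcaroot": {"type": "trustedCertEntry", "chain": [ROOT]},
        "intermediate": {"type": "trustedCertEntry", "chain": [INTERMEDIATE]},
        "myserver": {"type": "PrivateKeyEntry", "key": KEY, "chain": [LEAF, INTERMEDIATE, ROOT]},
    }, "myPassword")
```

On a real file, read_jks(open("myKeystore.jks", "rb").read(), "myPassword") followed by server_entry_ok(entries, "myServer", 3) answers the question directly; a store where the reply landed under the wrong alias shows "myserver" with a single self-signed certificate and the CA-issued one as a separate trustedCertEntry, and server_entry_ok returns False. The integrity trailer is only a keyed hash, not encryption: it detects a wrong password or tampering, but the certificates are readable by anyone with the file, and the private key is protected solely by its own (key) password.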

If you are using MVDServer to host your web site, adjust its JSON configuration file with the location of your keystore and its password. Restrict read access to both files: together they hold the server's private key.