SSL Reference
Information on correctly configuring SSL for Execute
Execute requires that the Execute service be configured with a valid SSL certificate. This document provides a detailed walk-through of our recommended process. It is not the only way Execute can be configured, but it should work for most environments.
For the purposes of this document we walk through configuring Execute for a fictitious Oil & Gas Company, "Microeggbert Oil".
Our fictitious company owns the domain "microeggbertoil.com".
Hostname
All users of Execute (internal to your network, and remote) must access Execute through a common name / URL. For this reason, it’s usually best to set up the service as a host under your existing public domain name, rather than relying on an internal hostname.
In this example we will configure our environment to use afenav.microeggbertoil.com.
On our internal DNS servers we configure afenav.microeggbertoil.com to resolve to our application server’s IP address. On our public facing DNS servers we configure afenav.microeggbertoil.com to resolve to our firewall’s IP address (we would also need a port forwarding rule on the firewall to allow this traffic through to the application server).
The end result is that you should be able to ping afenav.microeggbertoil.com internally and see it resolve to the application server’s IP address.
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
C:\> ping afenav.microeggbertoil.com
Pinging afenav.microeggbertoil.com [192.168.210.108] with 32 bytes of data:
Reply from 192.168.210.108: bytes=32 time<1ms TTL=128
Reply from 192.168.210.108: bytes=32 time<1ms TTL=128
Reply from 192.168.210.108: bytes=32 time<1ms TTL=128
Reply from 192.168.210.108: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.210.108:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Installation
The Installation and Upgrade Guide covers the steps to install Execute.
During the installation make sure to enter your full hostname when prompted for the server name.

Verifying Connectivity
After installation you should be able to connect to the Execute service with your web browser to verify connectivity (make sure Windows Firewall is allowing inbound traffic).
In the Installation and Upgrade Guide we recommend installing your production instance on port 443 (the default HTTPS port) so the production URL should look like:
https://afenav.microeggbertoil.com
When you open this in your web browser you will see errors, like the following, that indicate the certificate is not trusted. This is because Execute, upon installation, is using a self-signed certificate.

Upon installation Execute generates a temporary self-signed certificate that is suitable for testing but not for production use.
We now need to generate and install a real certificate.
Generating a Certificate Request
When PROD and TEST environments share a single server they can share a single certificate. Perform the Generation and Installation steps on one environment and, once complete and working in that environment, run the ssltool.exe in the other environment and select “Connect Existing Certificate to Execute” and choose your newly issued certificate.
In order to obtain an SSL Certificate we must generate a private key and a certificate signing request (CSR). The CSR then must be submitted to a Certificate Authority to be signed and turned into a valid certificate. The private key is generated on, and stays on, our application server.
Execute’s ssltool.exe (found in the service’s installation folder) will generate the private key and CSR.
Select the “Request Certificate From Certificate Authority” button.

When generating the CSR, we must provide the hostname (Common Name or CN) of the server we are requesting the certificate for.
The CN must match the name of the Execute service (in our case here, afenav.microeggbertoil.com).

The certificate request will be presented in Base64 encoded PKCS#10 format.
This text will need to be copied and pasted into a form when requesting a certificate from a certificate authority.

Buying a Certificate
There are lots of vendors (Certificate Authorities) who sell SSL certificates. For this demo we used GoDaddy to issue our certificate.
We only need a single server DV (Domain Validation) certificate for our purposes.

For certificate authorities other than GoDaddy, the steps will vary but the overall process should be similar.
With GoDaddy we buy the certificate first and upload the CSR once we have paid.

Once we have paid for our certificate we are able to request that the certificate be created.

We are asked to paste in the contents of the CSR (copied from a previous step).

The Certificate Authority will require us to prove that we have administrative rights to the domain. This will usually require us to take an action like:
- Responding to an email sent to the domain’s administrative contacts
- Adding a TXT record with a specific code to our domain’s DNS

Once the certificate authority has verified that we control our domain they will issue the certificate.

We need the certificate, and the intermediate certificates, in PEM format. Choose to download the newly generated certificate. On GoDaddy we can select “Other” when downloading the certificate to retrieve them in the PEM format.

In this case “3cb6c847e0c9497f.crt” is our newly issued certificate and “gd_bundle-g2-g1.crt” is a bundle of intermediate certificates.

These are now ready to be installed.
Installing the Certificate
Once the certificate has been downloaded we can load it into the Windows Certificate Store, and associate it with our Execute Service, using the Execute ssltool.
Select “Install Certificate from Certificate Authority”.

We open the certificate file in notepad (in this example, “3cb6c847e0c9497f.crt”) and copy and paste the content into the ssltool and select “Continue.”

We see messages like the following upon a successful installation.

If the CA provided us with intermediate certificates (most do) we need to install those using the “Install Intermediate Certificate” button in the ssltool.

We open the intermediate certificate bundle (in this example, “gd_bundle-g2-g1.crt”) and copy and paste that into the ssltool and select “Continue.”

The following message confirms the intermediate certificate(s) were installed successfully.

Verifying Installation of a Certificate
Once the certificate has been installed successfully we are able to visit our service without receiving any SSL errors or warnings.
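The same check can be scripted from any Windows client. The PowerShell function below is an added example, not part of the Execute tooling: it reports whether the certificate served by the service passes Windows' default validation (trusted chain and matching name) and who issued it. The function name Test-ExecuteTls is hypothetical and the default hostname is this page's example.

```powershell
# Added example, not part of the Execute tooling. Test-ExecuteTls is a
# hypothetical name; the default host is this page's example hostname.
function Test-ExecuteTls {
    param(
        [string]$HostName = 'afenav.microeggbertoil.com',
        [int]$Port = 443
    )

    # Connect, run the TLS handshake and return the server certificate.
    # $Callback decides whether the certificate is accepted ($null means
    # default Windows validation). No application data is sent.
    function Get-ServerCertificate($Callback) {
        $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
        try {
            $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $Callback)
            $ssl.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        }
        finally { $tcp.Close() }
    }

    # Pass 1: strict validation, the same trust and name checks a client applies.
    $valid = $true
    $reason = $null
    try { $null = Get-ServerCertificate $null }
    catch { $valid = $false; $reason = $_.Exception.GetBaseException().Message }

    # Pass 2: accept any certificate so its details can be reported even
    # when pass 1 failed (for example on the temporary self-signed certificate).
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $cert = Get-ServerCertificate $acceptAny

    [pscustomobject]@{
        HostName         = $HostName
        PassesValidation = $valid
        FailureReason    = $reason
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        # Heuristic: a self-signed certificate names itself as issuer.
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        NotAfter         = $cert.NotAfter
        DaysLeft         = [int]($cert.NotAfter - (Get-Date)).TotalDays
        Thumbprint       = $cert.Thumbprint
    }
}

Test-ExecuteTls
```

Before the CA-issued certificate is installed, expect PassesValidation to be False and SelfSigned to be True; afterwards PassesValidation should be True and Issuer should name the certificate authority.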

Backing up Your Certificate/Private Key
- Run the Microsoft Management Console (Start > Run > “mmc”)
- Install the Certificate Snap-in (File > Add/Remove Snap-in… )
- Select “Certificates” and “Add >”
- Choose “Computer Account”
- Click OK.
- In the tree select (Console Root > Certificates (Local Computer) > Personal > Certificates)
- Right click your certificate and select (All Tasks > Export)
- Make sure you choose “Yes” to export your private key.
- Export in PKCS #12 format (do not click the “Delete the private key if the export is successful” checkbox)
- Click the “Password” box and enter a password. This is used to protect the private key. You will need this password again if you ever need to restore this certificate or load it into another machine.
- Select a location for the certificate and then, once exported, ensure it is stored somewhere safe!
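A scripted equivalent of the export steps above, as an added example that is not part of the Execute tooling. It assumes an elevated PowerShell prompt on the application server; the function name Backup-ExecuteCertificate and the output path are hypothetical, and the hostname is this page's example.

```powershell
# Added example: scripted equivalent of the MMC export steps.
# Backup-ExecuteCertificate and the default output path are hypothetical.
function Backup-ExecuteCertificate {
    param(
        [string]$HostName = 'afenav.microeggbertoil.com',  # this page's example host
        [string]$OutFile  = 'C:\Backup\afenav.pfx'         # assumed path; the folder must exist
    )

    # "Certificates (Local Computer) > Personal" is Cert:\LocalMachine\My.
    # Match on the exact CN, require a private key, and skip self-signed
    # entries (Subject equals Issuer) in case a temporary certificate for
    # the same name is still in the store.
    $found = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.GetNameInfo('SimpleName', $false) -eq $HostName -and
        $_.HasPrivateKey -and
        $_.Subject -ne $_.Issuer
    })
    if ($found.Count -ne 1) {
        throw "Expected exactly one CA-issued certificate with a private key for $HostName, found $($found.Count)."
    }

    # The password protects the private key inside the PKCS #12 file.
    $password = Read-Host -AsSecureString -Prompt 'PFX password'

    # BuildChain also writes the chain certificates into the file
    # (a choice made in this example, not a step from the list above).
    Export-PfxCertificate -Cert $found[0] -FilePath $OutFile `
        -Password $password -ChainOption BuildChain | Out-Null

    # Read the file back with the same password to confirm the backup opens
    # and holds the certificate that is in the store.
    $pfx = Get-PfxData -FilePath $OutFile -Password $password
    [pscustomobject]@{
        File         = $OutFile
        Thumbprint   = $pfx.EndEntityCertificates[0].Thumbprint
        MatchesStore = ($pfx.EndEntityCertificates[0].Thumbprint -eq $found[0].Thumbprint)
        ChainCerts   = $pfx.OtherCertificates.Count
    }
}

Backup-ExecuteCertificate
```

The private key stays in the store after the export, matching the instruction not to tick the delete checkbox.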
