NetTalk Central
NetTalk Web Server => Web Server - Ask For Help => Topic started by: ianburgess on June 26, 2012, 04:59:23 AM
-
I am looking to be able to have several Nettalk webserver apps hosted on a 3rd party virtual server. Also, I need to have a SSL certificate so that users can access using SSL without any security messages. Can anyone make any suggestions re companies that they have used and whether it is possible to use a "shared" SSL certificate or one must go down the road of applying for a certificate for each domain name used?
Is it just a matter of applying and getting a SSL certificate and dropping the files into the relevant subfolder? Does the host provider need to get involved/understand that I will be doing this? Where is the cheapest/best place to get SSL certificate?
Please excuse the perhaps silly questions - I am very new to web apps etc!
-
Hi,
You can get an SSL certificate for unlimited subdomains (e.g. *.mydomain.com). If you cannot use subdomains you can buy certificate packages that allow, say, 5 domains for a given fee. I have one from GoDaddy for subdomains and it's $US200 a year, and it wasn't a drama. I chose a "standard SSL" certificate because we don't do ecommerce on those domains. Within a few hours I was sent an email with details on how to log into their system to manage my certificates.
I then just renamed and placed the certificate files (supplied by their online system) in the right folder plus added the necessary DLLs for nettalk to support SSL.
Regards
Bill
-
Hallo Ian,
I use SSL certificate from GlobeSSL. I use the standard one and it works good. Depends on your needs but this one is very cheap.
https://www.globessl.com/Globe-Standard-SSL.html
Good luck!
Robert
-
Thanks. The Globe SSL sounds extremely good value. Am I right in saying that you get a couple of files from them that you just save in the nettalk certificates folder in place of the self certified ones that ship in nettalk? ... So it makes no difference who hosts the virtual server that is running my nettalk webserver app?
Thanks
Ian
-
>> So it makes no difference who hosts the virtual server that is running my nettalk webserver app?
correct.
>> Am I right in saying that you get a couple of files from them that you just save in the nettalk certificates folder in place of the self certified ones that ship in nettalk?
yes. although you may have to use OpenSSL (see docs) to convert it to the right format.
cheers
Bruce
-
Thanks for the replies.
Just to clarify my intentions....
I want to be able to access the secure website using the IP address (I am hosting the site) and not a domain. eg. https://xx.xx.xxx.xxx
The question is whether it is possible to have a SSL certificate that would allow this scenario?
Presumably it must be the IP address that is referred to in the SSL certificate somehow?
-
>> Presumably it must be the IP address that is referred to in the SSL certificate somehow?
Yes, you specify the IP address in the CN (common name) field of the CSR (Certificate Signing Request) when you order the SSL cert.
-
Thanks. GlobeSSL was recommended as a cheap provider of certificates but when I asked them if I could get one for an IP address they said it was not possible. Can anyone recommend a cheap certificate provider that will issue a certificate for an IP address as opposed to a domain?
.... Or is this actually possible with GlobeSSL and they have given me wrong advice?
Basically I want to host the site on my own PC and am not concerned about a domain but need to get rid of security warnings that people get when using a self signed certificate.
-
>> Presumably it must be the IP address that is referred to in the SSL certificate somehow?
>> Yes, you specify the IP address in the CN (common name) field of the CSR (Certificate Signing Request) when you order the SSL cert.
If specifying the IP address as the CN, is it just the numerical portion, i.e. xx.xx.xxx.xxx, or does one include the https:// ?
Also, can anyone suggest a certificate provider that will issue certificate for an ip address?
-
Ian,
stop messing around. Get a domain. It's really cheap. Really easy to administer. And will save you piles of money and effort in the long run.
Cheers
Bruce
-
>> Ian,
>> stop messing around. Get a domain. It's really cheap. Really easy to administer. And will save you piles of money and effort in the long run.
>> Cheers
>> Bruce
OK that's not a problem getting a domain (I already have several spare ones), but I wanted to host the Nettalk webserver app myself - wasn't sure that was possible?
Or maybe I should just go for a hosted virtual server with a domain?
-
Ok I have just experimented and repointed the IP address of a spare subdomain at my own ip address so that now seems to work - the subdomain correctly going to the nettalk webserver on my pc. Now presumably all I need is a SSL certificate for the subdomain?
-
yes.
as you have determined, pointing a sub domain at any IP address is possible - so you can definitely host it yourself if you have a fixed IP address. If you have a dynamic IP address then it gets more complicated, but I'm sure yours is fixed.
cheers
Bruce
-
OK fantastic - I got there in the end!
It is all a learning experience at the moment - trouble is that what is obvious to those experienced in web apps/hosting etc. is not to those of us that are new to this.
Many thanks for everyone's help.
Ian
-
Whilst I thought I was there, I actually have hit another snag re the actual certificate.
My starting point is that I can access the nettalk webserver app via my URL using https://sub.mydomain.com, with the webserver using port 443 and SSL and using the supplied self certified certificate.
I then used the CreateCertificateSigningRequest.bat batch file to generate a request and pasted the text of that request into an online SSL company's form (I am trying RapidSSL free 90 day trial cert).
After verifying info and accepting email address link, I received an email with text of a "Web Server Certificate" and an "Intermediate CA".
I copied ForRealCSR.crt that had been generated into \web\certificates folder and renamed it Settings.crt, overwriting the old one.
Now I am faced with the Settings.key file which contains -----BEGIN RSA PRIVATE KEY----- ......
How do I generate the RSA private key text from where I am now?
Any guidance much appreciated!!
-
you should have got the private key in;
>> I received an email with text of a "Web Server Certificate" and an "Intermediate CA".
what extension did the "web server certificate" have?
you may need to merge the Intermediate CA in with your certificate - ie add the text of the intermediate _after_ the text in your CRT file.
cheers
Bruce
-
>> Hallo Ian,
>> I use SSL certificate from GlobeSSL. I use the standard one and it works good. Depends on your needs but this one is very cheap.
>> https://www.globessl.com/Globe-Standard-SSL.html
>> Good luck!
>> Robert
Hi Robert
I started to look into GlobeSSL and they look very reasonable. To start with I found a free trial from another provider and signed up just to test things out, but cannot see how to generate the .crt and .key files from what these other people sent me!
From your experience with GlobeSSL, do you just paste the result of the “CreateCertificateSigningRequest” batch file into their website and they just sent you the .crt and .key files? If not, how do you create these two files?
Many thanks
Ian
-
The CreateCertificateSigningRequest batch file creates the private key because you need it to create the CSR. The batch file does this:
openssl genrsa -out .\YourCARoot\private\ForReal.key -rand .\YourCARoot\private\YourRandom.rnd -des3 2048
-
Many thanks to Bruce and others that have guided me through the process. I have learned a lot and thought I would document my experience......
Introduction:
As standard, Nettalk provide a “self certified” SSL certificate which is fine for testing purposes, but any user accessing the site will get warnings from their browser to the effect that the site is not trusted – this is obviously unacceptable for end users.
The certificate comprises two files:
xxxxx.crt
and xxxxx.key
By default xxxxx is “Settings”, so we have Settings.crt and Settings.key
The solution to avoid these warnings is to get an official SSL certificate from one of a number of suppliers. The cost of these varies enormously from about $8 per year to several hundred dollars per year. I have successfully purchased a 1 year certificate for a single domain (actually a sub domain) for $8.90 from www.globessl.com
The following steps were needed to create the certificate files:
1. Go to C:\Clarionx\3rdparty\bin\MakeCertificates folder
2. Run batch file CreateCertificateSigningRequest.bat which will ask for various information about the domain (or sub domain) and its owners etc. See "Create Certificate Signing Request" at http://www.capesoft.com/docs/nettalk/NetTalkWebSecure.htm#Getting_a_Paid-For_certificate
3. The process in 2. above will generate two files:
a) C:\Clarionx\3rdparty\bin\MakeCertificates\YourCARoot\certs\ForRealCSR.crt
This contains the text of the Cert. Signing Request which you will need to copy in its entirety into clipboard ready to paste into the SSL provider's website when asked. NB. You can test the copied code by pasting into https://www.networking4all.com/en/support/tools/csr+check/
b) C:\Clarionx\3rdparty\bin\MakeCertificates\YourCARoot\private\ForReal.key
This is a private key file which you should copy to the \Web\Certificates folder of your webserver and rename as appropriate, eg. Settings.key
4. After you have registered and paid and clicked on verification email etc. from GlobeSSL, they will email you a .crt file which will be named as "your domain.crt". You need to copy this to the \Web\Certificates folder of your webserver and rename as appropriate, eg. Settings.crt
5. Ensure that your domain or subdomain is pointing to the correct folder that the nettalk webserver is installed in and that the webserver app is running and set to port 443 and SSL is enabled. It should then just work and the browser will not issue any warnings and will verify that there is a valid certificate!
It has been a bit of a learning experience for me, but if you follow the above steps, you should be able to do everything in a very little time.
Some things I have learned along the way.....
- SSL certificates can only generally be issued to domain names or sub-domains and not to an IP address
- Shop around for SSL providers as the costs vary enormously
- A SSL certificate can be set up and working in minutes
- The SSL provider can be completely independent of the domain name registrar and independent also of the host of the webserver
- You can easily "point" a domain or sub-domain at any IP address by simply editing the "A" record's IP address by logging into the domain name registrar's website. I have just pointed the "A" record at the IP address of my own office and set Port redirection of Port 443 on my router to point at the internal IP address of the PC running the webserver app. The effect of this repointing could take a number of hours to become live.
Cheers
Ian
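
A pre-install check for the two files discussed in this thread, as an added example that is not part of the original posts or NetTalk's own code: it reads the PEM labels to catch a CSR saved as the .crt, a certificate file with no intermediate CA appended, and a passphrase-encrypted key. The function names and the sample blocks are constructed for illustration.

```python
import base64
import re

# One PEM block; the BEGIN label says what kind of object the block holds.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def make_pem(label, headers=""):
    """Constructed sample block: dummy payload, not a real key or certificate."""
    body = base64.b64encode(b"constructed sample").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

def pem_blocks(text):
    """Return [(label, encrypted)] for every PEM block, in file order."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Keys written by "genrsa -des3" carry "Proc-Type: 4,ENCRYPTED" headers.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        base64.b64decode(payload, validate=True)  # raises on a mangled paste
        encrypted = "ENCRYPTED" in label or any("ENCRYPTED" in h for h in headers)
        found.append((label, encrypted))
    return found

def check_pair(crt_text, key_text):
    """Findings for the contents of a .crt / .key pair (empty list = none)."""
    findings = []
    crt = [label for label, _ in pem_blocks(crt_text)]
    keys = [(lab, enc) for lab, enc in pem_blocks(key_text)
            if lab.endswith("PRIVATE KEY")]
    if any(label.endswith("CERTIFICATE REQUEST") for label in crt):
        findings.append("crt holds the CSR, not the certificate the CA issued")
    if any(label.endswith("PRIVATE KEY") for label in crt):
        findings.append("crt contains a private key")
    certs = crt.count("CERTIFICATE")
    if certs == 0:
        findings.append("crt holds no certificate")
    elif certs == 1:
        findings.append("crt has no intermediate CA appended")
    if not keys:
        findings.append("key file holds no private key")
    elif keys[0][1]:
        findings.append("private key is passphrase-encrypted")
    return findings

if __name__ == "__main__":
    # The snag from the thread: the CSR file copied in as Settings.crt.
    print(check_pair(make_pem("CERTIFICATE REQUEST"), make_pem("RSA PRIVATE KEY")))
```

It checks only the block labels and base64 framing; whether the key actually belongs to the certificate still has to be confirmed with OpenSSL or a key-matcher tool.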
-
Hallo Ian,
I see you like the hard way! ;)
Did you follow the instructions received by email from GlobeSSL ?
Also you can find these tools on their web site. With the crt received by email you can create the key. Then rename both and copy to your certificates folder. No more than 5 min :)
https://confirm.globessl.com/autocsr.html
https://confirm.globessl.com/csr-decoder.html
https://confirm.globessl.com/key-matcher.html
I received by email the CRT and Bundle. And with the tools above I generate the key. Then rename the crt and key ( www_MyDomain_com.crt AND www_MyDomain_com.key ) copy to nettalk folder and it’s done. 5 min :o)
Good luck!
Robert