SSL stands for Secure Socket Layer, a protocol developed by Netsacpe for secure transactions across the Web. SSL uses a form of public key encryption, where the information can be encoded by the browser using a publicly available public key, but can only be decoded by someone who knows the corresponding private key.

Certificates
A server certificate is a digitally-encrypted message that informs the browser what organisation it is accessing. To prevent people from making up certificates and pretending to be official organizations, certificates can be obtained from a certificate authority, who act as a third-party to verify that the organisation using the certificate is who they say they are. Probably the best know authority is Verisign in the US. GeoTrust has also been confirmed to work with the Sambar Server (special thanks to James Wright and Ken Stoddart for verifying this); you'll likely find GeoTrust's customer service and pricing more appealing than Verisign's. Important: Equifax certificates are not supported by the Sambar Server. Several customers have reported problems in the certificate chaining code which prevents the Equifax certificate from being recognized authority with the default OpenSSL distribution. This may now be resolved as Equifax has established their own RootCA since they were last tested.

Configuration
The Sambar Server can run a Secure Socket Layer (SSL) Server Daemon. This implementation uses DLLs from the OpenSSL library. OpenSSL is a free implementations of the Secure Socket Layer protocol written by Eric Young.

The SSL/TLS DLLs are shipped with the Sambar Server. In order to run in secure mode, the appropriate Sambar Server configuration parameters must be set and the OpenSSL DLLs ssleay32.dll and libeay32.dll must be found in the bin directory where the Sambar Server is installed. If these DLLs are not present, the server will fail to startup if HTTPS is enabled. A web-based GUI for creating and installing certifications is available using the SSL link off the System Administration console.

What follows are the manual steps necessary for creating and installing an SSL certificate (for self-signed certificates, the GUI configuration in the System Administration console can be used in place of this manual process.)

The first step of running the Sambar SSL Server is to generate a Private Key. For that, feed a file of random text (randfile) to the key generation routine provided with the SSLeay libary. To generate a key, type:

openssl genrsa -rand randfile -out key.pem 1024

This command sequence will generate a 1024-bit RSA private key and store it in the file key.pem. This key file should be copied to the config directory of the Sambar Server. The key should look like:

-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm
q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko
nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw
ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg==
-----END RSA PRIVATE KEY-----

Obtaining a certificate (Digital ID)

Next you must generate a Certificate Signing Request (CSR). The CSR is what contains the name information for the certificate (Country, State/Province, City, Organization, Division, Web Server Domain Name, etc). It also contains your public key.

The formats of certificate and CSR used by the Sambar Server are the same as those used by Apache-SSL (both servers use SSLeay for their SSL implementations). CSR should be sent for verification to Certificate Authority (CA) e.g. Verisign (www.verisign.com) or Thawte (www.thawte.com).

To generate your CSR, run:

openssl req -new -key key.pem -out req.pem -config ..\config\openssl.cnf

This command sequence will prompt you for the attributes of your certificate. Remember to give the secure server domain name when you would be prompted for "Common Name".

The request should look like:

-----BEGIN CERTIFICATE REQUEST-----
MIIBGzCBxgIBADBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEa
MBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0
2NNtXrT8odkCAwEAATANBgkqhkiG9w0BAQQFAANBAC5JBTeji7RosqMaUIDzIW13
oO6+kPhx9fXSpMFHIsY3aH92Milkov/2A4SuZTcnv/P6+8klmS0EaiUKcRzak4E=
-----END CERTIFICATE REQUEST-----

You will now have a private key file (key.pem) and a CSR file (req.pem). Finally, send the req.pem file to the Certificate Authority (i.e. Verisign or Thawte).

Upon reception of a signed certificate from CA, name the certification cert.pem and place it in the config directory along with the key.pem file.

The certificate should look like:

-----BEGIN CERTIFICATE-----                                     
MIICLjCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
dp7jnmWZwKZ9cXsNUS2o4OL07qOk2HOywC0YsNZQsOBu1CBTYYkIefDiKFL1zQHh
8lwwNd4NP+OE3NzUNkCfh4DnFfg9WHkXUlD5UpxNRJ4gJA==                
-----END CERTIFICATE-----                                       

You can also generate a temporary (untrusted) test certificate by running:

openssl req -new -key key.pem -out cert.pem -x509 -config ..\config\openssl.cnf

You can get a 21 day temporary untrusted certificate from Thawte at Thawte.com. For internal corporate use, you might want to get a free trial certificate server from Verisign (choose Apache-SSL) or from Thawte (chose Generate an X.509v3 certificate & Use the most basic format).

The certificate file received from VeriSign or Thawte must be placed in the config directory and either named cert.pem or the Certificate File parameter in the config.ini file must be modified to the name of the file containing the certificate. Similarly, the private key file must be named key.pem or the Private Key File parameter in the config.ini file must be modified. Finally, the CA Certificate File parameter in the config.ini file should be configured to be ca-bundle.crt (included in the default installation).

Starting the HTTPS Server
The HTTPS server does not start by default, it must be enabled via the config.ini file entry Act As HTTPS Server = true. By default, the HTTPS server runs on port 443; this too can be changed via the config.ini entry HTTPS Port = 443.

SSL and Virtual Hosts
Presently, only a single private key and certificate file can be configured for the Sambar Server. To get the Sambar Server to support multiple SSL certs, for servers that host more than one domain, SSL (x509 version 3, specifically), has built-in support for multiple domains per certifcate! Just add the following line to your config/openssl.cnf file, in the [ v3_ca ] section:

subjectAltName = DNS:http://www.test.com,DNS:*.kensystem.com,DNS:*.etc.com

This line adds additional domains that browsers will validate a certificate against. Note the comma-separated-list format; it allows you to add as many or as few as you want. As in the example, you can also use wild card certs.

You will need to re-create any existing certificates after adding that line to openssl.cnf, put the cert into your config directory, and then restart your server.

Certificate Chain Files
The certificate chains used by the server for authentication can be specified using the CA Certificate File. This file must be a PEM file. The ca-bundle.crt can be added to and then converted to a PEM file using the command:

openssl x509 -inform DES -in ca-bundle.crt -out ca-bundle.pem -text

Then add ca-bundle.pem to the CA Certificate File configuration parameter.

Intermediate Certificate Signers
When using intermediate certificate signers like GoDaddy, two changes must be made to the SSL configuration using the System Administration SSL configuration pages. The first is that the SSL Verify Depth must be set to at least the size of the SSL chain (typically 3 rather than the default 1). In addition, the SSL Export Cert Data configuration parameter should be set to Yes rather than the default No so that the certificate chain details will be exported property to inquiring clients.