Is the way for us to change our system to HTTPS only with an active certificate, as well as only using FQDN?
Jeroen Geldhof [SLC] [DevOps Enabler] Selected answer as best 21st August 2020
An FQDN and a trusted active certificate are indeed required to use HTTPS. What certificate you can use depends on whether your system is publicly accessible on the internet or not:
- If publicly accessible, for example https://dataminer.company.com/, you can get a certificate from a certificate authority, which you can import and use in IIS. To make use of Let's Encrypt, see this blog post.
- If access is limited to a private network (intranet), for example https://dataminer.company.local/, you can generate your own certificate(s), which you can sign with a self-generated root certificate that has to be installed on every machine (servers and clients). In Skyline we created our own "*.skyline.local" certificate that is signed by our Skyline Root certificate. See this post on how to generate your own certificate using OpenSSL. Basically, it comes down to this:
- Generate new private key:
  openssl genrsa -out device.key 2048
- Create a new certificate:
  openssl req -new -key device.key -out device.csr -config yourcert.cnf
- Sign the new certificate with the root certificate:
  openssl ca -config RootCA.cnf -out device.crt -extfile yourcert.extensions.cnf -in device.csr -days 500
- Create Windows server pfx package:
  - copy /b RootCA.pem+device.crt bundle.crt
  - openssl pkcs12 -export -out yourcert.pfx -in bundle.crt -inkey device.key -name "My Self-Signed SSL Certificate"
- Import the pfx package in IIS
- Follow the instructions of the DataMiner help.
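A pre-import check for the files produced by the OpenSSL steps in the answer, as an added example that is not part of the original answer: it confirms that device.crt chains to the private root, carries a subjectAltName covering the FQDN, and matches device.key. The function names `check_cert` and `make_demo_pki` are hypothetical, and the demo PKI is constructed throwaway material signed with `openssl x509 -req` rather than `openssl ca`, because RootCA.cnf is not shown on the page.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. File names follow the answer;
# the demo PKI below is constructed throwaway material.

# check_cert ROOT LEAF KEY FQDN: prints the first failed check, returns 0 if all pass.
check_cert() {
  local root=$1 crt=$2 key=$3 fqdn=$4
  # 1. The leaf must chain to the private root that clients will trust.
  openssl verify -CAfile "$root" "$crt" >/dev/null 2>&1 ||
    { echo "FAIL: does not chain to root"; return 1; }
  # 2. Browsers match the host name against subjectAltName, so a CN-only
  #    certificate is rejected here even though its CN equals the FQDN.
  openssl x509 -in "$crt" -noout -text | grep -q "Subject Alternative Name" ||
    { echo "FAIL: no subjectAltName"; return 1; }
  openssl x509 -in "$crt" -noout -checkhost "$fqdn" | grep -q "does match" ||
    { echo "FAIL: $fqdn not covered"; return 1; }
  # 3. The private key packed into the pfx must belong to this certificate.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] ||
    { echo "FAIL: key does not match certificate"; return 1; }
  echo "OK"
}

# make_demo_pki DIR FQDN: builds a demo root, a leaf with SAN (device.crt)
# and a CN-only leaf (nosan.crt). Signs with "openssl x509 -req" instead of
# "openssl ca" because RootCA.cnf is not shown on the page.
make_demo_pki() {
  local d=$1 fqdn=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$d/RootCA.key" -out "$d/RootCA.pem" 2>/dev/null
  openssl genrsa -out "$d/device.key" 2048 2>/dev/null
  openssl req -new -key "$d/device.key" -subj "/CN=$fqdn" -out "$d/device.csr"
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$d/ext.cnf"
  openssl x509 -req -in "$d/device.csr" -CA "$d/RootCA.pem" -CAkey "$d/RootCA.key" \
    -CAcreateserial -days 2 -extfile "$d/ext.cnf" -out "$d/device.crt" 2>/dev/null
  openssl x509 -req -in "$d/device.csr" -CA "$d/RootCA.pem" -CAkey "$d/RootCA.key" \
    -CAcreateserial -days 2 -out "$d/nosan.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_pki "$demo" dataminer.company.local
check_cert "$demo/RootCA.pem" "$demo/device.crt" "$demo/device.key" dataminer.company.local
check_cert "$demo/RootCA.pem" "$demo/nosan.crt" "$demo/device.key" dataminer.company.local || true
```

Against real files, call `check_cert RootCA.pem device.crt device.key <your FQDN>` before building the pfx; a certificate that fails the subjectAltName check needs the SAN added in yourcert.extensions.cnf and must be re-signed.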