The Xentara Web Service v1.2.1
User Manual
Security

The Xentara Web Service only supports encrypted communication over HTTPS. Plain-text HTTP is not supported for security reasons: everything exchanged with the Web Service, including credentials, would otherwise cross the network unencrypted.

Server Certificate

In order to accept secure connections, the Web Service needs access to a valid TLS (SSL) certificate for the host name that clients use to reach it. You can either get a certificate from a trusted certificate authority (CA), or you can use a self-signed certificate. If you use a certificate from a trusted certificate authority, clients will generally recognize the certificate as trusted without any special configuration. If you use a self-signed certificate, the certificate must usually be added to the list of trusted certificates in the client.

If your company operates its own CA, you can also use a certificate issued by that CA. Clients then need to trust that CA's root certificate, which in a managed environment is usually already the case.

Creating a Self-Signed Certificate

See also
OpenSSL

Self-signed certificates are certificates you generate yourself. Such certificates are not trusted by clients by default, because anyone, including an attacker, can generate a self-signed certificate for any host name. For a self-signed certificate to be trusted by a client, the certificate must usually be installed in the client's certificate store.

You can generate a self-signed certificate using OpenSSL. To generate a certificate, use the following OpenSSL command:

openssl req -nodes -x509 -newkey rsa:4096 -keyout certificate.pem -out certificate.pem -sha256 -days 36500

This will generate a file named certificate.pem in the current directory. The file will contain both the private key and the certificate, as required by the Xentara Web Service. The command prompts for the certificate subject; enter the host name that clients use to reach the server as the Common Name. Many current clients, including web browsers, match the host name against the subjectAltName extension rather than the Common Name; with OpenSSL 1.1.1 or later you can add one with -addext "subjectAltName=DNS:<host name>". Note that -nodes writes the private key without passphrase protection, so restrict the file's permissions to the account the Web Service runs under.

The option -days 36500 makes the certificate valid for 36500 days, or approximately 100 years. If you use a shorter validity period (365 days is a common choice), please remember that the certificate must then be replaced at regular intervals on both the server and the client. Conversely, a very long-lived certificate stays usable until you replace it yourself, so a private key that has been exposed must be replaced immediately rather than left to expire.

Certificate File Structure

The server certificate must be a PEM file containing both the certificate and the private key. PEM files are plain text files, so they can be created and inspected with an ordinary text editor. The Base64 content in the example below is a placeholder, not real key material. A typical certificate file has the following structure:

-----BEGIN PRIVATE KEY-----
VGhpcyBpcyBub3QgYSByZWFsIHByaXZhdGUga2V5LiBJdCBpcyBBSSBnZW5lcmF0
ZWQgbm9uc2Vuc2UuIFRoZSBwZXJzb24gd2l0aCB0aGUgcHVibGljIGtleSBpbiB0
aGF0IGNhc2UgaXMgb25seSBkb2luZyB0aGUgc2FtZSB0aGluZyBhcyBldmVyeW9u
ZSBlbHNlIHdobyBoYXMgcHJpdmF0ZSBrZXkuIFRoZXkgYXJlIGRvaW5nIG1vcmUg
dGhhbiBqdXN0IHJ1bm5pbmcgdGhlIHJhbmRvbSBkYXRhIGdlbmVyYXRlZCBmcm9t
IHJhbmRvbSBkYXRhLg==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
VGhpcyBpcyBub3QgYSByZWFsIGNlcnRpZmljYXRlLiBJdCBpcyBBSSBnZW5lcmF0
ZWQgbm9uc2Vuc2UuIFRoaXMgdHlwZSBpcyBhIHByb2dyYW1taW5nIGxhbmd1YWdl
LiBJdCBpcyBhIHByb2dyYW1taW5nIHRvb2wgYW5kL29yIGhhcmR3YXJlLiBJdCBp
cyBhIHByb2dyYW1taW5nIGxhbmd1YWdlLiBJdCBpcyBsaWtlIHRoZSB3b3JkIG9m
IHRoZSBiaWJsZTogInByb2dyYW1taW5nIGxhbmd1YWdlcyBhcmUgZGVzaWduZWQg
dG8gd29yayB3ZWxsIHdpdGggdGhlIGh1bWFuIHNlbnNlcyBvZiBoZWFyaW5nIGFu
ZCBzaWdodCB3aXRoIGFuZCB3aXRob3V0IHRoZSBhc3Npc3RhbmNlIG9mIGV4dGVy
bmFsIGRldmljZXMsIGluc3RydW1lbnRzIG9mIGluZm9ybWF0aW9uIHByb2Nlc3Np
bmcsIG9yIG90aGVyIHBoeXNpY2FsIG1lYW5zIi4=
-----END CERTIFICATE-----
Warning
Do not share the block enclosed in -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- with anyone. This block contains the server's private key, and anyone who has that key can impersonate the Web Service to every client that trusts the certificate. Keep the file readable only by the account the Web Service runs under. To install the certificate as a trusted certificate on a client, copy out only the block enclosed in -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----; the certificate alone is all a client needs.
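The following shell script is an added example, not part of the Xentara Web Service or its manual, and ties together the certificate creation step and the file-structure rules above: it generates the combined key-and-certificate file non-interactively with a subjectAltName (OpenSSL 1.1.1 or newer is assumed for -addext), checks that the file the server will load has exactly one private key block and one certificate block and is not readable by other users, and writes out a certificate-only copy for distribution to clients. The host name xentara.example.com, the file names, and the XENTARA_CERT_DEMO environment variable are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the Xentara Web Service or its manual.
# Assumes OpenSSL 1.1.1 or newer (for -addext). Host name, file names and
# the XENTARA_CERT_DEMO variable are placeholders chosen for this example.

# Generate a combined private-key + certificate PEM file for HOST into OUT,
# valid for DAYS days (default 365). Compared to the bare command in the
# manual this sets the subject (no interactive prompts) and adds a
# subjectAltName, which current clients use for host-name matching.
# The subshell limits the umask change, so OUT is created with mode 0600.
generate_self_signed() {
    host="$1"; out="$2"; days="${3:-365}"
    ( umask 077 && openssl req -nodes -x509 -newkey rsa:4096 -sha256 \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$out" -out "$out" )
}

# Count the PEM blocks with label LABEL (e.g. CERTIFICATE) in FILE.
# grep -c exits 1 when the count is 0, which is not an error here.
count_blocks() {
    grep -c "^-----BEGIN $2-----\$" "$1" || true
}

# Print only the CERTIFICATE block(s) of FILE. The PRIVATE KEY block is
# never copied, so the output is safe to hand to clients for installation
# in their trust store.
extract_certificate() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"
}

# Sanity-check the file the server will load: exactly one private key,
# exactly one certificate, and no read permission for group or others.
# Returns 0 when everything is in order, 1 otherwise.
check_server_file() {
    f="$1"
    [ "$(count_blocks "$f" 'PRIVATE KEY')" -eq 1 ] \
        || { echo "$f: expected exactly one PRIVATE KEY block" >&2; return 1; }
    [ "$(count_blocks "$f" CERTIFICATE)" -eq 1 ] \
        || { echo "$f: expected exactly one CERTIFICATE block" >&2; return 1; }
    [ -z "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ] \
        || { echo "$f: private key file is readable by other users" >&2; return 1; }
    return 0
}

# Stand-alone use: XENTARA_CERT_DEMO=1 sh make-cert.sh
if [ "${XENTARA_CERT_DEMO:-0}" = "1" ]; then
    generate_self_signed xentara.example.com certificate.pem 365
    check_server_file certificate.pem
    extract_certificate certificate.pem > certificate-for-clients.pem
    # Show what clients will see; -subject and -dates are standard x509 options.
    openssl x509 -in certificate-for-clients.pem -noout -subject -dates
fi
```

Run check_server_file against the file configured for the Web Service after every certificate rotation; it catches the two mistakes that are easy to make when editing PEM files by hand, a missing or duplicated block and a key file left world-readable. Give clients only the output of extract_certificate.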