Configuring SSL in SimpleHelp
SimpleHelp automatically secures your data by encrypting all communications when using any SimpleHelp application. There is no additional need to configure SimpleHelp in order to secure data sent between a technician and the server, or a technician and a remote machine. However, you may wish to configure SimpleHelp to use a SSL certificate. This guide explains the steps you can take to do this.
Many commands in this guide use the keytool application that is distributed with your SimpleHelp server in the under the jre/bin folder.
Two different approaches to configure SSL are covered in this guide. The first details how you might use SimpleHelp's Let's Encrypt built in functionality to configure a free SSL certificate on your server. The second approach details how you might use an existing SSL certificate with your SimpleHelp server.
Many commands in this guide use the keytool application that is distributed with your SimpleHelp server in the under the jre/bin folder.
Two different approaches to configure SSL are covered in this guide. The first details how you might use SimpleHelp's Let's Encrypt built in functionality to configure a free SSL certificate on your server. The second approach details how you might use an existing SSL certificate with your SimpleHelp server.
Let's Encrypt SSL Certificates
Let's Encrypt SSL Certificates are free short duration SSL certificates. SimpleHelp is able to request, download and install these certificates with minimal configuration required.
NOTE: It is only possible to configure a Let's Encrypt Certificate on servers that are publicly accessible on port 80.
The section CONFIGURING HTTPS / SSL ACCESS in the SimpleHelp Administrator Guide contains additional information on how to configure a Let's Encrypt Certificate.
NOTE: It is only possible to configure a Let's Encrypt Certificate on servers that are publicly accessible on port 80.
The section CONFIGURING HTTPS / SSL ACCESS in the SimpleHelp Administrator Guide contains additional information on how to configure a Let's Encrypt Certificate.
Using an Existing SSL Certificate
The remainder of this guide details how you might use an existing SSL certificate purchased from a SSL authority with your SimpleHelp server.
How SSL Certificates Work in SimpleHelp
SimpleHelp expects your certificates to be contain in a certificate store. This ensures that all your certificates and private key information is securely encrypted while held on disk. The certificate store should contain a complete certificate chain, which is usually comprised of:
The intermediate certificates create a link between the trusted root and your certificate, so a browser knows to trust your certificate if it trusts the root certificate.
SimpleHelp supports Java Keystores (JKS) and PKCS12 (PFX/P12) stores.
NOTE: If there are intermediate or root certificates missing the SSL status may appear fine in your browser, but SimpleHelp applications will continue to not load over SSL until this is rectified.
- your certificate and private key,
- a root certificate which identifies the trusted certificate authority, and
- any intermediate certificates required.
The intermediate certificates create a link between the trusted root and your certificate, so a browser knows to trust your certificate if it trusts the root certificate.
SimpleHelp supports Java Keystores (JKS) and PKCS12 (PFX/P12) stores.
NOTE: If there are intermediate or root certificates missing the SSL status may appear fine in your browser, but SimpleHelp applications will continue to not load over SSL until this is rectified.
Testing your SSL Store
Once you upload a SSL store to SimpleHelp, you can test that the correct certificates have been included in the bundle. We suggest using the website:
https://www.digicert.com/help/
which will let you know if the certificate chain is complete or not.
Creating a SSL store from an IIS SSL Certificate
If you have a SSL certificate installed on Windows then it is possible to export the certificate and complete chain using these steps:
You can then upload the .pfx directly into SimpleHelp or you can convert it to a JKS store (instructions below).
- Run the command mmc to open the Management Console.
- Select File > Add / Remove Snap-In
- Locate the Certificates snap-in and add it.
- Select Computer Account > Local Computer and press Finish.
- In the Certificates snap in, expand the tree and locate the Personal folder. Expand the Certificates folder below.
- Right click on your certificate and choose ALL TASKS > Export.
- If prompted, choose to export the private key and to include all certificates in the certificate chain (do not choose to delete the private key).
- You will then be given the option to save a .pfx SSL store.
You can then upload the .pfx directly into SimpleHelp or you can convert it to a JKS store (instructions below).
Converting a PFX / P12 store to a JKS Store
You can easily convert a PFX or P12 PKCS12 store to a JKS Store using the keytool command:
keytool -importkeystore -srckeystore store.pfx -srcstoretype pkcs12 -destkeystore store.jks -deststoretype JKS
Creating a SSL store from an Apache Certificate
Apache uses the following SSL certificate settings:
SSLCertificateFile - the path to your SSL certificate file. This file may also contain the certificate key.
SSLCertificateKeyFile - the path to your SSL certificate private key file. The private key may be contained in the SSLCertificateFile.
SSLCertificateChainFile - the concatenation of PEM encoded certificates which form the certificate chain (the intermediate and root certificates).
Your certificate chain file should include your intermediate certificates and root certificate all appended together. To create a keystore using these files you will need to use openssl:
SSLCertificateFile - the path to your SSL certificate file. This file may also contain the certificate key.
SSLCertificateKeyFile - the path to your SSL certificate private key file. The private key may be contained in the SSLCertificateFile.
SSLCertificateChainFile - the concatenation of PEM encoded certificates which form the certificate chain (the intermediate and root certificates).
Your certificate chain file should include your intermediate certificates and root certificate all appended together. To create a keystore using these files you will need to use openssl:
openssl pkcs12 -export -in SSLCertificateFile -inkey SSLCertificateKeyFile -out store.p12 -name simplehelp -CAfile SSLCertificateChainFile -caname root -chain
If you receive an error Error unable to get issuer certificate getting chain then this indicates that openssl was not able to create a complete certificate chain. Make sure that all intermediate and root certificates are concatenated together in the file SSLCertificateChainFile.
Purchasing a SSL Certificate for SimpleHelp
If you wish to purchase a SSL certificate specifically for your SimpleHelp server then you can follow these steps. SimpleHelp will create a CSR (certificate signing request) that you can provide to your certificate authority when purchasing your certificate. They will then issue you with a reply certificate. In the commands below the following files are referenced:
You can request a certificate and produce a SSL store using these commands:
- root.crt - your certificate authority's root certificate.
- intermediate.crt - your certificate authority's intermediate certificate.
- certificate.crt - the certificate provided to you in response to your CSR by the certificate authority.
You can request a certificate and produce a SSL store using these commands:
- Generate a keystore containing a private key with your details:
keytool -genkey -keysize 2048 -keyalg RSA -alias simplehelp -keystore keystore.jks -storepass password
- Generate a CSR:
keytool -certreq -keystore keystore.jks -alias simplehelp -file simplehelp.csr -storepass password
- Send off the CSR (simplehelp.csr) and get issued with the certificate, as well as any root and intermediate certificates.
- Import the root certificate:
keytool -import -alias root -keystore keystore.jks -trustcacerts -file root.crt
- Import each of the intermediate certificates:
keytool -import -alias intermediate -keystore keystore.jks -trustcacerts -file intermediate.crt
- Import the supplied certificate:
keytool -import -alias simplehelp -keystore keystore.jks -trustcacerts -file certificate.crt
Step (1) creates the keystore with the private key. Step 4, 5 and 6 creates a complete certificate chain. The resulting keystore will have a private key, and 3 certificates.
