SSL Certificate for stand alone IW Server
#1
Question 
I have a stand alone IW web server not associated with an IIS web server, for example.
I have successfully used a self signed certificate created with the IWCertificateManager.exe.

In the browsers used there is the warning (error) message stating the web site is unsafe (self signed cert).
Allowing the exception then proceeds to the web page(s) and all is well.

I recently decided to use a proper SSL certificate (Sectigo in my case) and I was able to use the certificate
files successfully in the application, HOWEVER now the browser produces a warning (error) message that
the web site is unsafe because the certificate is for a domain, not 127.0.0.1 for example (allow exception etc). Tech support
for Sectigo indicated in that case a self signed certificate can be used.

I know cyber security is paramount so I am asking what am I missing? Most notes I read about self signed certificates
say that they are not to be used 'in production'. In some other posts here on this forum I saw comments that the IWCertificateManager.exe is shipped with other IW applications. How is that carried out at the end site?
I do not think you can get proper SSL Certificate without a domain (a.com or www.a.com). I saw that the more
expensive certificates allow "more" wildcards for the domain parameter(s) but I do not think that is what is needed
for a stand alone IW app.

Any comments or guidance is greatly appreciated.
I stand alone...
Reply
#2
When you generate a certificate you need to generate it for a specific domain. For example: www.yourdomain.com.

Then you need to set up your DNS records for this domain (that you purchased) to point to the "public" IP address of your IWserver. (This is usually done through a firewall.) Then all of the users should use www.yourdomain.com to get to your IWserver.
Reply
#3
Rudy,

You are correct. Self-signed certificates can only be used for development, i.e. testing of your application while you can still use the HTTPS protocol to see how it behaves. But they can't be used in production.

As Joe mentioned above, you need to take your domain (one that you probably have registered as www.yourcompany.com) and point it to the server IP address (the one where the IP application is running).

Then, whenever you type www.yourcompany.com the Internet DNS servers will resolve that to your server IP (although the request doesn't contain any IP address, only the name of the server). Then the certificate will be correctly accepted by the browser.
Reply
#4
BTW, there is an extensive document here showing how to create a production-ready SSL Certificate for your IW applications (also for Indy-based SA applications)

https://www.atozed.com/2022/11/creating-...lications/
Reply
#5
Thank you for all your feedback. I have seen the link referred to and used the instructions with success.

My environment is an Intraweb stand alone app not connected to the Internet, and the "domain" of the certificate will certainly not be available on the PC running the Intraweb stand alone app. Is there a way on the internal network that has its own "domain" but not the "domain" in the certificate to make it work? Do many different certificates need to be generated for
use on many different internal networks?
I do not understand something...

Best regards
Reply
#6
(02-21-2023, 11:53 PM)Alexandre Machado Wrote: BTW, there is an extensive document here showing how to create a production-ready SSL Certificate for your IW applications (also for Indy-based SA applications)

https://www.atozed.com/2022/11/creating-...lications/

FWIW, inside the download zip the exe internal file version (Properties|Details) for 1.0.0.3 reads 1.0.0.2.   (a nit that nobody else will care about but thought I'd mention it...)

https://www.atozed.com/intraweb/certmanager/

Dan
Reply
#7
Good afternoon, Alexander. I'm trying to implement a secure connection on a CA application.
I did everything according to the manual https://www.atozed.com/intraweb/certmanager/.
SSLOptions.Port = 443,
CertFileName, KeyFileName, RootCertFileName – specified.
The SA server starts without errors. The connection on port 80 is successful, but an error message is displayed when attempting a secure connection:
https://stk-b.ru/ - not protected

NET::ERR_CERT_AUTHORITY_INVALID

Maybe something needs to be installed somewhere in the server parameters?

The browser shows an error: Invalid certificate

Common Name (CN) stk-b.ru
Organization (O) <Is not part of the certificate>
Department (OU) <Is not part of the certificate>
Common name (CN) (STAGING) Artificial Apricot R3
Organization (O) (STAGING) Let's Encrypt
Department (OU) <Is not part of the certificate>
Date of issue Saturday, March 25, 2023 at 16:36:39
Valid on Friday, June 23, 2023 at 16:36:38
Reply
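An added example, not part of any post in this thread and not Atozed code: a small checker that reproduces the two browser decisions discussed here, the name mismatch from posts #1 and #5 (certificate issued for a domain, site opened as 127.0.0.1 or an internal name) and the untrusted issuer shown in post #7. The dict layout, the function names and the SAN list for stk-b.ru are assumptions; the subject and issuer strings are the ones quoted in post #7.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry; '*' may only replace the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(host: str, cert: dict) -> list:
    """Return the reasons a browser would reject `cert` for URL host `host`."""
    findings = []
    if _is_ip(host):
        # An IP in the URL only matches an iPAddress SAN entry, never a DNS name.
        wanted = ipaddress.ip_address(host)
        if not any(ipaddress.ip_address(ip) == wanted for ip in cert.get("san_ip", [])):
            findings.append("name-mismatch")
    elif not any(_dns_match(n, host) for n in cert.get("san_dns", [])):
        # Current browsers compare against the SAN list, not the Common Name.
        findings.append("name-mismatch")
    if "(STAGING)" in cert["issuer_cn"] + " " + cert["issuer_o"]:
        # Let's Encrypt staging chains end in a test root that no browser trusts.
        findings.append("untrusted-staging-issuer")
    elif cert["issuer_cn"] == cert["subject_cn"]:
        findings.append("self-signed")  # heuristic: issuer equals subject
    return findings

# Constructed sample: fields quoted in post #7; the SAN list is an assumption.
STAGING_CERT = {"subject_cn": "stk-b.ru", "san_dns": ["stk-b.ru"],
                "issuer_cn": "(STAGING) Artificial Apricot R3",
                "issuer_o": "(STAGING) Let's Encrypt"}
# Constructed sample: a CA-issued certificate for a hypothetical public name.
PUBLIC_CERT = {"subject_cn": "www.example.com", "san_dns": ["www.example.com"],
               "issuer_cn": "Example Issuing CA", "issuer_o": "Example CA"}

if __name__ == "__main__":
    for host, cert in [("stk-b.ru", STAGING_CERT), ("127.0.0.1", PUBLIC_CERT),
                       ("appserver.lan", PUBLIC_CERT), ("www.example.com", PUBLIC_CERT)]:
        print(host, diagnose(host, cert) or "ok")
```

The name check passes only when the host typed into the browser appears in the certificate, so an internal network needs either name resolution for the certified name or a certificate issued for the name actually used.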
#8
Many files have been created in the acmeconfig directory. Please specify which ones should be specified in the parameters of the Indy SA server.

(TIWSSLOptions) (TIWSSLCertificateOptions)
CertFileName
KeyFileName
RootCertFileName

I'm sorry for the stupid question, but what I'm doing does not lead to a result. (secure connection is not working)
Reply
#9
(03-27-2023, 06:39 AM)Сергей Александрович Wrote: Many files have been created in the acmeconfig directory. Please specify which ones should be specified in the parameters of the Indy SA server.

(TIWSSLOptions) (TIWSSLCertificateOptions)
CertFileName
KeyFileName
RootCertFileName

I'm sorry for the stupid question, but what I'm doing does not lead to a result. (secure connection is not working)

I never used the Atozed Certmanager, but if it works just like the win-acme, then you should have the following files:

stk-b.ru-key.pem 
stk-b.ru-crt.pem
stk-b.ru-chain.pem

And here is how you use them:

CertFileName := 'stk-b.ru-crt.pem'
KeyFileName := 'stk-b.ru-key.pem'
RootCertFileName := 'stk-b.ru-chain.pem'
Reply
#10
Thank you for participating. Yes, that's right, that's what I'm doing... It seems that the problem is not in how I specify the keys, but in the Windows settings...
Reply

