Title: Setting up HTTPS

Traction makes it easy to run with HTTPS. After familiarizing yourself with How HTTPS Works, follow these instructions to turn on TLS (the successor to SSL).

First, go to Server Setup | Network, and change the pull-down menu from No Encryption to TLS Encryption.



When you do this, the message, "TLS Encryption requires a server private key. Click here to manage the private key." appears underneath:



Click the link to open the Server Private Key page of the Manage Trust Store interface.



If You Already Have a Private Key



Most people don't, but if you do, you'll know it. To import an existing private key and certificate pair (you'll have both), first make sure the certificate is in PEM format and the private key is in PKCS#8 format (you can use OpenSSL to convert them if necessary). You should now have a .pem file and a .p8 file.



Click the browse buttons to select each file, then click Import. The window should update with the correct information, and you should be all set.
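As an added example (not Traction's own code), here is the OpenSSL conversion mentioned above, plus a check that the key and certificate actually belong together before you import them. It assumes the openssl command-line tool; the sample key and certificate are constructed on the spot and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not Traction's code: bring an existing key/certificate pair into
# the PEM certificate + PKCS#8 key form the import dialog expects, and confirm the
# two belong together before importing. Assumes the openssl CLI; paths are hypothetical.
set -eu
WORK=$(mktemp -d)

# Constructed sample pair: a self-signed certificate delivered as DER plus its key.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=traction.example.com/O=Example Co" \
        -keyout "$WORK/server.key" -out "$WORK/server.der" -outform DER 2>/dev/null
}

# Certificate in DER or PEM -> PEM (.pem)
cert_to_pem() {
    inform=PEM
    grep -q "BEGIN CERTIFICATE" "$1" 2>/dev/null || inform=DER
    openssl x509 -inform "$inform" -in "$1" -out "$2"
}

# Key in PKCS#1 ("BEGIN RSA PRIVATE KEY"), PKCS#8 or encrypted form -> unencrypted PKCS#8 (.p8).
# An encrypted input prompts for its passphrase; the output is written in the clear.
key_to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# 0 only when the key's public half equals the public key embedded in the certificate.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 = both files converted and they match, so they are safe to import together.
prepare_for_import() {
    make_sample_pair
    cert_to_pem "$WORK/server.der" "$WORK/server.pem"
    key_to_pkcs8 "$WORK/server.key" "$WORK/server.p8"
    grep -q "BEGIN PRIVATE KEY" "$WORK/server.p8" || return 1    # PKCS#8 header
    key_matches_cert "$WORK/server.p8" "$WORK/server.pem"
}

prepare_for_import && echo "ready: $WORK/server.pem + $WORK/server.p8"
```

A mismatch between the .p8 and .pem files is the usual cause of an import that "succeeds" but still leaves the browser complaining, so run the check before you click Import.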

Creating a Private Key



To create a new private key, click the generate button:



This will take you to the Generate Key page:



You will need to fill in this form correctly.

Common Name



This is the most important field. You must enter the permanent address of your server, normally its (internal or external) DNS address. For example, if your server's URL is traction.mycompan…, you must enter traction.mycompany.com. Port designations (e.g. :80, :443, :8080) should not be included.

Note: if the address portion of the URL does not exactly match what you enter here, the browser may still complain, even if you have paid to have the certificate signed.

If you do not have DNS set up or another permanent address for your server, you can still proceed with HTTPS configuration, but the browser will complain if the address in the URL doesn't match the address you enter here.

Organizational Unit



Typically a division of an organization, often used for a branch of the company or a specific location.

City, State, Country Code



Standard fare; see the example below.

Key Algorithm



Traction supports RSA and DSA. If you have no reason to select DSA, we recommend sticking with the default RSA.

Key Size



This is the number of bits in the generated key. Longer keys present a greater barrier to anyone trying to break the encryption.



Expiration



Choose how long you want this key to be valid. The limit is 10 years.

When you have filled in the form, click the Generate Key button. The Server Private Key page will return, this time showing the details of your private key.



Activate HTTPS



Note: You do not have to activate HTTPS right away; you can wait until you have a signed certificate, but you can also activate it now.

Now that your private key is ready, if you would like to, you can activate HTTPS on the Server Setup | Network page. Switch back to that window and press Apply.

At this point, your server is in HTTPS mode. Most browsers indicate this by showing a lock icon in the status bar. Due to the way HTTP keep-alive works, you may be able to continue talking to the server for a limited time without changing the URL, but the communication is now encrypted.

Note that it is typical for HTTPS servers to run on port 443; your preferred configuration may call for a different port. In either case, now may be a good time to change the port number using the Port setting on the Server Setup | Network page. You may also choose to change the port at a later time. While it is not necessary to change the port number, it is not recommended to run Traction in HTTPS mode on port 80, which is usually reserved for ordinary HTTP services.

Before continuing, we suggest you change the URL from http to https. If you changed your port number to 443, you will no longer need a port number on your URL; if you changed your port number to any other number, you will need to make sure that it is on the URL and that it correctly reflects Traction's current port number.

Chances are, unless you imported a signed certificate, the first thing you will see when you connect to the Traction server is a warning from your browser.



You can prevent this dialog by getting your certificate signed (next section). If you would rather not get your certificate signed, you can click View Certificate to show the certificate. In Internet Explorer, this looks like:



If you would like to tell your browser to trust this certificate (and not warn you), you can install the certificate in the browser.

Getting your Certificate Signed



To generate a Certificate Signing Request (CSR), return to the Server Private Key page in the Manage Trust Store dialog and click the Certificate Signing Request Generate button.



This will show a CSR.



You can then copy and paste this into a CA's CSR form. For example, using InstantSSL, this looks like:



Note: Traction is unlikely to be listed as a server software selection, but what you select shouldn't make a difference.

You can fill in the additional pages, usually just contact and credit card information. Often your certificate will arrive in email within 10 minutes.

Often what you get back is a .zip file containing all the certificates in the certificate chain.



You should unzip this file in preparation for the next step.



In this case, the top-level CA is GTECyberTrustGlobalRoot, then ComodoSecurityServicesCA.

Importing the Signed Certificates



The order in which you take the next steps matters: first import the certificates that establish the trust chain to your signed certificate, then import your signed certificate.

Importing the Trusted Certificates (Trust Chain)



In our example, we need to build the chain from GTE down through Comodo to our certificate. To do this, we first import the GTE trusted certificate by browsing to the file, typing an optional alias, and clicking Add.



The certificate appears in the list along with the private key.



We repeat the process for the subsequent certificates down the chain. If you don't get the order exactly right, don't worry; as long as all the trust chain certificates are added before your own certificate is imported, Traction should be able to determine the order of the chain.

Here we have imported both trust certificates.
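An added example, not part of the original article or of Traction: before importing, use OpenSSL to verify that the delivered chain really links your signed certificate back to the root, that its Common Name matches the server address (see Common Name above), and that it is still valid. It assumes the openssl command-line tool; the root, intermediate and server files are a constructed chain standing in for GTECyberTrustGlobalRoot, ComodoSecurityServicesCA and your own certificate.

```shell
#!/bin/sh
# Added example, not Traction's code: sanity-check a delivered certificate bundle
# before importing it (trust chain first, then your signed certificate).
# Assumes the openssl CLI. root/int/server are a constructed chain standing in
# for GTECyberTrustGlobalRoot -> ComodoSecurityServicesCA -> your certificate.
set -eu
WORK=$(mktemp -d)

issue() {   # args: name  issuer-name|self  subject  extension-file
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    if [ "$2" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -extfile "$WORK/$4" -days 30 -out "$WORK/$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
            -CAcreateserial -extfile "$WORK/$4" -days 30 -out "$WORK/$1.pem" 2>/dev/null
    fi
}

make_sample_chain() {   # CA certs need basicConstraints=CA:TRUE or verify rejects them
    printf 'basicConstraints=CA:TRUE\n'  > "$WORK/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"
    issue root   self "/CN=Sample Root CA"                     ca.ext
    issue int    root "/CN=Sample Services CA"                 ca.ext
    issue server int  "/CN=traction.example.com/O=Example Co" leaf.ext
}

chain_verifies() {   # args: root.pem server.pem [intermediate.pem]; 0 = chain is complete
    if [ $# -ge 3 ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else                  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}

cn_matches() {   # args: server.pem expected-hostname; CN must equal the host part of the URL
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    case ",${subj#subject=}," in *",CN=$2,"*) return 0 ;; esac
    return 1
}

valid_for_days() {   # args: server.pem N; 0 = still valid N days from now
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

check_bundle() {   # args: root.pem int.pem server.pem hostname
    chain_verifies "$1" "$3" "$2" && cn_matches "$3" "$4" && valid_for_days "$3" 1
}

make_sample_chain
check_bundle "$WORK/root.pem" "$WORK/int.pem" "$WORK/server.pem" traction.example.com \
    && echo "bundle verified: import root, then int, then server"
```

Running chain_verifies without the intermediate fails, which is exactly what the browser will see if a link of the trust chain is never imported.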



Importing the Actual Signed Certificate



When importing this file, you need to use the Import Signed Certificate section's Import button.

Browse to the file and click Import.



Traction should report Import successful:



Also, the entry for your private key should now look different; rather than just reporting the basic details, it should now show the entire certificate chain:

Before Importing Signed Certificate

After Importing Signed Certificate



Now when you close all your browser windows and reopen the web browser, you should not get any warnings. If you click the lock icon to inspect the certificate, you will see the details. The status will be listed as OK. You will also be able to see the expiration date.



In this case, the free trial certificate is valid for 30 days.

Normal HTTPS setup is now complete.

Article: Doc264
Date: March 22, 2008; 4:19:33 PM EDT
Author Name: Documentation Importer
Author ID: importer