Title: Setting up HTTPS

Traction makes it easy to run with HTTPS. After familiarizing yourself with How HTTPS Works, follow these instructions to turn on TLS (the successor to SSL).

First, go to Server Setup | Network, and change the pull-down menu from No Encryption to TLS Encryption.

When you do this, the message, "TLS Encryption requires a server private key. Click here to manage the private key." appears underneath:

Click the link to open the Server Private Key page of the Manage Trust Store interface.

If You Already Have a Private Key

Most people don't, but if you do, you'll know it. To import an existing private key and certificate pair (you'll have both), first make sure they are in PEM and PKCS8 format (you can use OpenSSL to convert them if necessary). You should now have a .pem file and a .p8 file.

Click the browse buttons and select each file, then click import. The window should update with the correct information, and you should be all set.
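
One way to do the OpenSSL conversion mentioned above, and to confirm that the key and certificate belong together before importing them (an added example, not Traction's own tooling). It assumes the .p8 file is an unencrypted, PEM-encoded PKCS#8 private key and the .pem file is the certificate; the file names and the throwaway keys and certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Traction's own tooling): normalise a key/certificate pair
# to PKCS#8 + PEM and confirm the two belong together before importing.
set -eu

# Rewrite a private key (traditional or PKCS#8 PEM) as PEM-encoded PKCS#8.
# -nocrypt leaves the key unencrypted on disk (assumed to be what the import
# expects), so the file is created readable by its owner only.
to_pkcs8() {
    (umask 077; openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2")
}

# Normalise a certificate to PEM; accepts PEM or DER input.
to_pem_cert() {
    openssl x509 -in "$1" -out "$2" 2>/dev/null ||
        openssl x509 -inform DER -in "$1" -out "$2"
}

# Succeeds only when the certificate carries the public half of this private
# key. Any parse failure counts as a mismatch rather than a silent pass.
pair_matches() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# --- constructed sample input: throwaway keys and a self-signed certificate ---
work=$(mktemp -d)
openssl genrsa -out "$work/server.key" 2048 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null
openssl req -x509 -new -key "$work/server.key" -subj "/CN=traction.mycompany.com" \
    -days 30 -outform DER -out "$work/server.der" 2>/dev/null

to_pkcs8 "$work/server.key" "$work/server.p8"
to_pem_cert "$work/server.der" "$work/server.pem"

if pair_matches "$work/server.p8" "$work/server.pem"; then
    echo "server.p8 and server.pem match; ready to import"
fi
pair_matches "$work/other.key" "$work/server.pem" ||
    echo "other.key does not belong to server.pem"
```
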

Creating a Private Key

To create a new private key, click the generate button:

This will take you to the Generate Key page:

You will need to fill in this form correctly.

Common Name

This is the most important field. You must enter the permanent address of your server, normally its (internal or external) DNS address. For example, if your server's URL is traction.mycompan…, you must enter traction.mycompany.com. Port designations, e.g. :80, :443, :8080 should not be included.

Note: if the address portion of the URL does not exactly match what you enter here, even though you pay for a certificate to be signed, the browser may still complain.

If you do not have DNS set up or another permanent address for your server, you can still proceed with HTTPS configuration, but the browser will complain if the address in the URL doesn't match the address you enter here.

Organizational Unit

Typically a division of an organization, often used for a branch of the company or a specific location.

City, State, Country Code

Standard fare, see the example below.

Key Algorithm

Traction supports RSA and DSA. If you have no reason to select DSA, we recommend sticking with the default RSA.

Key Size

This is the number of bits in the generated key. Longer keys present a greater barrier to people trying to decrypt the data.


Choose how long you want this key to be valid. The limit is 10 years.

When you have filled in the form, click the Generate Key button. The Server Private Key page will return, this time showing the details for your private key.

Activate HTTPS

Note: You do not have to activate HTTPS right away; you can do this later once you have a signed certificate, but you can activate it as early as now.

Now that your private key is ready, if you would like to, you can activate HTTPS on the Server Setup | Network page. Switch back to that window and press Apply.

At this point, your server is in HTTPS mode. Most browsers indicate this by showing a lock icon in the status bar. Due to the way HTTPS KEEP-ALIVE works, you may be able to continue talking to the server for a limited time without changing the URL, but the communication is now encrypted.

Note that it is typical for HTTPS servers to run on port 443; your preferred configuration may call for a different port. In either case, now may be a good time to change the port number using the Port setting on the Server Setup | Network page. You may also choose to change the port at a later time. While it is not necessary to change the port number, it is not recommended to run Traction in HTTPS mode on port 80, which is usually reserved for ordinary HTTP services.

Before continuing, we suggest you change the URL from http to https. If you changed your port number to 443, you will no longer need a port number on your URL; if you changed your port number to any other number, you will need to make sure that it is on the URL and that it correctly reflects Traction's current port number.

Chances are, unless you imported a signed certificate, the first thing you will see when you connect to the Traction server is a warning from your browser.

You can prevent this dialog by getting your certificate signed (next section). If you would rather not get your certificate signed, you can click View Certificate to show the certificate. In Internet Explorer, this looks like:

If you would like to tell your browser to trust this certificate (and not warn you) you can install the certificate in the browser.

Getting your Certificate Signed

To generate a Certificate Signing Request (CSR), return to the Server Private Key page in the Manage Trust Store dialog and click the Certificate Signing Request Generate button.

This will show a CSR.

You can then copy and paste this into a CA's CSR form. For example, using InstantSSL, this looks like:

Note: Traction likely won't be listed as a server software selection, but what you select shouldn't make a difference.

You can fill in the additional pages, usually just contact and credit card information. Often your certificate will arrive in email within 10 minutes.

Often what you get back is a .zip file containing all the certificates in the certificate chain.

You should unzip this file in preparation for the next step.

In this case, the top-level CA is GTECyberTrustGlobalRoot, then ComodoSecurityServicesCA.

Importing the Signed Certificates

The order you take the next steps in matters; first you must import the certificates that establish the trust chain to your signed certificate, then your signed certificate.

Importing the Trusted Certificates (Trust Chain)

In our example, we need to build the chain from GTE down through Comodo to our certificate. To do this, we first import the GTE Trusted certificate by browsing to the file, typing an optional alias, and clicking Add.

The certificate appears in the list along with the private key.

We repeat the process for the subsequent certificates down the chain. If you don't get the order exactly right, don't worry; as long as all the trust chain certificates are added before your own certificate is imported, Traction should be able to determine the order of the chain.

Here we have imported both trust certificates.
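
Before importing, the unzipped files can be checked with OpenSSL to confirm that the CA certificates really link the signed certificate to the top-level CA (an added example, not Traction's own tooling). The root, intermediate and leaf certificates below are a constructed throwaway chain standing in for the CA's files; all file names are assumptions.

```shell
#!/bin/sh
# Added example (not Traction's own tooling): check that the CA certificates
# from the bundle chain to the signed certificate before importing them.
set -eu

# chain_ok ROOT INTERMEDIATES LEAF
# Succeeds when LEAF verifies to the trusted ROOT through INTERMEDIATES.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# --- constructed sample input: throwaway root -> intermediate -> leaf chain ---
dir=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"

new_csr() {  # new_csr NAME COMMON_NAME: fresh key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$1.key" \
        -subj "/CN=$2" -out "$dir/$1.csr" 2>/dev/null
}

new_csr root "Constructed Root CA"
openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -days 30 -out "$dir/root.crt" 2>/dev/null
new_csr inter "Constructed Intermediate CA"
openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -days 30 -out "$dir/inter.crt" 2>/dev/null
new_csr leaf "traction.mycompany.com"
openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.crt" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 30 -out "$dir/leaf.crt" 2>/dev/null

# Subject and issuer show where each file sits in the chain: every issuer
# must appear as the subject of the certificate one level up.
for c in root inter leaf; do
    openssl x509 -in "$dir/$c.crt" -noout -subject -issuer
done

if chain_ok "$dir/root.crt" "$dir/inter.crt" "$dir/leaf.crt"; then
    echo "full chain verifies"
fi
# With the intermediate left out, the leaf cannot be linked to the root.
chain_ok "$dir/root.crt" "$dir/root.crt" "$dir/leaf.crt" ||
    echo "chain incomplete: intermediate certificate missing"
```
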

Importing the Actual Signed Certificate

When importing this file, you need to use the Import Signed Certificate section's Import button.

Browse to the file and click Import.

Traction should report Import successful:

Also, the entry for your private key should now look different; rather than just reporting the basic details, it should now show the entire certificate chain:

Before Importing Signed Certificate

After Importing Signed Certificate

Now when you close all your browser windows and reopen the web browser, you should not get any warnings. If you click the lock icon to inspect the certificate, you will see the details. The status will be listed as OK. You will also be able to see the expiration date.

In this case, the free trial certificate is valid for 30 days.

Normal HTTPS setup is now complete.

Article: Doc264 (permalink)
Date: March 22, 2008; 4:19:33 PM EDT
Author Name: Documentation Importer
Author ID: importer