HTTPS support in MyConnection Server (MCS) requires MCS version 10.1a or above.
As a best practice, this tutorial documents 4 steps to create the MCS certificate file using the Windows platform. The certificate file can be transferred and used with MCS on both Linux and Windows platforms.
We recommend performing these steps on Windows even if MCS is installed on Linux.
The 4 steps to enabling HTTPS/SSL in MCS are as follows:
- Create a combined SSL certificate file from the certificate that was provided by a certificate authority for use with MCS.
- Convert the certificate file created in step 1 to an OpenSSL PKCS file.
- Convert the PKCS file into a Java Key Store (.jks) file for use by MyConnection Server.
- Configure MCS to locate and use the .jks file.
Step 1: Create the combined certificate file
A valid SSL certificate provided by the issuing certificate authority is required for this step. The certificate must consist of 2 files, for example yourdomain.com.crt and intermediateCA.crt.
NOTE: Some certificate providers will have a .PEM file option, for example yourdomain.com.pem. If you have one of these then skip to Step 2.
The two certificate files need to be combined together to create a single file as follows:
- Create and name a folder on the Windows desktop or other suitable location.
- Place the two certificate files to be combined in the named folder.
- Open a Windows command prompt and navigate to the named folder directory.
- Enter the command: type yourdomain.com.crt intermediateCA.crt > certs.txt (see example below) to create the combined file.
- Leave the command window open for continued use in step 2 below.
Step 2: Install and use OpenSSL to package the combined certificate file
This step requires the OpenSSL package for Windows in order to convert the combined certificate file to the OpenSSL PKCS file format. (Note: Scroll down to the Download Win32 OpenSSL section for download links. This is a third-party OpenSSL resource that we've found the most reliable, but it is subject to change.)
- Install the full OpenSSL install exe appropriate for the processor architecture required (32 bit or 64 bit).
- Once installed, locate the bin directory in the install folder. This should be drive:\OpenSSL-Win64\bin.
- Add the bin directory path to the Windows PATH environment variable so that OpenSSL can be run from the open command prompt window.
- Enter the command line:
CRT method: openssl pkcs12 -export -inkey yourdomain.com.key -in certs.txt -out certs.pkcs12 (see example below).
PEM method: openssl pkcs12 -export -inkey yourdomain.com.key -in yourdomain.com.pem -out certs.pkcs12
- When the password prompt appears, enter a strong alphanumeric password (8 to 16 characters) and continue.
- The OpenSSL certs.pkcs12 file will be created. Important note: remember the password used, as it will be required in step 3 below.
- Leave the command window open for continued use in step 3 below.
Step 3: Create the Java compatible Key Store File (.JKS) to be used by MCS
This step requires the Oracle Java keytool utility.
- Install the Oracle Java JDK.
- Add the JDK bin directory path to the Windows PATH environment variable.
- Enter the command line: keytool -importkeystore -srckeystore certs.pkcs12 -srcstoretype PKCS12 -destkeystore certs.jks -deststoretype JKS (see example below).
- When requested, enter and verify the new password. The third prompt is asking for the password set in Step 2 above. For clarity, the .pkcs12 file and the Java .jks file must have the same password as the certificate.
- The Java JKS file is now complete, and the final step configures MCS to use the new .jks key file.
Step 4: Configure MCS so it can find the JKS file
- Open File Explorer and navigate to the \MCS root directory\data\ directory.
- For first time implementation, locate and rename the example-https.ini file to https.ini. For certificate updates make sure the https.ini reflects any changes to the password or JKS name.
- Copy the .JKS file created in step 3 above to the MCS root installation directory/data/ directory.
- Edit the https.ini file to amend the SSLKeyStoreFileName setting to reference the JKS file name, JKS password, and domain name that will be used by MCS (see example Notepad file below).
- The certificate configuration process is now complete. MCS should be stopped and restarted to enable HTTPS. Thereafter, any user login requests initiated over HTTP will automatically be redirected to HTTPS.
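The combined file from Step 1 can be checked for common concatenation faults before it is passed to OpenSSL in Step 2. The Python script below is an added example, not part of the original tutorial or of MCS; check_bundle and fake_pem are hypothetical names, and the sample blocks are constructed placeholders rather than real certificates.

```python
import base64
import re
import sys

# One well-formed PEM block: BEGIN line, base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----[ \t]*\r?$",
    re.DOTALL | re.MULTILINE,
)

def check_bundle(text):
    """Return a list of problems in a combined certificate file (empty list = OK)."""
    problems = []
    # Byte-for-byte concatenation of a file that lacks a trailing newline
    # leaves its END marker and the next BEGIN marker on the same line.
    if re.search(r"-----END [A-Z0-9 ]+-----[ \t]*-----BEGIN", text):
        problems.append("END and BEGIN markers share a line (missing newline between files)")
    blocks = PEM_BLOCK.findall(text)
    # The tutorial passes the key separately via -inkey; it should not be in certs.txt.
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key found in the bundle; keep it in the separate -inkey file")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) < 2:
        problems.append(f"expected server and intermediate certificates, found {len(certs)} parsable block(s)")
    for i, body in enumerate(certs, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"certificate {i}: body is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # X.509 DER begins with an ASN.1 SEQUENCE tag
            problems.append(f"certificate {i}: decoded data is not a DER SEQUENCE")
    return problems

def fake_pem(label, der=b"\x30\x03\x02\x01\x01"):
    """Build a constructed PEM block (placeholder DER, not a real certificate)."""
    body = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

# Constructed samples: a clean two-certificate bundle and one joined without a newline.
GOOD = fake_pem("CERTIFICATE") + "\n" + fake_pem("CERTIFICATE") + "\n"
JOINED = fake_pem("CERTIFICATE") + fake_pem("CERTIFICATE") + "\n"

if __name__ == "__main__":
    # Pass the path to certs.txt as the first argument; without one, the JOINED sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else JOINED
    for problem in check_bundle(text) or ["bundle looks well-formed"]:
        print(problem)
```

The check is structural only: it does not validate signatures, expiry, or that the private key matches the server certificate.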