PC SOFT

ONLINE HELP
FOR WINDEV, WEBDEV AND WINDEV MOBILE

Creating an SSL certificate that can be used with SocketCreateSSL
Overview
To create an SSL server with SocketCreateSSL, you must use a signed certificate containing a private key.
Several solutions can be implemented:
  • Get an SSL certificate from an accredited certification organization (Thawte or VeriSign for example). We recommend that you contact these entities to find out how to proceed. This certificate can be used with a deployed application for example.
  • Create a self-signed certificate. This certificate can be used for testing and/or for a deployed application. To do so, you must use the OpenSSL open source library.
Creating a self-signed certificate

1. Downloading and installing the OpenSSL library compiled for Windows

For more details, see the following page: https://www.openssl.org/community/binaries.html
In the rest of this document, we will assume that:
  • OpenSSL is installed in the <DirInstallOpenSSL> directory
  • a Perl engine is installed on the computer (free Perl engines can be downloaded from the Internet).

2. Configuring OpenSSL

  • Edit the file named <DirInstallOpenSSL>/bin/CA.pl
  • Replace the line:
    $CATOP="./demoCA";
    by:
    $CATOP="./<MYAUTHORITY>";
  • Edit the OpenSSL.cfg file
  • Replace the line:
    [CA_default]
    dir = ./demoCA       # Where everything is kept

    by:
    [CA_default]
    dir = ./<MYAUTHORITY>       # Where everything is kept

3. Creating a certification authority

A certificate authority is an entity that has the power to sign certificates. The client must install the certificate of this authority among its "trusted" authorities so that certificates signed by this authority, and not corrupted, are accepted.
  • Open a command line (run cmd).
  • Go to the <DirInstallOpenSSL>/bin directory.
  • Enter:
    CA.pl -newca
  • Press [Enter] to create a new CA.
  • Enter the password of the private key (twice). This password is mandatory.
  • Enter the information about the certification authority being created.
    • The country
    • The state or the region
    • The city
    • The company
    • The service
    • The name of the certification authority
    • An email address
    • A password that must be supplied during the certificate request: as it is a self-signed certificate, no password is required. Validate without entering anything.
    • A company name
    Then, you must re-enter the password that was entered beforehand.
  • At the end of the script, the <MYAUTHORITY> sub-directory has been created in the ./bin directory of OpenSSL. You will find in this directory:
    ./cacert.pem (the public part of the certificate that will be used to sign the other ones).
    ./private/cakey.pem (the private key).
  • Copy the "./cacert.pem" file and rename it to cacert.crt. This file must be installed on all the computers that use sockets connecting to servers whose certificate has been signed by this authority.

4. Creating a server certificate that can be used with the SocketCreateSSL function

The server certificate is a certificate that contains a private key and a public key, both signed by a recognized certificate authority (created in the previous step).
  • Create a certificate request. In the command line, type:
    CA.pl -newreq

    Press [Enter] and specify the following information:
    • A password for the certificate (note: This password will have to be specified to import the certificate into Windows).
      This password is mandatory, it must contain between 4 and 500 characters.
    • The country.
    • The state or the region.
    • The city.
    • The company.
    • The service.
    • The full name of the server on which the certificate will be installed.
    • An email address.
    • A password that must be supplied during the certificate request: as it is a self-signed certificate, no password is required. Validate without entering anything.
    • A company name.
    Two files are created in the <DirInstallOpenSSL>/bin directory: newreq.pem and newreq.key.
  • Sign the request with the authority that was created. In the command line, type:
    CA.pl -sign

    The password of the certification authority is requested. Check the signature and the recording by answering "y" to the two following questions.
    The <DirInstallOpenSSL>/bin/newcert.pem file is created.
  • Create the full certificate:
    • In the command line, type:
      CA.pl -pkcs12 "use name"
    • Then, answer the questions by specifying:
      • The password of the certification authority.
      • An export password: this password will be requested when exporting the certificate from the certificate store.
      The newcert.p12 file is created in the <DirInstallOpenSSL>/bin directory. This file must be installed on the server. To do so, you must:
      1. Copy the certificate onto the computer.
      2. Double-click this file. The certificate will be visible in the certificate manager (certmgr.msc).
         Caution: The certificate must be installed with the user account of the application or service that will be using it.
         During the setup, do not check the "Enable high security level" box: if this option is checked, the password of the private key will be requested whenever SocketCreate is called.
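
The checks worth running on the files from steps 3 and 4 before installing them, as an added example that is not part of the original page: it builds a throwaway authority and server certificate with direct `openssl` calls (not `CA.pl`), then confirms the signature chain, the key/certificate match and the PKCS#12 contents. The subjects, the `cakey.pem` and `newkey.pem` file names, the export password and the function names are constructed for the example.

```sh
#!/bin/sh
# Added example; every subject, password and function name is constructed.

# Throwaway CA + server certificate in directory $1, using direct openssl
# calls instead of CA.pl. Keys are unencrypted only to avoid prompts.
make_test_pki() {
    ( cd "$1" || exit 1
      # Step 3 equivalent: CA key and self-signed CA certificate
      openssl req -x509 -newkey rsa:2048 -sha256 -days 30 -nodes \
          -subj "/O=Example/CN=Example Test CA" \
          -keyout cakey.pem -out cacert.pem || exit 1
      # Step 4 equivalent: server key and certificate request
      openssl req -new -newkey rsa:2048 -nodes \
          -subj "/O=Example/CN=server.example.test" \
          -keyout newkey.pem -out newreq.pem || exit 1
      # Sign the request with the CA key
      openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
          -CAcreateserial -sha256 -days 30 -out newcert.pem || exit 1
      # Bundle certificate, private key and CA certificate as PKCS#12
      openssl pkcs12 -export -in newcert.pem -inkey newkey.pem \
          -certfile cacert.pem -name "server.example.test" \
          -passout pass:constructed-export-pw -out newcert.p12
    ) >/dev/null 2>&1
}

# Succeeds if certificate $2 verifies against CA certificate $1
signed_by() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Succeeds if private key $2 matches the public key in certificate $1
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Prints the number of certificates in PKCS#12 file $1 (export password $2)
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

demo=$(mktemp -d) && make_test_pki "$demo" &&
    signed_by "$demo/cacert.pem" "$demo/newcert.pem" &&
    key_matches_cert "$demo/newcert.pem" "$demo/newkey.pem" &&
    echo "chain and key OK, $(p12_cert_count "$demo/newcert.p12" constructed-export-pw) certificates in newcert.p12"
rm -rf "$demo"
```

The `openssl verify`, `openssl x509`, `openssl pkey` and `openssl pkcs12` commands inside the three check functions can be typed as they are in cmd against the files produced by `CA.pl`; a server certificate that fails `signed_by` against the cacert file installed on the clients will be rejected by them.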
Minimum required version
  • Version 12