Self-signed certificate
From 4DWiki
Abstract
This document describes how to generate a self-signed certificate for 4D using OpenSSL (installed by default on OS X).
Creating a certificate authority with OpenSSL
First we need to create a certification authority (yourself) :
$ /System/Library/OpenSSL/misc/CA.pl -newca
It will ask you to choose a passphrase for the CA private key and to enter the certificate information for your CA. You will need the passphrase later, each time you sign a request.
It creates the following files in the current directory :
demoCA/
  cacert.pem
  certs/
  crl/
  index.txt
  index.txt.attr
  index.txt.old
  newcerts/
    F4BE45924012BF90.pem
  private/
    cakey.pem
  serial
  serial.old
Creating a certificate private/public key pair and a certificate request with 4D
C_BLOB($vx_privKey)
C_BLOB($vx_pubKey)
C_BLOB($vx_certReq)  `the request BLOB must be declared before GENERATE CERTIFICATE REQUEST fills it
SET BLOB SIZE($vx_privKey;0)
SET BLOB SIZE($vx_pubKey;0)
SET BLOB SIZE($vx_certReq;0)
`creating a private/public key pair
`by default 512 bits; the optional third parameter sets the key length in bits (e.g. ;2048)
GENERATE ENCRYPTION KEYPAIR($vx_privKey;$vx_pubKey)  `;512
`preparing a certificate request: one array of field codes, one array of values, same order
ARRAY LONGINT($tl_fieldCode;0)
ARRAY STRING(255;$ta_fieldValue;0)
APPEND TO ARRAY($tl_fieldCode;13)  `CN : Common name (eg www.acme.fr)
APPEND TO ARRAY($ta_fieldValue;"")  `<= FILL YOUR OWN INFO HERE
APPEND TO ARRAY($tl_fieldCode;14)  `C : Country name (US)
APPEND TO ARRAY($ta_fieldValue;"")  `<= FILL YOUR OWN INFO HERE
APPEND TO ARRAY($tl_fieldCode;15)  `L : Locality name (Cupertino)
APPEND TO ARRAY($ta_fieldValue;"")  `<= FILL YOUR OWN INFO HERE
APPEND TO ARRAY($tl_fieldCode;16)  `S : State or Province name (California)
APPEND TO ARRAY($ta_fieldValue;"")  `<= FILL YOUR OWN INFO HERE
APPEND TO ARRAY($tl_fieldCode;17)  `O : Organisation (Acme)
APPEND TO ARRAY($ta_fieldValue;"")  `<= FILL YOUR OWN INFO HERE
APPEND TO ARRAY($tl_fieldCode;18)  `OU : Organisation Unit (Acme online services)
APPEND TO ARRAY($ta_fieldValue;"")  `<= FILL YOUR OWN INFO HERE
APPEND TO ARRAY($tl_fieldCode;48)  `E : email (joe@acme.com)
APPEND TO ARRAY($ta_fieldValue;"")  `<= FILL YOUR OWN INFO HERE
`generating the certificate request (PEM, in $vx_certReq), signed with the private key
GENERATE CERTIFICATE REQUEST($vx_privKey;$vx_certReq;$tl_fieldCode;$ta_fieldValue)
`saving the public key, private key and certificate request in a folder
C_TEXT($vt_folderPath)
$vt_folderPath:=Select folder("Select a folder for the certificate")
If (OK=1)
   BLOB TO DOCUMENT($vt_folderPath+"newkey.pem";$vx_privKey)
   BLOB TO DOCUMENT($vt_folderPath+"pubkey.pem";$vx_pubKey)
   BLOB TO DOCUMENT($vt_folderPath+"newreq.pem";$vx_certReq)
End if
Save "newreq.pem" in the same directory as "demoCA" (the directory from which you run the openssl commands).
Sign the certificate request with OpenSSL
$ /System/Library/OpenSSL/misc/CA.pl -sign
It will ask you for the CA passphrase, then to confirm signing the certificate and committing the changes to the CA database.
It generates a "newcert.pem" file : the signed certificate.
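The two CA.pl steps above (creating the CA, then signing the request) drive openssl interactively. As an added example that is not part of the 4DWiki page, the script below performs the same CA -> request -> signed certificate flow with plain openssl commands, so every file and step is visible; it also builds the request with the same subject fields the 4D code fills. It goes one step beyond the page's flow by adding a subjectAltName extension, which current browsers require before they accept a certificate even from a trusted CA. The directory layout, file names, key sizes, validity periods and subject values are assumptions chosen for the demonstration, and the CA key is left unencrypted so the script runs non-interactively (CA.pl protects cakey.pem with the passphrase it asks for).

```shell
#!/bin/sh
# Added example (not from the 4DWiki page): the CA -> request -> signed certificate
# flow that "CA.pl -newca" and "CA.pl -sign" drive interactively, written with
# plain openssl commands. Directory layout, file names, validity periods and the
# subject values are assumptions for the demo.
set -eu

# make_ca DIR : self-signed CA key and certificate (what CA.pl -newca produces as
# demoCA/private/cakey.pem and demoCA/cacert.pem). Unencrypted key for a
# non-interactive demo; CA.pl protects cakey.pem with a passphrase instead.
make_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/cakey.pem" -days 365 \
    -subj "/CN=Demo test CA/O=Acme" -out "$dir/cacert.pem"
}

# make_request DIR HOST : server private key and certificate request carrying the
# same subject fields as the 4D GENERATE CERTIFICATE REQUEST example
# (CN, C, L, ST, O, OU, emailAddress); stands in for newkey.pem / newreq.pem from 4D.
make_request() {
  dir=$1; host=$2
  openssl genrsa -out "$dir/newkey.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/newkey.pem" \
    -subj "/CN=$host/C=US/L=Cupertino/ST=California/O=Acme/OU=Acme online services/emailAddress=joe@acme.com" \
    -out "$dir/newreq.pem"
}

# sign_request DIR HOST : what CA.pl -sign does (minus the index.txt/serial
# bookkeeping), plus a subjectAltName: browsers no longer accept a CN-only
# certificate such as the one the page's flow yields, even when the CA is trusted.
sign_request() {
  dir=$1; host=$2
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
  openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/newcert.pem" 2>/dev/null
}

# verify_cert DIR : succeeds only if newcert.pem chains to cacert.pem
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$1/newcert.pem" >/dev/null
}

# check_host DIR HOST : the browser's question, does the certificate match this
# name? (-verify_hostname needs OpenSSL 1.1.0 or later)
check_host() {
  openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$2" "$1/newcert.pem" >/dev/null
}

# cert_cn DIR : the subject CN, handling both "CN = x, ..." and "/CN=x/..." output styles
cert_cn() {
  openssl x509 -in "$1/newcert.pem" -noout -subject | sed 's/.*CN *= *\([^,/]*\).*/\1/'
}

# Usage: sh make_cert.sh OUTDIR www.mydomain.com
# Then copy OUTDIR/newkey.pem and OUTDIR/newcert.pem next to the structure file
# as key.pem and cert.pem, as the page describes.
if [ $# -eq 2 ]; then
  make_ca "$1"
  make_request "$1" "$2"
  sign_request "$1" "$2"
  verify_cert "$1" && check_host "$1" "$2" && echo "certificate for $(cert_cn "$1") verified against $1/cacert.pem"
fi
```

The verification functions are the part worth keeping around: `verify_cert` answers "was this really issued by my CA", and `check_host` answers "will a browser accept it for this name", which is exactly what the later test against https://www.mydomain.com:8081/ exercises.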
Install the certificate and private key with your database
Move the private key "newkey.pem" next to the structure file (cf. 4D documentation about SSL) and rename it "key.pem".
Move the self-signed certificate "newcert.pem" next to the structure file (cf. 4D documentation about SSL) and rename it "cert.pem".
Change 4D Server default HTTP port from 80 and HTTPS port from 443
Change 4D Server default HTTP port from 80 to 8080 (in database preferences).
Change 4D Server default HTTPS port from 443 to 8081 (in database preferences).
We do this on OS X because ports below 1024 are privileged; on 8080 and 8081, 4D can listen without being launched with root access.
Test your certificate with localhost address
Test with your favorite browser https://localhost:8081/
Want to test with a domain name without buying a DNS name ?
You can modify your hosts file to test how your server behaves when addressed by name (to test multi-homing, for instance) :
On OS X
edit /private/etc/hosts
add the line in the file :
127.0.0.1 www.mydomain.com
save the modification and execute :
$ lookupd -flushcache
On Linux
edit /etc/hosts
add the line in the file :
127.0.0.1 www.mydomain.com
save the modification. Linux reads /etc/hosts directly, so nothing needs flushing; only if the nscd caching daemon is running, execute :
$ nscd -i hosts
On Windows
edit C:\WINDOWS\system32\drivers\etc\hosts
add the line in the file :
127.0.0.1 www.mydomain.com
save the modification and execute :
> ipconfig /flushdns
Testing...
Test with your favorite browser :
https://www.mydomain.com:8081/
Clean up...
Don't forget to remove (or comment out) the line from your hosts file when finished with your tests.
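The hosts-file procedure above (add the entry, flush the resolver cache, test, then remove the entry) is easy to leave half done, which is what the clean-up note warns about. As an added example that is not from the 4DWiki page, the script below scopes the override to a single command: it tags the line it adds with a marker comment, so clean-up removes only that line and leaves the rest of the file untouched, and it removes it even when the test command fails. It covers the OS X and Linux variants only; the Windows `ipconfig /flushdns` step is not reproduced here. The marker text, function names and file path argument are assumptions; `dscacheutil -flushcache` is the replacement for `lookupd -flushcache` on OS X 10.5 and later, and `nscd -i hosts` is only relevant when that caching daemon is running on Linux. Editing the real /etc/hosts requires root.

```shell
#!/bin/sh
# Added example (not from the 4DWiki page): a scoped hosts-file override with
# guaranteed clean-up. Marker text and function names are assumptions.
set -eu

MARK='# 4d-selfsigned-test'   # marker so clean-up touches only lines we added

# add_test_host FILE IP NAME : append "IP NAME" tagged with the marker (idempotent)
add_test_host() {
  f=$1; ip=$2; name=$3
  grep -qF "$ip $name $MARK" "$f" 2>/dev/null && return 0
  printf '%s %s %s\n' "$ip" "$name" "$MARK" >> "$f"
}

# remove_test_host FILE : delete every line carrying the marker, nothing else
remove_test_host() {
  f=$1
  tmp=$(mktemp)
  grep -vF "$MARK" "$f" > "$tmp" || true   # grep -v exits 1 when no line is left
  cat "$tmp" > "$f"                         # rewrite in place, keeping permissions
  rm -f "$tmp"
}

# flush_dns : the per-OS resolver cache flush from the page; Linux reads
# /etc/hosts directly, so only an nscd cache (if any) needs invalidating
flush_dns() {
  case "$(uname -s)" in
    Darwin) dscacheutil -flushcache 2>/dev/null || lookupd -flushcache 2>/dev/null || true ;;
    Linux)  command -v nscd >/dev/null 2>&1 && nscd -i hosts || true ;;
  esac
}

# with_test_host FILE IP NAME CMD... : run CMD with the override in place and
# remove the override afterwards, even if CMD fails; returns CMD's exit status
with_test_host() {
  f=$1; ip=$2; name=$3; shift 3
  add_test_host "$f" "$ip" "$name"
  flush_dns
  rc=0
  "$@" || rc=$?
  remove_test_host "$f"
  flush_dns
  return $rc
}

# count_test_entries FILE : how many marker lines remain (0 after clean-up)
count_test_entries() {
  grep -cF "$MARK" "$1" || true
}

# Usage (as root, against the real file):
#   sh hosts_test.sh /etc/hosts 127.0.0.1 www.mydomain.com curl -k https://www.mydomain.com:8081/
if [ $# -ge 4 ]; then
  with_test_host "$@"
fi
```

`curl -k` in the usage line skips certificate validation, which is fine for checking that the server answers on the name; the verification of the certificate itself is what the browser test (or `openssl verify`) is for.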
How to handle HTTP/HTTPS connection
In 4D, you can distinguish insecure (HTTP) from secure (HTTPS) connections with this code :
`In "On Web Authentication" context
If (Secured Web connection)
   `connected via HTTPS - SECURE
Else
   `connected via HTTP - INSECURE
End if

