I need help creating SSL certificate please

Hi,

I am receiving this warning when I try to install this api on a Windows 10 PC.

image

This PC contains a database and is connected to an FTP server and clients connect externally to the FTP.
This PC is going to be published after installing this API. I created a CSR using mmc command in windows using this guide: https://www.entrust.com/knowledgebase/ssl/how-to-generate-certificate-signing-request-using-microsoft-management-console-mmc-on-windows-2012.

I want to now get the SSL certificate.

What is the next step? I am not an expert but I am trying to learn to get this task done.

Thank you so much!

1 Like

TLS (old name: SSL) certificates do not provide any security as firewalls would provide or provide protection from unwanted access. The only thing TLS domain validated (DV) certificates provide is authentication of the hostname and encryption of the connection.

With regard to Let's Encrypt:

2 Likes

Thanks for your answer. I have a firewall already but I need support creating the TLS/SSL certificate.
image

1 Like

The instructions for an Entrust cert from back in 2012 do not apply to certs from Let's Encrypt. The Getting Started page linked earlier is a good start to learn about LE.

For Windows, there are several ACME clients for getting a cert. The Certify The Web client has a gui, good docs, and a good support community of its own. It is probably the easiest to use.

7 Likes

Just to add a bit of general info:

  • If you are sharing your service with other people your service will need a real name, not just an IP address. This involves having a registered domain name (such as your business one) and giving your service a name within that, then pointing that name at the IP address of your service. So if your business domain name was example.com your service name might be tintapp.example.com (or anything you want under your domain name).

  • The point of using certificates from services like Let's Encrypt to get your certificate is because their own root certificate is publicly trusted by most computers and this in turn makes your certificate issued via them trusted as well. It's possible to just use "fake" self-signed certificates using tools like GitHub - FiloSottile/mkcert: A simple zero-config tool to make locally trusted development certificates with any names you'd like. but other peoples browsers etc won't trust them automatically.

Getting a certificate and using it are two different problems:

  • Use an ACME enabled certificate tool to get your certificate, this involves specifying which service/domain name you want on the certificate, then you need to prove you control that domain. For Let's Encrypt using Certify The Web (which is the app I develop) that's via HTTP (HTTP Validation (http-01) | Certify The Web Docs) or DNS (DNS Validation (dns-01) | Certify The Web Docs) and it's usually the hardest part to get right. Once that's completed you'll have a certificate.
  • Deploying your certificate once you have it is the next step and how that's done depends on the service you are deploying to (that app will auto deploy to IIS if using that). Every type of service is different. Some you copy a file somewhere, some you update a certificate "binding". So for instance an FTP service binding will depend what FTP server you are using, and your software you are using here will also have it's own process for updating the certificate.

For Certify The Web you'll probably want to add the Deploy to Generic Server task and set an output path and filename for your fullchain (e.g. C:\certs\tintapp.example.com.crt) and key (e.g. C:\certs\tintapp.example.com.key - these paths and names are up to you). You then need to tell your service shown in your screenshot to use them.

You will need to repeat this certificate deployment for every renewal every few months. Most services were conceived long before ACME automated certificates existed back when certs were manually renewed once a year at most and many still assume you are using the old way of working.

As an aside, be careful publishing services on your local network to the internet. Once you have opened up your firewall to reach your computer it can be reached by the people you want, and the people you don't want. So for instance you should assume that one day someone will find a vulnerability and achieve full access to that machine and everything it's connected to. That's why it's generally good practice to host these sorts of services on isolated machines, usually cloud hosted such as in Azure or AWS.

3 Likes