New Acme client for Embarcadero RAD Studio Delphi and C++ development tools

François Piette’s Internet Component Suite (ICS) V8.58 for Embarcadero
RAD Studio Delphi and C++ development tools adds a new TSslX509Certs
component allowing ICS servers to automatically order, download and
install SSL/TLS certificates from various suppliers, including free
certificates from Let’s Encrypt, and commercial certificates for
DigiCert, Comodo, Thawte and GeoTrust from CertCentre AG. It also
acts as a private CA to issue local certificates.

The TSslX509Certs component automates the process from creating a new
private key and certificate request, placing the order, arranging for
domain validated certificates to be checked by various challenge methods,
collecting the certificate and intermediate, creating PEM and PKCS12 bundle
files with the private key, then copying the files to the web server ready
for automatic installation. The TSslWSocketServer, TSslHttpServer,
TSslHttpAppSrv, TIcsProxy and TIcsHttpProxy components can assign a
TSslX509Certs component to support automatic certificate ordering of
domain validated certificates with very little extra code.

The component supports automated file challenge for Domain Validated certificates,
using an external HTTP server such as IIS or an HTTP server component such as
TSslHttpServer or TSslHttpAppSrv to which files may be copied using UNC
shares, or a built-in local HTTP server so the component is self-contained.
In all cases, the web server must be accessible from the public internet for the
domain (or domains) for which a certificate is being ordered. The application
can also use an FTP server to copy files to an external HTTP server. DNS
challenges currently require the application to update the DNS server; the demo
application waits a few minutes for the user to manually update the DNS server,
which allows wildcard certificates to be ordered. A pending feature is
TLS-ALPN SSL SNI challenges for Let’s Encrypt using HTTPS. The component
supports the ACME V1 and V2 protocols as implemented by Let’s Encrypt to
download free domain validated certificates.
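The file and DNS challenges described above both publish a value derived from the ACME account key, so a server operator can check what the web server or DNS zone must serve before the CA is asked to validate. The following Python is an added example, not ICS or TSslX509Certs code, and it assumes the RFC 8555 challenge rules (HTTP-01 body is `token.thumbprint`, DNS-01 TXT value is the base64url SHA-256 of that string) and the RFC 7638 JWK thumbprint; the account key, token and domain are constructed sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of only the
    required public members, keys sorted, no whitespace. Extra members
    such as 'kid' or 'alg' are deliberately ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint of the account public key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected(token: str, account_jwk: dict) -> tuple:
    """Path the CA fetches over plain HTTP on port 80, and the exact body
    the file challenge must serve there."""
    path = f"/.well-known/acme-challenge/{token}"
    return path, key_authorization(token, account_jwk)


def http01_matches(served_body: str, token: str, account_jwk: dict) -> bool:
    """Pre-flight check: compare what the web server actually returned with
    the expected key authorization. Surrounding whitespace (a trailing
    newline from a text editor) is tolerated; anything else is a failure."""
    return served_body.strip() == key_authorization(token, account_jwk)


def dns01_expected(domain: str, token: str, account_jwk: dict) -> tuple:
    """RFC 8555 section 8.4: TXT record name and value for the DNS challenge,
    which is the one that permits wildcard certificates."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


# Constructed sample account key (not a real key; the modulus is a placeholder).
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "n": "sample-modulus-not-a-real-key", "e": "AQAB",
                      "kid": "ignored-by-the-thumbprint"}
SAMPLE_TOKEN = "constructed-token-0123456789"  # constructed, not from a CA


if __name__ == "__main__":
    path, body = http01_expected(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("HTTP-01: serve", repr(body), "at", path)
    name, txt = dns01_expected("example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print("DNS-01: TXT", name, "=", txt)
```

Fetching the HTTP-01 path from outside the network and passing the response to `http01_matches` before submitting the challenge catches the usual causes of a failed order (wrong document root, UNC copy not completed, a proxy rewriting the body) without burning a CA validation attempt.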

Commercial suppliers of certificates have their own APIs, usually using HTTP
REST; currently the component supports CertCentre AG https://www.certcenter.de/,
from where you can buy certificates issued by Comodo, DigiCert (including
GeoTrust, Symantec and Thawte) and GlobalSign, and free certificates from
AlwaysOnSSL (by resellers only), see https://alwaysonssl.com/issue.php.
You need to register with CertCentre AG and open a reseller account to pay
for any certificates bought, although for testing most can be cancelled
within 30 days without charge. CertCentre AG uses OAuth2 authentication,
which is complex to set up but then mostly invisible. Domain validated
certificates can be purchased and downloaded automatically using file or
DNS challenges; other types of certificates can be ordered and then
downloaded when the order is completed.

The TSslX509Certs component includes a database of certificate orders and pending
challenges, allowing certificates to be re-ordered and the supplier periodically
checked to see if a challenge has been successful, after which the X509 certificate
can be automatically downloaded and installed. Events are generated upon completion
or failure, allowing the application to inform the user (by email) of certificate
ordering progress.

Although the TSslX509Certs component is integrated with ICS servers, it can be
used in Delphi applications to order certificates for Windows IIS server or
other web, FTP or SMTP servers. No other Delphi components are required and
it may be used by Delphi 7 and all later versions. ICS includes OpenSSL 1.1.1
Windows binaries and supports TLSv1.3.

There is more information and downloads at http://wiki.overbyte.eu/ or
https://www.magsys.co.uk/delphi/magics.asp which also include links to the
ICS SVN repository.