Getting the right type of SSL certificate can be a pain. Here are some notes on how to get hold of existing certificates and convert them to the types we can use in DG3.

Basically, to get a secure HTTP connection you need a few certificates installed on your server. First you need the private key. This is the one that nobody other than you should have. Then you need a certificate that validates your domain. This can be for a single sub domain (ex. shop.dataease.com) or for all sub domains (ex. *.dataease.com). The last type is called a star domain (usually known as a wildcard certificate) and can be used to validate all sub domains (in this case www.dataease.com, licenses.dataease.com, shop.dataease.com etc.). This certificate must be signed by a CA (Certificate Authority). This can be you (self signed), but then no browser will let you view the page without displaying warnings that you must make an exception for. The best thing to do is to use a recognized CA like Verisign, Comodo, GoDaddy, StartSSL etc. These will usually not sign your certificate with their master (root) key, but with another key that is itself signed by the master key. This means that for the web browser to recognize your certificate, you must give it a chain back to the recognized root key that is installed by default in the browser.

So what we need to install an SSL certificate in your DG3 server is: the private key, the CA signed certificate and the chain delivered by the CA. These files usually have names like somename.key, somename.crt and somename.pem. The .key file is your private key, the .crt file is the certificate you got from the CA and the .pem file is the chain back to the CA's root certificate that is installed in the browser.

There are several other formats for certificates as well, but usually you can convert them to the needed format one way or another. To do that you can use the tools delivered with DG3, in the form of the openssl.exe command line tool. This document describes the manual method of doing this.

IIS server certificates

If you have an IIS server where you have used the Windows tools to create the CSR and private key, these will not be found as files on your server. To get the certificates you will need to export them. This is done as described here:

  1. Open IIS Manager
  2. In Features View, double click Certificates
  3. Select the certificate and click Export
  4. Give it a name and a password (take note of this password, as you will need it later)

What you get from IIS is a .pfx file. From this file you can extract the .key file with:

openssl pkcs12 -in certificate.pfx -nocerts -nodes -out privatekey.key
openssl rsa -in privatekey.key -out privatekey.key

You will be asked for the password in the process. The last step converts the key to plain RSA format and removes any password from it, so the server can use it. Now you have the private key.

If you do not have the certificate (public key) either, you can extract this from the .pfx file as well:

openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt

You will be asked for the password in the process. Now you have two of the three components needed by our server. The chain can be downloaded from the CA.

Lighttpd SSL certificates

The lighttpd server certificates we set up in DG3 are stored in the application under ssl, and under webserver for the main definition, e.g.

C:\inetpub\DeployedDG3Apps4\webserver\lighttpd\ssl for the server and C:\inetpub\DeployedDG3Apps4\MyApp\ssl for the application.

The names of the two needed files are always cert.pem for the combined certificate (private key and server certificate in one file) and ca-bundle.crt for the chain from the certifying authority. This means you have to have your private key in RSA format and the certificate given by the CA, and combine them into one file yourself.

# convert private key to rsa
openssl rsa -in www.example.com.privatekey.key -out privatekey.key

# create the combined file
type privatekey.key www.example.com.crt > cert.pem

These are the commands as typed in a DOS prompt.

The SSL part of the lighttpd.conf file looks something like this:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = cert_dir + "cert.pem"
    ssl.ca-file = cert_dir + "ca-bundle.crt"
    # Config for redirecting sites from https

    $HTTP["host"] == "www.example.com" {
        server.document-root = "/cygdrive/c/inetpub/DeployedDG3Apps4/MyApp/html"
        ssl.ca-file = "/cygdrive/c/inetpub/DeployedDG3Apps4/MyApp/ssl/ca-bundle.crt"
        ssl.pemfile = "/cygdrive/c/inetpub/DeployedDG3Apps4/MyApp/ssl/cert.pem"
 ...
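The IIS export and the cert.pem combine step above, put together in one POSIX shell script as an added example that is not from the DG3 notes; it also checks that the private key actually belongs to the certificate before anything is copied to the ssl folder. It assumes openssl is on PATH and that the .pfx password is supplied in the PFX_PASSWORD environment variable (a placeholder name chosen for this example).

```shell
#!/bin/sh
# Added example, not part of the DG3 notes: turn the .pfx exported from IIS
# into the files lighttpd needs and check the key/certificate pair first.
# Assumes openssl is on PATH and the .pfx password is in PFX_PASSWORD
# (placeholder name, set it to the password you chose when exporting).
set -eu

# pfx_to_dg3 <certificate.pfx> <output dir>
# Writes privatekey.key, certificate.crt and the combined cert.pem to <output dir>.
pfx_to_dg3() {
    pfx="$1"; out="$2"
    mkdir -p "$out"
    # private key without a passphrase (-nodes); the server cannot type one
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin env:PFX_PASSWORD \
        -out "$out/privatekey.raw"
    # rewrite as a plain RSA key, which also drops the PKCS#12 bag attributes
    openssl rsa -in "$out/privatekey.raw" -out "$out/privatekey.key" 2>/dev/null
    rm -f "$out/privatekey.raw"
    # the server certificate only: -clcerts selects it, -nokeys leaves the key out
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin env:PFX_PASSWORD \
        -out "$out/certificate.crt"
    # lighttpd's cert.pem is the private key followed by the certificate,
    # the same as "type privatekey.key www.example.com.crt > cert.pem" on Windows
    cat "$out/privatekey.key" "$out/certificate.crt" > "$out/cert.pem"
    # both files now contain the private key; keep them readable by the owner only
    chmod 600 "$out/privatekey.key" "$out/cert.pem"
}

# key_matches_cert <key file> <cert file>
# Succeeds only when the RSA modulus in the key equals the one in the certificate,
# i.e. the key really is the one the CA certified.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: PFX_PASSWORD=... ./pfx2dg3.sh certificate.pfx ./ssl
if [ "$#" -eq 2 ]; then
    pfx_to_dg3 "$1" "$2"
    key_matches_cert "$2/privatekey.key" "$2/certificate.crt" \
        && echo "key and certificate match, ready to copy to the ssl folder" \
        || { echo "key does NOT match certificate, do not deploy" >&2; exit 1; }
fi
```

The chain file (ca-bundle.crt) still comes from the CA as described above; the script only produces the key, the certificate and cert.pem.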