NAV

Configuring SSL in SimpleHelp

In order for customers to be able to visit your SimpleHelp server over https:// a valid SSL certificate should be installed. This guide details how you can upload an existing SSL certificate to SimpleHelp, or create a new certificate to use.

When SimpleHelp is first installed, it will create a default self-signed certificate. This self-signed certificate will produce warnings in a web browser that visits your site, and is not recommended for production use. Instead, a trusted certificate issued by a certificate authority should be used. When setting a certficiate there are two options:

  • Let's Encrypt - recommended if your server is available on port 80. Let's Encrypt certificates can be requested and managed by the SimpleHelp server, at no additional cost.
  • Upload an Existing Certificate - SimpleHelp supports a variety of certificates. This is recommended if you already own a certificate for your domain name.

To manage your server's SSL settings follow these steps:

  • log into the Technician Console as a server administrator
  • switch to the Administration tab
  • select the Network Settings section.
  • locate the HTTS / SSL section shown below.

SSL Section Screenshot

You can alter your server's certificate settings by using the Set a SSL Certificate button.

Let's Encrypt SSL Certificates

Let's Encrypt SSL Certificates are free short duration SSL certificates that typically last 90 days. The SimpleHelp server is able to request, download and install these certificates with minimal configuration required. Additionally, the server will automatically renew the certificates after approximately 60 days.

NOTE: It is only possible to configure a Let's Encrypt Certificate on servers that are publicly accessible on port 80. Let's Encrypt servers will verify the domain name of your SimpleHelp server over port 80, so your SimpleHelp server must be available on this port to process the requests.

Let's Encrypt Certificates can automatically be generated by SimpleHelp for any server that is publicly accessible on port 80. When creating a Let's Encrypt certificate you will be presented with the following configuration:

Let's Encrypt Screenshot

X X
Domain The domain name of your SimpleHelp server. This should not include the server ports or any protocols..
Email Address The email address of your server administrator.

If your SimpleHelp server is accessible on multiple domain names then you can generate certificates for each of these by specifying them as a comma-separated list:

domain1.simple-help.com,domain2.simple-help.com,domain3.simple-help.com

Let's Encrypt will validate the domain name entered, so it must match the address of the SimpleHelp server, and must be publicly accessible on port 80. Additionally, the email address will be used to notify you when your certificate is due to expire. Since certificates are free they are valid for a short period. Once a Let's Encrypt certificate has been set up SimpleHelp will automatically renew the certificate for you after 60 days.

Using an Existing SSL Certificate

SimpleHelp supports three ways in which you can use an existing SSL certificate.

  • Certificate and key upload
  • Load Certificates from a directory on the server
  • Upload the certificates and key bundled in a single certificate store.

A valid certificate must include a private key, and all intermediate certificates that lead to a trusted root. The intermediate certificates create a link between the trusted root and your certificate, so a browser knows to trust your certificate if it trusts the root certificate.

Certificate and Key Upload

If your certificate authority issues a private key and certificate to you then you can upload these directly into SimpleHelp. Three files can be provided:

X X
Private Key The file containing your certificate's private key, usually in PKCS8 format.
Certificate The certificate file, usually in PEM format.
Chain Certificates One or more intermediate certificates.

SimpleHelp will attempt to load the private key, and verify that the Certificate and Chain Certificates lead to a trusted root certificate. If successful, the certificate will be applied and used immediately.

Load Certificates from the Server

If your certificate files are located on the SimpleHelp server already, you can instruct SimpleHelp to load them. SimpleHelp will load the certificates, and will reload them when they change on disk. This is particularly useful when using third party utilities to manage your SSL certificates, such as acme.sh.

To start, specify the directory on the server that SimpleHelp should load certificates from. For example, specifying:

/etc/letsencrypt/live/servers.simple-help.com

will instruct SimpleHelp to load the private key, certificate and intermediate certificates from the servers.simple-help.com directory. If successful, the certificate is automatically applied and immediately activated.

NOTE: If there are intermediate or root certificates missing the SSL status may appear fine in your browser, but SimpleHelp applications will continue to not load over SSL until this is rectified.

Upload a Certificate Store

If you have an existing certificate store you can upload this directly into SimpleHelp. SimpleHelp supports PKCS12 / PFX stores, as well as the legacy Java Keystore (JKS) format. When uploading your store ensure the following:

  • the uploaded store must contain the certificate and associated private key
  • the uploaded store must contain any required intermediate certificates

SimpleHelp will load and verify the keystore, and apply the certificate automatically.

NOTE: If there are intermediate or root certificates missing the SSL status may appear fine in your browser, but SimpleHelp applications will continue to not load over SSL until this is rectified.

Viewing the Keystore Details

Clicking the button View Server Keystore Details will request the current keystore details from the SimpleHelp server and will notify you whether the certificate chain is valid. If it is valid, each certificate in the chain will be listed, as follows:

Validation Screenshot

Testing your SSL Store

Once you upload an SSL store to SimpleHelp, you can test that the correct certificates have been included in the bundle. We suggest using the website:

https://www.digicert.com/help/

which will let you know if the certificate chain is complete or not.

Using IIS Certificates

If you have an SSL certificate installed on Windows then it is possible to export the certificate and complete chain using these steps:

  • Run the command mmc to open the Management Console.
  • Select File > Add / Remove Snap-In
  • Locate the Certificates snap-in and add it.
  • Select Computer Account > Local Computer and press Finish.
  • In the Certificates snap in, expand the tree and locate the Personal folder. Expand the Certificates folder below.
  • Right-click on your certificate and choose ALL TASKS > Export.
  • If prompted, choose to export the private key and to include all certificates in the certificate chain (do not choose to delete the private key). Additionally, select TripleDES-SHA1 as the Encryption option.
  • You will then be given the option to save a .pfx SSL store.

You can then upload the .pfx directly into SimpleHelp.

Using Apache Certificates

Apache uses the following SSL certificate settings:

SSLCertificateFile - the path to your SSL certificate file. This file may also contain the certificate key.

SSLCertificateKeyFile - the path to your SSL certificate private key file. The private key may be contained in the SSLCertificateFile.

SSLCertificateChainFile - the concatenation of PEM encoded certificates which form the certificate chain (the intermediate and root certificates).

Your certificate chain file should include your intermediate certificates and root certificate all appended together. To create a keystore using these files you will need to use openssl:

openssl pkcs12 -export -in SSLCertificateFile -inkey SSLCertificateKeyFile -out store.p12 -name simplehelp -CAfile SSLCertificateChainFile -caname root -chain

If you receive the error message Error unable to get issuer certificate getting chain then this indicates that openssl was not able to create a complete certificate chain. Make sure that all intermediate and root certificates are concatenated together in the file SSLCertificateChainFile.

Restricting Ciphers and Protocols

The set of enabled ciphers and protocols that the SimpleHelp server accepts can be configured. By restricting the ciphers and protocols you can control how clients communicate with the SimpleHelp server over SSL / TLS.

To configure the Ciphers and Protocols click on the Advanced Configuration button, which will present the following dialog:

Ciphers and Protocols Screenshot

The optimal configuration for your server will depend on the devices you wish to support. Older operating systems and browsers will be limited in the ciphers and protocols that they support. By restricting the SimpleHelp server you will increase the security of secure communications but will prevent certain devices from connecting.