How can I create/install an SSL Cert for a standalo

Published 2019-04-14 17:11

Question:

I am new to SSL and Certificate procurement and this is the first datasnap server I have tried to make using https/ssl.

I have a stand-alone Datasnap server (XE4) and I want to create or obtain an SSL certificate that I can use with it so that my REST communications are encrypted.

There is nothing but an IP address associated with the computer running this server.

  • How can I obtain a suitable SSL?
  • Can I purchase a cert that would work with an ip address?
  • Eventually I want to use port forwarding to deliver REST queries from the internet to my locally hosted server. How does this affect the cert process?

Thanks, Mark

Answer 1:

First purchase an SSL certificate from a provider such as GoDaddy or RapidSSL. When purchasing you specify the domain name that the certificate will represent. Obviously you can point the domain name to any IP address you wish by configuring the DNS entries for your domain. I've never configured a certificate to point to an actual IP address but I guess it's possible. Given you want to have your server accept requests from the internet, I would use a domain name so that you can change the IP address if required.

When purchasing your SSL certificate, you will need to provide a Certificate Signing Request (CSR) which you generate on your server computer, specifying the domain name you want to use the SSL certificate for. You can use a utility such as the DigiCert util (www.digicert.com/util) to create your CSR.

Once you have purchased your SSL certificate the provider will prompt you to download your intermediate certificate file (or just copy the text from an email since it's a plain text file). This file is specific to your selected domain name. You will also need to download the root certificate from the SSL provider; this is specific to the SSL provider but not to your domain name. The third file you need is a private key file. You need to generate this, again using the DigiCert utility. You do this by importing the intermediate certificate into the utility, then clicking 'Export' to create a private key - choose the 'key' format.

Now you have your 3 files, for example (file names can be anything you want):

intermediatecert.crt
rootcert.crt
privatekey.key

For Delphi DataSnap, you need to use a TDSCertFiles component, and link this to your TDSHTTPService component using the 'CertFiles' property. In your TDSCertFiles component, set the following properties:

CertFile : path to your intermediate certificate file e.g. C:\SSL\intermediatecert.crt
KeyFile : path to your private key file e.g. C:\SSL\privatekey.key
RootCertFile : path to your provider's root certificate file e.g. C:\SSL\rootcert.crt

I don't know about XE4, but in XE2 there is a bug with the TDSCertFiles component which means setting the above 3 properties at runtime has no effect - it only ever uses the values set at design-time - see this: http://qc.embarcadero.com/wc/qcmain.aspx?d=107516

Finally, because DataSnap uses Indy and Indy implements SSL using OpenSSL, you need to have the OpenSSL library files either in the same folder as your DataSnap server EXE, or at least on the server's PATH. The 2 files you need are libeay32.dll and ssleay32.dll, and you can download them here: http://indy.fulgan.com/SSL/openssl-1.0.1e-i386-win32.zip

Hope that helps.

Answer 2:

If you don't want to buy a commercial SSL certificate, you can easily create your own certificates using Windows Server Certificate Authority, or OpenSSL. Using OpenSSL from the command line may be daunting; XCA (http://xca.sourceforge.net/) is a nice GUI wrapper that makes certificate management with OpenSSL easy.

You can create a self-signed certificate, or create a proper certificate chain - creating your CA and then using it to generate the server certificate. Remember the common name (CN) in the certificate must match the machine's fully qualified name or IP (but it would be better to assign an FQDN, and then use some name <-> IP mapping; the hosts file will suffice if you don't have a DNS). The certificate must have the proper attributes, but I do not know if Datasnap checks them properly.

If you're not proficient with certificates, I'd suggest you read some tutorials about them, and their management.
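The private-CA route described in Answer 2, carried through with the OpenSSL command line, as an added example that is not part of either answer. It produces the three files Answer 1 feeds to TDSCertFiles (server certificate for CertFile, private key for KeyFile, CA certificate for RootCertFile), puts both the FQDN and the raw IP address into the certificate's Subject Alternative Name (clients match the SAN, not only the CN), and then checks that the server certificate really chains to the CA and that a certificate issued by a different CA is rejected. The host name datasnap.example.internal, the address 192.0.2.10 and all file names are constructed for illustration; the only assumption is that a reasonably current `openssl` binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example: build a private CA with OpenSSL, issue a server certificate
# whose SAN carries a DNS name and an IP address, and verify the chain.
# All names and paths are constructed; nothing here is DataSnap's own code.
set -eu

# make_chain OUTDIR FQDN IP
# Writes rootcert.crt (CA), servercert.crt (leaf) and privatekey.key (leaf key).
make_chain() {
    outdir=$1; fqdn=$2; ip=$3
    mkdir -p "$outdir"

    # 1. CA key and a self-signed CA certificate. The extensions are supplied
    #    from a file so the result is CA:TRUE regardless of openssl.cnf defaults.
    #    In real use keep ca.key off the server; only rootcert.crt is deployed.
    openssl genrsa -out "$outdir/ca.key" 2048 2>/dev/null
    printf '%s\n' \
        'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        'subjectKeyIdentifier=hash' > "$outdir/ca.ext"
    openssl req -new -key "$outdir/ca.key" -subj "/CN=Example Private Root CA" \
        -out "$outdir/ca.csr"
    openssl x509 -req -sha256 -days 3650 -in "$outdir/ca.csr" \
        -signkey "$outdir/ca.key" -extfile "$outdir/ca.ext" \
        -out "$outdir/rootcert.crt" 2>/dev/null

    # 2. Server key and CSR; the CN is the FQDN, as Answer 2 recommends.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/privatekey.key" -out "$outdir/server.csr" \
        -subj "/CN=$fqdn" 2>/dev/null

    # 3. Leaf extensions: not a CA, TLS server use only, and a SAN that lists
    #    the FQDN and the IP so either form of the URL validates.
    printf '%s\n' \
        'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' \
        'authorityKeyIdentifier=keyid,issuer' \
        "subjectAltName=DNS:$fqdn,IP:$ip" > "$outdir/server.ext"

    # 4. Sign the server CSR with the CA.
    openssl x509 -req -sha256 -days 825 -in "$outdir/server.csr" \
        -CA "$outdir/rootcert.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/server.ext" -out "$outdir/servercert.crt" 2>/dev/null
}

# verify_chain CAFILE CERT -> exit 0 only if CERT chains to the CA in CAFILE.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# san_matches OUTDIR FQDN IP -> exit 0 if the server cert's SAN lists both.
san_matches() {
    san=$(openssl x509 -in "$1/servercert.crt" -noout -text \
          | sed -n '/Subject Alternative Name/{n;p;}')
    case $san in
        *"DNS:$2"*"IP Address:$3"*) return 0 ;;
    esac
    return 1
}

# Stand-alone demo: ./make_chain.sh --demo  (writes into ./datasnap-ssl)
if [ "${1:-}" = "--demo" ]; then
    make_chain ./datasnap-ssl datasnap.example.internal 192.0.2.10
    verify_chain ./datasnap-ssl/rootcert.crt ./datasnap-ssl/servercert.crt \
        && echo "servercert.crt chains to rootcert.crt"
    san_matches ./datasnap-ssl datasnap.example.internal 192.0.2.10 \
        && echo "SAN carries both the FQDN and the IP"
fi
```

Point TDSCertFiles.CertFile at servercert.crt, KeyFile at privatekey.key and RootCertFile at rootcert.crt, and import rootcert.crt (never ca.key) into the trust store of each client that will call the server; if the server is later reached through a port forward under a different name or address, that name or address has to be in the SAN too, so reissue the server certificate rather than editing it.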