Web Server - SSL - NaviCOPA

Top  Previous  Next

Secure Socket Layer provides secure, encrypted access between a browser and NaviCOPA Web Server. A fuller explanation of this is given below.

 

Depending on your setup you may be restricted to using only one certificate. More details here.

 

Certificates can be obtained from commercial organisations such as Verisign, Globalsign and FreeSSL. FreeSSL will allow you to get a SSL certificate free to try for 30 days.

 

A free certificate is also available from StartCom Free SSL Certification Authority, and this has been successfully tested with NaviCOPA.

 

Generating and installing a Certificate.

 

Press the Generate CSR button to create a Certificate Signing Request (this is an encrypted block of data that contains the name of the server you wish to use the certificate on, your business name and your physical location - this is usually required by the Certificate Provider). Enter your details into the form which pops up.

 

It is very important to enter the correct name for your server - this is the actual name that will be used to access it from the internet, eg www.mydomain.com, home.mydomain.com, www.office.mydomain.com

 

Press the Copy to Clipboard button (and perhaps paste into a text editor and save as a file for safety).

 

Now go to the web site of your chosen Certificate Provider and follow their procedure. You will reach a point where they will ask you to put your CSR into a text box - assuming it is still on your clipboard, you can simply paste it in. You will finally be provided with your certificate, which you should copy to the clipboard (and again maybe put into a text file for safety).

 

Now press the Add button, enter the name of you server (as above) and paste the certificate into the space provided and press the OK button. The certificate will be added to the list, and its details can be inspected by pressing the Edit button.

 

Make sure Enable SSL is ticked on the Ports tab. And if this is a certificate for a virtual host make sure Allow SSL Access is ticked on the Virtual Host screen.

 

Should you for any reason wish to get rid of the certificate, press the Delete button.

 

 

ssl

 

 

 

ssl1

 

How Does SSL work?

 

SSL fulfills two functions:

 

It encrypts data between the client (browser) and server (NaviCOPA) so that it cannot be read by anyone during its passage across the internet.
It provides confirmation to the client that the host to which it is connected is really that host and not someone else impersonating it.

 

The encryption works by using a public/private key combination, and the identification by reference to a certificate from a trusted signing authority from whom the certificate was obtained.

 

Conventionally SSL connections are made to port 443 on the server (though you can vary this for your server on the Ports tab). After the initial request to open a connection, the server sends its public key to the client. The client can now use this to encrypt any data or request sent to the server - only the server can decrypt this, using its private key.

 

Once this initial exchange has taken place, the client sends a randomly generated encryption key to the server. This key is encrypted using the server's public key so only the server can decrypt it. Once this has been successfully set up, this key (known only to this client and server) will be used to encrypt all data between the two during their secure session. At the end of the session, this key will be discarded.

 

How many Certificates can I use?

 

NaviCOPA must decide which certificate to use as soon as the initial request arrives, but the request does not at this stage specify the domain. Therefore NaviCOPA does a DNS lookup for the each of the domains for which it holds certificates, until it gets the IP address of the network interface on which it received the request.

 

This will hold true for any number of certificates, provided each host (domain) has a unique 'real', external IP address which is in use by the network interface through which the request is received. If you have only one external IP address, NaviCOPA will only be able to relate this to one certificate.

 

The network interface handling the traffic to the virtual host must therefore have such a real IP Address (specific to this host), either by this interface having a direct connection to the internet, or the routing to this address being via such a direct connection through the internal network to the interface.

 

In practice however you are most likely to have only one external IP address, and if you have many virtual hosts using this, NaviCOPA will be unable to decide which certificate to use, and will use the first in the list.

 

Also, if NaviCOPA is behind a router and using an internal network address then NaviCOPA will only know about this internal address, not the 'real' address via which it is accessed from the internet. Therefore it will be unable to decide which certificate to use, and again will use the first in the list.

 

Whenever NaviCOPA uses the wrong certificate (because it cannot decide which is the correct one) the browser will report this to the user. The connection will still be properly encrypted, but the user cannot be sure that s/he is talking to the correct host.

 

Unless you are an experienced TCP/IP administrator the best way to use SSL with NaviCOPA is to only have one certificate, and only invite secure connections to the domain corresponding to this certificate.

 

Public and Private IP Addresses

 

Public addresses constitute most of those in use and are routable via the internet.

 

However some address ranges are reserved for use within private networks - these are not routable from the internet, but only within the private network. It is recommended that you use only such private addresses within your internal network.

 

Private IP addresses ranges are:

10.0.0.0 - 10.255.255.255

172.16.0.0 - 172.31.255.255

192.168.0.0 - 192.168.255.255