HTTPS and certificates
Software Installation Article | SIA-20220404-MS-01 VDG Sense | Software Installation
Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website or between applications. HTTPS is encrypted in order to increase security of data transfer. This is particularly important when users transmit sensitive data, such as passwords.
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL). TLS secures communications using asymmetric (public key) cryptography together with a public key infrastructure of certificates, which is why a server needs a certificate.
HTTPS prevents websites from having their information broadcast in a way that’s easily viewed by anyone snooping on the network. When information is sent over regular HTTP, it is broken into packets of data that can easily be “sniffed” using free software. This makes communication over an unsecured medium, such as public Wi-Fi, highly vulnerable to interception. In fact, all communication over HTTP occurs in plain text, making it readable by anyone with the right tools and vulnerable to man-in-the-middle attacks.
With HTTPS, traffic is encrypted such that even if the packets are sniffed or otherwise intercepted, they will come across as nonsensical characters.
Self-signed certificates
Technically, a self-signed certificate is a certificate signed by the same entity whose identity it certifies: it is signed with the owner’s own private key rather than by a trusted Certificate Authority (CA). Self-signed certificates are free of cost, which encourages internet users to secure websites and apps with a free SSL certificate.
Drawbacks
In a Public Key Infrastructure (PKI), a trusted Certificate Authority (CA) verifies the identity of the certificate holder and signs the certificate, and clients trust the certificate because they trust the CA. With a self-signed certificate no CA has verified the signer, so browsers and other clients will not trust it and cannot distinguish the legitimate certificate from one an attacker has created for the same name. This helps cyber criminals impersonate that website and steal information.
VDG Sense
In VDG Sense 2.5 we introduced a preliminary version of HTTPS support in the legacy API and web client. In VDG Sense 2.6 we implemented this for communication between clients and servers as well.
VDG Sense is unable to generate a certificate that can be verified by a certificate authority. Such certificates are bound to a hostname (domain). As an installer you need to configure the DNS for this domain yourself and obtain a certificate for this hostname. Once you have acquired a certificate, place the files on the server in the following folder:
C:\ProgramData\VDG Security\SenseOpenAPI\settings
This folder has to be manually created when using version 2.6.8 or higher.
When using 2.6.7 or lower go to https://localhost/config on your server to upload the certificates.
The new certificate needs to replace the existing files.
After replacing the files it is recommended to restart the server completely so these changes are processed for all Sense services.
Certificates have a set expiry date. When a certificate expires, VDG Sense will automatically replace it with a self-signed certificate.
The certificate must be in PEM format and is split into 3 files:
CA bundle
Certificate
Private key
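The following script is an added example for installers, not VDG Security’s own tooling. It takes a PEM full chain (leaf certificate followed by the CA certificates, the order certbot and most CAs deliver) plus the private key, splits them into the three parts listed above, writes them to the settings folder, and checks that the private key actually belongs to the certificate before the server is restarted. The output filenames are assumptions, since the article names the three parts but not the files; the folder path is the one stated above. The sample PEM blocks in the script are constructed placeholders, not real key material.

```python
"""Prepare the three PEM files VDG Sense expects from a full-chain PEM and key.

Added example; not VDG Security's own tooling. Output filenames are assumed
placeholders (the article names the three parts, not the files).
"""
import re
import ssl
import sys
import tempfile
from pathlib import Path

# Folder stated in the article (must be created manually on 2.6.8 or higher).
SENSE_SETTINGS_DIR = Path(r"C:\ProgramData\VDG Security\SenseOpenAPI\settings")
# ASSUMED filenames: the article does not specify them.
OUTPUT_NAMES = {"ca_bundle": "ca-bundle.pem",
                "certificate": "certificate.pem",
                "private_key": "private-key.pem"}

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

# Constructed sample data (not real certificates or keys) so the script runs offline.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
SAMPLE_INTER = "-----BEGIN CERTIFICATE-----\nINTER\n-----END CERTIFICATE-----\n"
SAMPLE_ROOT = "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = SAMPLE_LEAF + SAMPLE_INTER + SAMPLE_ROOT
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nKEYDATA\n-----END PRIVATE KEY-----\n"


def split_pem(text):
    """Return (certificates, private_keys): PEM blocks in file order."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(text):
        label, block = m.group(1), m.group(0)
        if label == "CERTIFICATE":
            certs.append(block)
        elif label == "ENCRYPTED PRIVATE KEY":
            # An unattended service cannot type a passphrase; export the key unencrypted first.
            raise ValueError("private key is passphrase-protected")
        elif label.endswith("PRIVATE KEY"):  # PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY
            keys.append(block)
        # other labels (CERTIFICATE REQUEST, DH PARAMETERS, ...) are ignored
    return certs, keys


def build_sense_files(chain_text, key_text=""):
    """Map the three Sense parts to PEM text.

    Assumes the leaf certificate is the first CERTIFICATE block (the order used by
    certbot's fullchain.pem and most CA downloads); the remaining blocks form the
    CA bundle. The key may be in its own file or appended to the chain file.
    """
    certs, keys = split_pem(chain_text)
    keys += split_pem(key_text)[1]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    if len(certs) < 2:
        raise ValueError("no CA certificates in chain; clients cannot build a trust path")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key, found {len(keys)}")
    return {"certificate": certs[0] + "\n",
            "ca_bundle": "\n".join(certs[1:]) + "\n",
            "private_key": keys[0] + "\n"}


def write_files(parts, target_dir):
    """Write the parts to target_dir (created if missing); return {part: Path}."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    written = {}
    for part, text in parts.items():
        path = target / OUTPUT_NAMES[part]
        path.write_text(text)
        written[part] = path
    return written


def key_matches_certificate(cert_path, key_path):
    """True if the key belongs to the certificate: OpenSSL checks this when the pair is loaded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(str(cert_path), str(key_path))
    except OSError:  # ssl.SSLError (mismatch or unparsable PEM) is an OSError subclass
        return False
    return True


if __name__ == "__main__":
    # usage: prepare_sense_certs.py fullchain.pem privkey.pem [target_dir]
    # With no arguments the constructed sample is written to a temporary folder.
    if len(sys.argv) >= 3:
        chain, key = Path(sys.argv[1]).read_text(), Path(sys.argv[2]).read_text()
        target = sys.argv[3] if len(sys.argv) > 3 else SENSE_SETTINGS_DIR
    else:
        chain, key, target = SAMPLE_CHAIN, SAMPLE_KEY, tempfile.mkdtemp()
    paths = write_files(build_sense_files(chain, key), target)
    for part, path in paths.items():
        print(f"{part:12} -> {path}")
    print("key matches certificate:", key_matches_certificate(paths["certificate"], paths["private_key"]))
```

Run it on the real chain and key only after the key check succeeds on them; a mismatched pair or a leaf certificate without its CA bundle is the usual reason a freshly installed certificate still produces browser warnings after the restart described above. Because Sense falls back to a self-signed certificate at expiry, the same script can be re-run from a scheduled task after each renewal to keep the files current.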