Add a server certificate to a FairCom server

The information in this section describes ways to create secure communications between a FairCom server and its clients.

FairCom products use TLS version 1.3 to encrypt communication between FairCom servers and clients. The procedures under "Configure the server to use a certificate" describe how to configure TLS for FairCom services.

For TLS to work, you need two things created specifically for each host that runs FairCom servers:

If you want a FairCom server to require clients to use client certificates for authentication, you also need the CA certificate file to be added to the server. This is the same CA certificate that you use to create the client certificates.

Clients always need the CA certificate file to ensure that they are talking to the correct server rather than a fraudulent server pretending to be that server.

You can create a certificate differently depending on whether you want to run a FairCom server on the Internet or within an internal network. Most customers run FairCom servers on their internal network.

Internal network vs. Internet
  • If you are securing a FairCom server for use within your internal network, create a self-signed TLS certificate that is designed specifically for the hostname of the computer running the FairCom server. See Tutorial: Create certificates using OpenSSL.

  • If you are making a FairCom server available on the Internet, submit a certificate signing request (CSR) to a certificate authority (CA). You will have a certificate and a private key designed specifically for the Internet domain name that hosts the FairCom server.

Important

A certificate does not certify the identity of a FairCom server. A certificate uses a network domain name or hostname to certify the identity of a computer on a network. Thus, you only need one certificate per computer. The exception is a computer with multiple network adapters that connect to different networks, which needs a separate certificate for each network.

Tip

When you run multiple FairCom servers on the same computer, you use the same certificate file and private key file for all services provided by all FairCom servers running on that computer.

Things to know

Once you have the server certificate file and private key file, you need to configure a FairCom server to use these files. This is done by adding TLS entries in the services.json file.

A FairCom server provides multiple services that communicate with external computers. These are listed in the "listeners" section of the services.json file.

Example 1. services.json structure
{
  "listeners": [],
  "applications": [],
  "APIs": [],
  "integrationServices": [],
  "transformServices": []
}


The services that require TLS use the following protocols:

Add a server certificate and its private key to a listener

  1. Navigate to and open the services.json file in a text editor.

  2. Navigate to the desired listener.

    Example 2. A listener in the services.json
    {
      "serviceName": "https8443",
      "description": "Port 8443 using TLS-secured HTTPS protocol for REST and Web Apps",
      "port":        8443,
      "protocol":    "https",
      "enabled":     true,
      "tls":
      {
        "certificateAuthoritiesFilename": "C:/Certificates/ca.crt",
        "certificateFilename":            "C:/Certificates/server.crt",
        "privateKeyFilename":             "C:/Certificates/server.key"
      }
    }


  3. Add the following "tls" object:

    "tls":         
    {
      "certificateFilename": "C:/Certificates/server.crt",
      "privateKeyFilename":  "C:/Certificates/server.key"
    }
    1. Update the "certificateFilename" property value with the full or relative path to the server certificate file.

    2. Update the "privateKeyFilename" property value with the full or relative path to the private key file.

    3. When the certificate and private key are combined into one file, update the "certificateFilename" property with the full or relative path to this file and omit the "privateKeyFilename" property.

Make the FairCom service require clients to use a client certificate for authentication

  1. Navigate to and open the services.json file in a text editor.

  2. Navigate to the desired listener.

  3. Update the "certificateAuthoritiesFilename" property value with the path to the CA certificate file.

    "tls":         
    {
      "certificateAuthoritiesFilename": "C:/Certificates/ca.crt",
      "certificateFilename":            "C:/Certificates/server.crt",
      "privateKeyFilename":             "C:/Certificates/server.key"
    }
    

    Caution

    When you specify a CA certificate on a FairCom server, it will only accept TLS connections from clients that have valid client certificates signed by the CA in the CA certificate. If you want to disable client certificate authentication, you must omit the "certificateAuthoritiesFilename" property.

Tips

  • To turn on a listener, set the "enabled" property to true.

  • To turn off a listener, set the "enabled" property to false.

  • To change the TCP/IP port of a listener, set the "port" property to a different port number.

  • To add a new listener, copy an existing listener and change the "serviceName" and "port" properties to unique values.

  • Include the "certificateAuthoritiesFilename" only when you require clients to use valid client certificates signed by the CA in the CA certificate.
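
The following is an added example, not FairCom's own code: a Python audit of the "tls" objects that the two procedures above produce, reporting for each enabled listener whether the certificate and key properties resolve to usable files and whether the presence of "certificateAuthoritiesFilename" makes client certificates mandatory. It assumes PEM-encoded files and resolves relative paths against a hypothetical `base_dir` parameter; the sample listeners and file names are constructed.

```python
import json
from pathlib import Path

# Constructed sample; listener names, ports and file names are illustrative.
SAMPLE = """
{"listeners": [
  {"serviceName": "https8443", "port": 8443, "protocol": "https", "enabled": true,
   "tls": {"certificateFilename": "server.crt", "privateKeyFilename": "server.key"}},
  {"serviceName": "https8444", "port": 8444, "protocol": "https", "enabled": true,
   "tls": {"certificateAuthoritiesFilename": "ca.crt", "certificateFilename": "combined.pem"}},
  {"serviceName": "https8445", "port": 8445, "protocol": "https", "enabled": true,
   "tls": {"privateKeyFilename": "server.key"}}
]}
"""

def _has_key(path):
    """True if the file exists and holds a PEM private key block (PEM is an assumption)."""
    return path.is_file() and "PRIVATE KEY-----" in path.read_text(errors="replace")

def audit_listeners(services, base_dir="."):
    """Return {serviceName: [findings]} for every enabled listener that has a "tls" object."""
    base, report = Path(base_dir), {}
    for listener in services.get("listeners", []):
        tls = listener.get("tls")
        if not listener.get("enabled") or tls is None:
            continue
        notes = []
        cert, key = tls.get("certificateFilename"), tls.get("privateKeyFilename")
        if not cert:
            notes.append("certificateFilename missing")
        elif not (base / cert).is_file():
            notes.append(f"certificate file not found: {cert}")
        elif key is None and not _has_key(base / cert):
            # Omitting privateKeyFilename is only valid for a combined certificate+key file.
            notes.append("privateKeyFilename omitted but certificate file holds no private key")
        if key is not None and not _has_key(base / key):
            notes.append(f"private key file missing or not a PEM key: {key}")
        # The presence of the CA property is what turns on client-certificate authentication.
        if "certificateAuthoritiesFilename" in tls:
            notes.append("client certificates required")
            if not (base / tls["certificateAuthoritiesFilename"]).is_file():
                notes.append("CA file not found: " + tls["certificateAuthoritiesFilename"])
        else:
            notes.append("client certificates not required")
        report[listener.get("serviceName", "<unnamed>")] = notes
    return report

if __name__ == "__main__":
    for name, notes in audit_listeners(json.loads(SAMPLE)).items():
        print(name, "->", "; ".join(notes))
```

Run it against a copy of services.json before restarting the server: a listener that unexpectedly reports "client certificates required" will reject every client that lacks a certificate signed by that CA.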