Difference between revisions of "Certificate Engine Properties"

(Initial Create)
 
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
The PRS Certificate Engine allows for communication between the PRS Server and client applications (desktop, mobile and web) to be secured using an SSL certificate.  This prevents PRS traffic from being intercepted, and ensures the security of access to the PRS Database.
The PRS Certificate Engine allows for communication between the PRS Server and client applications (desktop, mobile and web) to be secured using an SSL certificate provided by [https://letsencrypt.org LetsEncrypt].  This prevents PRS traffic from being intercepted, and ensures the security of access to the PRS Database.
 
=== Prerequisites ===
In order for the certificate engine to automatically create and renew certificates, please ensure the following:
 
* The Domain Name(s) to be secured must be owned by your organization and resolve to the external IP address of your router.
* Port 80 must be open on your router and must be forwarded through to Port 80 on the internal IP address of the server.
* All clients (desktop, mobile and web) must be configured to connect using one of the Domain Name(s) specified in this engine.


=== Installation ===
=== Installation ===
To install the PRS Certificate engine, click on the "Add Engine" button at the bottom-left, and select "HTTPS Certificate engine", as shown below:
[[File:Create Certificate Engine.png|frameless]]
The "Certificate Engine Properties" screen will appear.  Enter your chosen PRS Domain Name(s), (multiple separated by commas) and email address for notifications, and click OK to create the engine:
[[File:Certificate Engine Properties.png|frameless|600x600px]]
Finally, click the [[File:Engine Stopped.png|frameless|25x25px]] button to start the engine.  You can monitor the console that appears to check for errors as required:
[[File:Certificate Engine Operation.png|frameless|600x600px]]
Once the certificate engine has successfully created the certificates, restart your Database and Web Engines to ensure that all PRS traffic is SSL-encrypted:
[[File:Database Engine Certificate Confirmation.png|frameless|600x600px]]
=== Operation ===
The PRS Certificate Server works by automating the communication between your PRS system and the LetsEncrypt servers to generate the required certificates.  These certificates, once created are downloaded and stored in the PRS Server directory, and detected by the Database and Web Engines at startup. 
LetsEncrypt certificates are valid for 90 days only.  To ensure continued security, the Certificate engine is designed to renew the certificates after 60 days to ensure that your certificates always remain valid.  If a certificate cannot be renewed, the LetsEncrypt servers will begin to email (at the registered contact address) warnings, at which time you need to investigate and correct any issues found.
If the certificate is not renewed before the expiry date, the Database and Web Engines will fall back to non-encrypted communication, to ensure no downtime for your systems.  However, this exposes your PRS system to an increased risk of attack and damage, and the underlying certificate issues should be addressed as soon as possible.
=== Manual Certificates ===
If LetsEncrypt certificates are not suitable, the PRS Database and Web Engines can be configured to use third party certificate, which can be purchased and downloaded to your PR Server. 
To use a manual certificate, you will need to stop the relevant engine, and select the certificate file to use (the Database engine is shown here as an example):
[[File:Database Engine Certificate.png|frameless|600x600px]]


=== Automatic Certificates ===
Once you have selected the certificate file, restart the engine to confirm that encryption is now being used, as above.
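Review bot: the Operation text says the Database and Web Engines fall back to non-encrypted communication after expiry, but gives an administrator no way to notice that fallback other than the LetsEncrypt warning emails. Suggest adding a sentence that points to the engine certificate confirmation shown under Installation. In the Manual Certificates paragraph, "PR Server" reads as a typo for "PRS Server", and "third party certificate" needs an article.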

Latest revision as of 06:40, 23 November 2022

The PRS Certificate Engine allows for communication between the PRS Server and client applications (desktop, mobile and web) to be secured using an SSL certificate provided by LetsEncrypt. This prevents PRS traffic from being intercepted, and ensures the security of access to the PRS Database.

Prerequisites

In order for the certificate engine to automatically create and renew certificates, please ensure the following:

  • The Domain Name(s) to be secured must be owned by your organization and resolve to the external IP address of your router.
  • Port 80 must be open on your router and must be forwarded through to Port 80 on the internal IP address of the server.
  • All clients (desktop, mobile and web) must be configured to connect using one of the Domain Name(s) specified in this engine.

Installation

To install the PRS Certificate engine, click on the "Add Engine" button at the bottom-left, and select "HTTPS Certificate engine", as shown below:

Create Certificate Engine.png

The "Certificate Engine Properties" screen will appear. Enter your chosen PRS Domain Name(s) (separate multiple names with commas) and an email address for notifications, then click OK to create the engine:

Certificate Engine Properties.png

Finally, click the engine start button (icon: Engine Stopped.png) to start the engine. You can monitor the console that appears to check for errors as required:

Certificate Engine Operation.png

Once the certificate engine has successfully created the certificates, restart your Database and Web Engines to ensure that all PRS traffic is SSL-encrypted:

Database Engine Certificate Confirmation.png

Operation

The PRS Certificate Server works by automating the communication between your PRS system and the LetsEncrypt servers to generate the required certificates. Once created, these certificates are downloaded and stored in the PRS Server directory, where the Database and Web Engines detect them at startup.

LetsEncrypt certificates are valid for 90 days only. The Certificate engine is designed to renew the certificates after 60 days, so that your certificates always remain valid. If a certificate cannot be renewed, the LetsEncrypt servers will begin to email warnings to the registered contact address, at which time you need to investigate and correct any issues found.

If the certificate is not renewed before the expiry date, the Database and Web Engines will fall back to non-encrypted communication, to ensure no downtime for your systems. However, this exposes your PRS system to an increased risk of attack and damage, and the underlying certificate issues should be addressed as soon as possible.
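A monitoring check for the renewal schedule described above, as an added example that is not part of the PRS documentation or software: it classifies a certificate against the page's 90-day lifetime and 60-day renewal point and confirms that the configured domain names are covered. The host name `prs.example.com`, the sample certificate and the port passed to `check` are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_AFTER_DAYS = 60  # renewal point stated on this page (certificates last 90 days)

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_CERT = {
    "notBefore": "Nov  1 00:00:00 2022 GMT",
    "notAfter": "Jan 30 00:00:00 2023 GMT",
    "subjectAltName": (("DNS", "prs.example.com"),),
}


def _utc(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def classify(cert, domains, now=None):
    """Return (state, days_left, problems) for a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    # Exact-name comparison only; wildcard entries are not expanded here.
    problems = [f"{d} is not in the certificate" for d in domains if d.lower() not in sans]
    if now >= not_after:
        state = "EXPIRED"            # page: engines fall back to non-encrypted traffic
    elif (now - not_before).days > RENEW_AFTER_DAYS:
        state = "RENEWAL_OVERDUE"    # automatic renewal should already have happened
    else:
        state = "OK"
    return state, (not_after - now).days, problems


def check(host, port, domains, timeout=5.0):
    """Fetch the live certificate and classify it; the port is site-specific (assumption)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify(tls.getpeercert(), domains)
    except ssl.SSLError as exc:      # expired/untrusted certificate or a non-TLS listener
        return "TLS_FAILED", None, [str(exc)]
    except OSError as exc:           # DNS failure, refused connection, timeout
        return "UNREACHABLE", None, [str(exc)]
```

Run `check` from a scheduled task and alert on any state other than `OK`, so a missed renewal is caught before the engines fall back to non-encrypted communication.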

Manual Certificates

If LetsEncrypt certificates are not suitable, the PRS Database and Web Engines can be configured to use a third-party certificate, which can be purchased and downloaded to your PRS Server.

To use a manual certificate, you will need to stop the relevant engine, and select the certificate file to use (the Database engine is shown here as an example):

Database Engine Certificate.png

Once you have selected the certificate file, restart the engine to confirm that encryption is now being used, as above.