Certificates to enable HTTPS
We recommend that certificates are stored in the $BSE/security/certs folder, under the client and server sub-folders.
The administrator must install the appropriate certificates in the correct location. For guidance on how to obtain certificates, see Dealing with certificates.
Client certificates
Client certificates authenticate the client side of a connection to the server side (website or web service). A client certificate can identify a user, an organizational unit, or a server that acts as a client. The client certificate is presented to the server during the SSL/TLS handshake, together with proof that the client holds the matching private key. If the server cannot verify the client certificate against a certificate authority (CA) it trusts, the connection is refused.
For security reasons the private key that belongs to the client certificate must be password protected (stored encrypted), and the password must be kept secret. Anyone who has access to both the key file and its password can assume the identity of the legitimate owner of the certificate, so the key file must also be readable only by the account that runs the client.
Preferably, client certificates must be stored in PEM format in the $BSE/security/certs/client folder.
The client certificate is specified with the SoapService.SetClientCertFile() SOAP function. The password of the accompanying private key is set with the SoapService.SetPrivateKeyPasswd() SOAP function.
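The following shell script is an added example and is not part of this documentation or of the Baan SOAP library. It creates a password-protected client certificate and key in PEM format with the OpenSSL command-line tool, then checks that the key really is encrypted, that only the correct password (the value you would hand to SoapService.SetPrivateKeyPasswd()) unlocks it, and that certificate and key belong together. The directory, subject name and password are constructed for the example. A real client certificate would normally be issued by a CA that the server trusts rather than self-signed, and whether SetClientCertFile() expects certificate and key in one file or in separate files is not stated on this page, so the combined client.pem file is an assumption.

```shell
#!/bin/sh
# Added example, not Baan/Infor code. Requires the openssl command-line tool.
set -eu

# Create a self-signed client certificate with a password-protected RSA key.
# $1 = output directory, $2 = subject common name, $3 = key password.
make_client_cert() {
  dir=$1; cn=$2; pw=$3
  # Without -nodes, "req -newkey" encrypts the private key; -passout supplies
  # the password non-interactively (in production read it from a file or a
  # prompt, so that it never appears on a command line or in shell history).
  openssl req -x509 -newkey rsa:2048 -days 365 -subj "/CN=$cn" \
    -keyout "$dir/client.key.pem" -out "$dir/client.crt.pem" \
    -passout "pass:$pw" >/dev/null 2>&1
  # Assumption: a combined PEM (certificate first, then the encrypted key) is
  # what the SOAP client is pointed at with SetClientCertFile().
  cat "$dir/client.crt.pem" "$dir/client.key.pem" > "$dir/client.pem"
  chmod 600 "$dir/client.key.pem" "$dir/client.pem"
}

# 0 if the PEM key is encrypted: PKCS#8 "ENCRYPTED PRIVATE KEY" (OpenSSL 1.1
# and later) or the legacy "Proc-Type: 4,ENCRYPTED" header (OpenSSL 1.0).
key_is_encrypted() {
  grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if password $2 decrypts the key in $1, non-zero otherwise.
key_password_ok() {
  openssl pkey -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# 0 if certificate $1 and encrypted key $2 (password $3) carry the same public key.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey)
  k=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

WORK=$(mktemp -d)               # stands in for $BSE/security/certs/client
PASSWORD='demo-only-secret'     # constructed for this example
make_client_cert "$WORK" client.example.test "$PASSWORD"

if key_is_encrypted "$WORK/client.key.pem"; then echo "key is encrypted"; fi
if key_password_ok "$WORK/client.key.pem" "$PASSWORD"; then echo "password accepted"; fi
if ! key_password_ok "$WORK/client.key.pem" wrong-password; then echo "wrong password rejected"; fi
if cert_matches_key "$WORK/client.crt.pem" "$WORK/client.key.pem" "$PASSWORD"; then
  echo "certificate and key match"
fi
```

The check for a plain "BEGIN RSA PRIVATE KEY" or "BEGIN PRIVATE KEY" header without an encryption marker is the one to run before a key file is copied into $BSE/security/certs/client: such a key is unprotected, and anyone who can read the file can impersonate the client without knowing any password.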
Server certificates
So-called server certificates authenticate a server. They can be self-signed (less secure, because the client has to trust each such certificate individually and there is no CA to vouch for it or revoke it) or signed by a recognized certificate authority (CA) such as VeriSign. The server certificate is presented to the client during the SSL/TLS handshake. The client trusts the server if it has the root certificate that issued the server certificate (directly or through intermediate certificates) among its trusted certificates and the chain verifies; a careful client also checks that the name in the certificate matches the host it connected to, because a valid chain alone does not prove that the certificate belongs to that host. If the server certificate cannot be verified, the connection is refused.
Preferably, server certificates must be stored in PEM format in the $BSE/security/certs/server folder. The administrator can decide to store the certificates in another location.
If the SoapService.SetCertAuthorityDir() SOAP function is used, the directory must contain the trusted CA certificates under their hashed file names: each name is the hash of the certificate's subject name followed by .0 (.1, .2, and so on when several certificates share the same hash), and the file must either link to or have the contents of the appropriate certificate. An example of a hashed file name is 415660c1.0, which is the hashed file name of the vsign3.pem certificate. Because OpenSSL 1.0.0 changed the hash algorithm, the names must be generated with the same OpenSSL version that the runtime uses; otherwise OpenSSL does not find the certificate and verification fails.
You can also use a so-called CA-bundle, which is a single file that contains multiple (root) certificates, concatenated in PEM format. In that case the SoapService.SetCertAuthorityFile() SOAP function must point OpenSSL to the file name of the CA-bundle.
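The shell script below is an added example and is not part of this documentation or of the Baan SOAP library. It covers the two trust-store layouts described above, the hashed directory that SoapService.SetCertAuthorityDir() expects and the CA-bundle file that SoapService.SetCertAuthorityFile() expects, and the host-name check mentioned under Server certificates. With a throw-away root CA it issues a server certificate, derives the hashed file name with OpenSSL, installs the CA certificate under that name, builds a bundle, and verifies the server certificate against both; it also shows that a directory holding an unrelated CA, or a certificate for a different host name, is refused. All names, directories and CAs are constructed for the example; OpenSSL 1.1.0 or later is assumed for the -verify_hostname, -no-CAfile and -no-CApath options.

```shell
#!/bin/sh
# Added example, not Baan/Infor code. Requires OpenSSL 1.1.0 or later on PATH.
set -eu

WORK=$(mktemp -d)
CAPATH="$WORK/server"                   # stands in for $BSE/security/certs/server
OTHERPATH="$WORK/other"                 # a directory that trusts the wrong CA
mkdir -p "$CAPATH" "$OTHERPATH"

# A throw-away root CA and an unrelated one. Keys are unencrypted (-nodes) only
# because this is a demo; a real CA key is kept offline and encrypted.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Root CA' \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Unrelated CA' \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# Server certificate issued by the demo CA, with the host name in a SAN
# (modern clients match the SAN, not the CN).
openssl req -newkey rsa:2048 -nodes -subj '/CN=ln.example.test' \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:ln.example.test\nbasicConstraints=CA:FALSE\n' > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 365 -extfile "$WORK/server.ext" -out "$WORK/server.pem" >/dev/null 2>&1

# Hashed file name as used by SetCertAuthorityDir(): 8 hex digits of the
# subject-name hash plus ".0" (".1", ".2", ... when several CA certificates
# share the same hash). -subject_hash is the algorithm of OpenSSL 1.0.0 and
# later; a runtime built on OpenSSL 0.9.x expects -subject_hash_old instead,
# so generate the names with the OpenSSL version the runtime actually uses.
hashed_name() {
  printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Copy a CA certificate into a CApath directory and add the hashed-name link.
install_ca() {
  dir=$1; cert=$2; base=$(basename "$cert")
  cp "$cert" "$dir/$base"
  ln -sf "$base" "$dir/$(hashed_name "$cert")"
}

# Chain check against a hashed directory. -no-CAfile/-no-CApath stop OpenSSL
# from also loading its default trust file and directory, so the result
# reflects the directory we pass (OpenSSL 3 additionally has -no-CAstore).
verify_with_capath() {
  openssl verify -no-CAfile -no-CApath -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Chain check against a CA-bundle file, as SetCertAuthorityFile() would use.
verify_with_cafile() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Chain check plus host-name check: a valid chain alone does not prove the
# certificate belongs to the host you dialled. $1 = bundle, $2 = cert, $3 = host.
verify_host() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -verify_hostname "$3" "$2" 2>&1 \
    | grep -q ': OK$'
}

install_ca "$CAPATH" "$WORK/ca.pem"
install_ca "$OTHERPATH" "$WORK/other.pem"
cat "$WORK/ca.pem" "$WORK/other.pem" > "$WORK/ca-bundle.pem"   # bundle = concatenated PEM roots
echo "hashed name of ca.pem: $(hashed_name "$WORK/ca.pem")"

if verify_with_capath "$CAPATH" "$WORK/server.pem"; then echo "CApath: chain OK"; fi
if ! verify_with_capath "$OTHERPATH" "$WORK/server.pem"; then echo "CApath with wrong CA: refused"; fi
if verify_with_cafile "$WORK/ca-bundle.pem" "$WORK/server.pem"; then echo "CA-bundle: chain OK"; fi
if verify_host "$WORK/ca-bundle.pem" "$WORK/server.pem" ln.example.test; then echo "host name matches"; fi
if ! verify_host "$WORK/ca-bundle.pem" "$WORK/server.pem" evil.example.test; then echo "wrong host name: refused"; fi
```

Running verify_with_capath against the real $BSE/security/certs/server directory and the certificate a server actually presents is a quick way to confirm that the hashed names were generated with the right OpenSSL version before the SOAP client is configured; a missing or stale hash link shows up as "unable to get local issuer certificate".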