SSL Certificates for Cryptography

From HSYCO
Jump to navigation Jump to search

HSYCO supports high-grade cryptography (TLS ECDHE RSA with AES 128 GCM SHA 256, 128 bit keys, TLS 1.2) to protect the communication between the web browser used by HSYCO web interface and the HSYCO web server.

This is considered secure for commercial applications (for example, on-line banking and e-commerce) and for the exchange of classified information.

HSYCO can use either self-generated certificates, or import certificates issued by a Certification Authority (CA).

A Java Virtual Machine version 8 or above is required to fully support HTTPS encryption, and to ensure compatibility with modern Web browsers.


Self-Generated Certificates

When the SSL certificate is generated by HSYCO, and it is therefore not signed by a Certification Authority recognized by the Web Browser, it is normal for the browser to display a security message during the first access to the site or periodically at the beginning of a new session.

This message asks the user a confirmation about the reliability of the server with which it is trying to start a secure session; since the certificate is not signed by a known CA, the browser can’t guarantee the identity of the server. By accepting the certificate, the connection is established and it is possible to proceed normally.

Anyway, even when the certificate is generated by HSYCO, all the exchanged data are protected by cryptography, as with signed certificates.

The auto-generated certificate guarantees the same level of cryptographic protection as an equivalent certificate signed by a CA.

The ServerName parameter in the hsyco.ini configuration file specifies the name used to generate the SSL certificate, necessary for the cryptography of the HTTPS Web traffic, and must correspond to the domain name through which HSYCO is accessible via the Internet.

The certificate is contained in the hsyco.keys file.

When HSYCO is started, if this file is not available, a new SSL certificate is automatically generated according to the name defined in ServerName.

Otherwise, HSYCO simply uses the certificate contained in this file, which could have also been generated by an official Certification Authority (CA).

If an official certificate has not been chosen, this file is thus created and managed by HSYCO without any manual intervention.

If the name defined in ServerName is modified, HSYCO will automatically recreate a new hsyco.keys file the next time it restarts.

Importing the Self-Generated Certificate on your Client

The logout popup

With some browsers and operating systems, like Safari on iOS, permanently importing the self-generated certificate in the local keystore could improve HSYCO's gui usability.

If the certificate is stored in the local keystore, the browser will always accept the HTTPS connection to HSYCO without asking for confirmation. On iOS, and in combination with the HTML5 persistent cache, saving the certificate locally will also significantly improve the gui initialization time.

To download the server certificate's public key in PEM format, simply click the link in the logout panel, then follow the browser or operating system's instructions to save the certificate.

Certificates Issued by Certification Authorities

In order to import a valid certificate issued by a Certificate Authority, the certificate must first be requested, validated and then issued by the CA. HSYCO is compatible with certificates created by the ZeroSSL CA (https://zerossl.com), but other CAs may work as well.

The Certificate Signing Request (CSR) should be generated by the CA.

Once the certificate is created, the CA should allow you to download the following three files:

  • certificate.crt: this file contains the primary SSL certificate
  • ca_bundle.crt: this file contains the intermediate certificate. The ZeroSSL ca_bundle.crt file only one intermediate certificate (ZeroSSL CA). The root certificate that signs this immediate certificate is trusted by all browsers and almost all SSL clients
  • private.key: this file contains the private key.

In the HSYCO main directory, create a new sub-directory called "hsyco.cert", and copy these three files in it.

Check that the ServerName parameter in hsyco.ini matches the certificate's CN (full domain name). Note that HSYCO only supports single-domain certificates, not multi-domain or wildcard certificates.

Restart HSYCO in order to import the new certificate. If the import is successful, the certificate will be stored in the hsyco.keys keychain file, and the hsyco.cert directory will be deleted.