Supporting SSL for development on pimentaCHAT
If you are working with mobile apps, it is required that your server supports SSL.
pimentaCHAT is a “middle-tier application server”; by itself it does not handle SSL. However, pimentaCHAT works well with several industrial-grade, battle-tested reverse proxy servers that you can configure to handle SSL.
You should find yourself in one of two situations:
- The pimentaCHAT server is publicly accessible on the internet.
- The pimentaCHAT server is not accessible on the internet.
This doc is split into two sections, one for each of the situations you might find yourself in.
The pimentaCHAT server is publicly accessible on the internet
If your server is publicly accessible, it is recommended that you use a service like Let’s Encrypt to obtain your SSL certificates. A detailed guide for configuring your choice of SSL reverse proxy server is provided here: Configuring SSL Reverse Proxy
If you are using Ubuntu, this can be configured automatically with the help of Snaps. A guide is provided here: Installing pimentaCHAT on Ubuntu with Snaps
The pimentaCHAT server is not accessible on the internet
If your server is not accessible on the internet, you will need to provide self-signed certificates to configure SSL on the server.
In this doc, we will be creating a self-signed root certificate and using it to generate our SSL certificates. The steps written below have been adapted from Self Signed Certificate with Custom Root CA.
Step 1: Create Root CA
Create Root Key
Attention: This is the key used to sign the certificate requests; anyone holding it can sign certificates on your behalf, so keep it in a safe place!
openssl genrsa -des3 -out pimentaCHAT-root.key 4096
If you want a key that is not password protected, just remove the -des3 option.
Create and self sign the Root Certificate
openssl req -x509 -new -nodes -key pimentaCHAT-root.key -sha256 -days 1024 -out pimentaCHAT-root.crt
Here we used our root key to create the root certificate that needs to be distributed to all the computers that have to trust us.
NOTE: It is not recommended that you distribute this root certificate in production. A breach of the above-generated key will expose every device that trusts your root certificate to potential security threats.
Step 2: Create an SSL certificate
Create the certificate key
openssl genrsa -out mydomain.com.key 2048
Here, mydomain.com should be replaced with your IP address (Bonjour local domains work as well!).
Create the certificate signing request
Important: When creating the certificate signing request, it is important to specify the Common Name with the IP address or URL of the service; otherwise the certificate cannot be verified.
openssl req -new -key mydomain.com.key -out mydomain.com.csr
Generate the SSL certificate
Here, we are using the mydomain.com CSR along with the pimentaCHAT-root CA.
openssl x509 -req -in mydomain.com.csr -CA pimentaCHAT-root.crt -CAkey pimentaCHAT-root.key -CAcreateserial -out mydomain.com.crt -days 365 -sha256
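Steps 1 and 2 as one script, added here as an example and not taken from the pimentaCHAT docs. It assumes openssl is on the PATH, uses a constructed LAN address, and goes one step beyond the text in two ways: it adds a subjectAltName extension (modern clients require it in addition to the Common Name) and it verifies the result against the root the way a device that trusts pimentaCHAT-root.crt would.

```shell
#!/bin/sh
# Added example (not part of the pimentaCHAT docs): runs Steps 1 and 2 in one
# go and then checks the result the way a device that trusts the root will.
# The root key is created without -des3 so nothing prompts for a passphrase.
set -eu

# san_kind <host-or-ip>: prints IP for a dotted IPv4 address, DNS otherwise.
san_kind() {
  case $1 in
    *[!0-9.]*) echo DNS ;;
    *)         echo IP ;;
  esac
}

# make_dev_certs <outdir> <host-or-ip>
# Writes pimentaCHAT-root.{key,crt} and <host>.{key,csr,crt} into <outdir>.
make_dev_certs() {
  outdir=$1; host=$2
  mkdir -p "$outdir"
  # Step 1: root key and self-signed root certificate (the CN is a constructed name).
  openssl genrsa -out "$outdir/pimentaCHAT-root.key" 4096 2>/dev/null
  openssl req -x509 -new -nodes -key "$outdir/pimentaCHAT-root.key" -sha256 \
    -days 1024 -subj "/CN=pimentaCHAT dev root CA" -out "$outdir/pimentaCHAT-root.crt"
  # Step 2: server key, CSR with the host as Common Name, then sign with the root.
  openssl genrsa -out "$outdir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$outdir/$host.key" -subj "/CN=$host" -out "$outdir/$host.csr"
  # Extensions for the leaf: a SAN matching the host plus the server-auth usage.
  printf 'subjectAltName=%s:%s\nextendedKeyUsage=serverAuth\n' \
    "$(san_kind "$host")" "$host" > "$outdir/$host.ext"
  openssl x509 -req -in "$outdir/$host.csr" -CA "$outdir/pimentaCHAT-root.crt" \
    -CAkey "$outdir/pimentaCHAT-root.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$outdir/$host.ext" -out "$outdir/$host.crt" 2>/dev/null
}

# verify_dev_cert <root.crt> <leaf.crt> <host-or-ip>
# Returns 0 only if the leaf chains to the given root AND its SAN matches the
# host, i.e. the two checks a client performs once the root is trusted.
verify_dev_cert() {
  root=$1; leaf=$2; host=$3
  if [ "$(san_kind "$host")" = IP ]; then flag=-verify_ip; else flag=-verify_hostname; fi
  openssl verify -CAfile "$root" "$flag" "$host" "$leaf" >/dev/null 2>&1
}

# Example run for a constructed LAN address: sh this-script.sh run
if [ "${1:-}" = run ]; then
  make_dev_certs ./dev-certs 192.168.1.10
  verify_dev_cert ./dev-certs/pimentaCHAT-root.crt ./dev-certs/192.168.1.10.crt 192.168.1.10 && echo OK
fi
```

The generated <host>.crt and <host>.key are the files Step 3 hands to the reverse proxy, and the root is the one each device must trust in Step 4.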
Step 3: Configuring SSL for pimentaCHAT
The mydomain.com.crt and mydomain.com.key files generated above will be used as the certificate and the private key to configure SSL.
A detailed guide for configuring your choice of SSL reverse proxy server is provided here: Configuring SSL Reverse Proxy
Step 4: Trusting Certificate Authority
All the devices that need to communicate with the server during development need to trust the root certificate we generated in Step 1 (pimentaCHAT-root.crt).
- For Apple devices follow the instructions here: HTTPS and Test Servers
- For Android devices follow the link Add & remove certificates, and scroll down to “Work with CA certificates (trusted credentials)”.
Installation instructions for other operating systems can be easily found online.
On successful installation of the root certificate, the device should be able to access pimentaCHAT over SSL.
Troubleshooting
If your device is not able to connect over SSL, please make sure that the URL has https:// explicitly typed out before it.