How to secure the Webinterfaces with SSL

Questions and answers on how to get the most out of FFAStrans
Thomas Parb
Posts: 3
Joined: Thu Jun 12, 2025 10:36 am

How to secure the Webinterfaces with SSL

Post by Thomas Parb »

We would like to use the ...
  • FFAStrans status monitor
  • Webinterface on port 3002
via https instead of http.
We have an internal certification authority and can create the certificates ourselves.
The only question is, what is the best procedure to do this?

Many thanks for your help, lg Tom
FranceBB
Posts: 285
Joined: Sat Jun 25, 2016 3:43 pm

Re: How to secure the Webinterfaces with SSL

Post by FranceBB »

In the Web Interface folder you're gonna find a folder called cert.
Inside you're gonna find cert.pem, key.pem and myserver.cnf which are there as examples (please DO NOT use that certificate in production).
You'll need to generate your own and there are essentially two ways of doing it: self signed certificates or CA Signed certificates.
For both options, you'll need OpenSSL which you can download from https://wiki.openssl.org/index.php/Binaries

Self signed certificates
Those kinds of certificates will be signed by yourself, which means that you'll both create and sign the certificate yourself.
Certificates are generally used to validate the authenticity of a host, which means that if you self-sign this certificate,
any client accessing the webinterface will need to have it saved as trusted, otherwise the browser will report a big red warning.
If you're the administrator of a domain and you're planning to use the webinterface on an internal network only,
then you can easily use this option and deploy the cert via Group Policy to all machines registered to the domain.
If not, then go to option 2, CA Signed Certificates down below.

To generate a self signed certificate, first open cmd (run as administrator).
Then cd to wherever you installed OpenSSL, in my case:

    cd \Program Files\OpenSSL-Win64\bin

Generate a private key that you will never ever share with anyone else.
This will be generated based on a password you'll choose (memorize the password and store it safely) using AES256:

    openssl genrsa -aes256 -out "C:\Temp\key.pem" 2048

(when prompted to choose a password, type it and confirm it)

Once you have the key.pem, you need to edit the default example configuration file, namely myserver.cnf.
Edit it with notepad and under "ORGNAME" insert the name of your company (or your own name), then save it.

At this point you're almost done, all you need is to generate the certificate.
To do that, put the edited myserver.cnf in C:\Temp\, then go back to the same cmd as before and type:

    openssl req -config "C:\Temp\myserver.cnf" -key "C:\Temp\key.pem" -new -x509 -days 7300 -sha256 -out "C:\Temp\cert.pem"

You're all done, you can now just collect the key.pem, cert.pem and myserver.cnf,
put them in the cert folder of the webinterface by replacing the example one
and after that you can easily go to settings, fill the password field with the password you picked during the creation of the key.pem
and enable the HTTPS mode.


CA Signed certs
Those kinds of certificates will be issued by a CA Authority, which means that they will be trusted by all modern OS and computers on the web.
CA Authorities are trustworthy organizations which are recognized across the world and are stored in the Trusted Root by various OS.
To do this, we will need to create a CSR (Certificate Signing Request) in which we will ask the Certificate Authority to trust us.

They'll review it and decide whether they'll grant you the certificate or not.
If everything checks out, you'll get a new cert.pem which you'll be able to put in the cert folder of the webinterface
by replacing the example one and you can do the same with the key.pem that you find in C:\Temp.
After that you can easily go to the Webinterface, click on settings, fill the "PK_PASSWORD" field
with the password you picked during the creation of the key.pem and enable the HTTPS mode on the webinterface GUI.
Restart the service (or reboot the host) and you're done.

First things first, let's fire up OpenSSL.
Open cmd (run as administrator) and cd to wherever you installed OpenSSL, in my case:

    cd \Program Files\OpenSSL-Win64\bin

Generate a private key that you will never ever share with anyone else.
This will be generated based on a password you'll choose (memorize the password and store it safely) using AES256:

    openssl genrsa -aes256 -out "C:\Temp\key.pem" 2048

(when prompted to choose a password, type it and confirm it)

Once you have the key.pem, you need to generate a CSR (Certificate Signing Request).
The CA (Certificate Authority) will need a few pieces of information from you:

1) Country Name (2 letter code)
2) State or Province Name (full)
3) Locality Name (eg, city)
4) Organization Name (eg, company)
5) Organizational Unit Name (eg, section)
6) Common Name (eg, your name)
7) Email Address (your email)
8) A challenge password (a safe password that you can share with the CA, NOT the one you used to generate the key!)
9) An optional company name

As soon as you type the following command, OpenSSL will ask you to fill the info above and it will generate the CSR:

    openssl req -new -key "C:\Temp\key.pem" -out "C:\Temp\ffastrans_webinterface_csr.txt"

You're all done, grab the code signing request .txt file from C:\Temp and send it to the CA along with the URL of the webinterface.
They'll review it and decide whether they'll grant you the certificate or not.
If everything checks out, you'll get a new shiny cert.pem which you'll be able to put in the cert folder of the webinterface
by replacing the example one and you can do the same with the key.pem that you find in C:\Temp.
After that you can easily go to settings, fill the password field with the password you picked during the creation of the key.pem
and enable the HTTPS mode.


Side note:
Sometimes the CA might not send back a .pem as certificate but rather an x509 .cer certificate.
If that's the case, don't despair, you just need to convert it to .pem first.
To do so, you can just:

    openssl x509 -in "C:\Temp\cert.cer" -outform PEM -out "C:\Temp\cert.pem"

I hope it helps.
Let me know how it goes and which method you end up picking.
For reference, I've done this very thing myself and we picked method 2, so the CA Signed certs, which I think is probably gonna be the same way you're gonna do it since you said that you have an internal CA. :)
Thomas Parb
Posts: 3
Joined: Thu Jun 12, 2025 10:36 am

Re: How to secure the Webinterfaces with SSL

Post by Thomas Parb »

Thanks for your fast reply -

Yes, it will be option 2 - I will give it a try ;) and let you know

regards, Tom
emcodem
Posts: 1869
Joined: Wed Sep 19, 2018 8:11 am

Re: How to secure the Webinterfaces with SSL

Post by emcodem »

There is also support for pfx meanwhile. It just checks whether cert.pfx instead of cert.pem exists in the cert folder; if yes, it will be taken and there is no need for key.pem (because we assume the key to be included in the pfx).
Don't forget to enter and save the private key passphrase in the webui admin config (where you enable SSL too).

If you cannot access the webint anymore while playing, stop the application, open the database config file and disable SSL by writing false instead of true in the JSON at STATIC_WEBSERVER_ENABLE_HTTPS.
All changes to the cert files require a restart of the server.exe application.
emcodem, wrapping since 2009 you got the rhyme?
Thomas Parb
Posts: 3
Joined: Thu Jun 12, 2025 10:36 am

Re: How to secure the Webinterfaces with SSL

Post by Thomas Parb »

OK - I just updated to the latest version... but there is no subfolder "cert" in the Webinterface folder...

Any idea why?

regards, Tom
FranceBB
Posts: 285
Joined: Sat Jun 25, 2016 3:43 pm

Re: How to secure the Webinterfaces with SSL

Post by FranceBB »

emcodem wrote: Fri Jun 13, 2025 12:28 pm There is also support for pfx meanwhile
Oh... nice! :D
Thomas Parb wrote: Fri Jun 13, 2025 1:29 pm but there is no subfolder "cert" in the Webinterface folder
It's not a big deal, you can just create it, all lowercase, with the name "cert", as a subfolder of the root (i.e. inside the main webinterface folder) and put the cert.pem and key.pem there and it should work just fine. :)

By the way, the only reason why I haven't recommended cert.pfx is that, unlike the pem, I haven't actually tested it myself, but I will.