Traditional certificates for HTTPS communication are signed and issued by a publicly trusted third-party Certificate Authority (CA) from a list of trusted CAs that is managed and updated by macOS and Windows.
The CA provides assurance to each machine that the other machine is the one it claims to be, allowing for encrypted communication between devices.
For a client machine to trust a website (or server), a Certificate Authority that the client trusts must also vouch for that domain.
Obtaining an SSL certificate for HTTPS requires domain validation, which is a multi-step process, often provided as an annual service by commercial CAs (if you already have a certificate to import, follow the instructions in the EVO guide here).
Alternatively, it's possible to use a self-signed certificate, acting as your own certificate authority.
Using a self-signed certificate is a simple way to generate a certificate that won't expire, quickly and at no cost.
Unlike a domain-validated certificate, self-signing also allows for reserved private (LAN) addresses (192.168.0.0, 10.0.0.0, 172.16.0.0).
HOWEVER: Using a self-signed certificate requires additional configuration for each client workstation, since the workstations' trusted public CAs will have no awareness of the self-signed certificate.
Note: If you'd prefer to create a new domain-validated certificate, EVO can instead generate a certificate signing request (CSR) to be used for that process (with a third party).
Note: If you already have your own domain-validated certificate, follow the instructions in the EVO guide here (or contact support if the menu is unavailable).
The following example shows how to configure a v7 EVO with HTTPS by creating and applying a self-signed certificate.
Prerequisites
- EVO v7.0.268 or higher
- macOS 10.15+ or Windows 10
- Safari or Chrome
WARNING: Do not enable HTTPS until prepared to do so, following the steps in this article. Attempting to access EVO using HTTPS without trusting the certificate on the workstation will result in SSL security errors and problems accessing ShareBrowser and EVO's web interface.
Create a self-signed certificate:
- Navigate to System > Admin Settings (#/admin-settings)
- Locate the Server certificate card
- Click the three-dot menu at the top right of the card
- Select Create certificate
- Select Create self-signed certificate and click Next
- Enter useful information for the certificate you wish to create and click Create
(The certificate is self-signed in this case, so the information entered in these fields is for your benefit)
- Download the certificate before enabling HTTPS
You will then be prompted to download the certificate. If the prompt is missed, you can also manually download the certificate via Export certificate from the Server certificate card’s three-dot menu.
- Click Cancel and manually enable HTTPS later (to avoid any temporary loss of access), or click OK, ENABLE HTTPS and proceed with the steps below.
- Now that EVO has generated an SSL certificate, each workstation needs to be instructed to trust the self-signed certificate before it can establish a secure connection.
macOS
Trusting a self-signed certificate using macOS
- Open Keychain Access
- Locate your self-signed certificate in Finder
- Drag your certificate from Finder into Keychain Access
- In Keychain Access, double click on the certificate that you just dragged in
- Next to Trust, click the drop down arrow to display the trust policies for the certificate
- Next to “When using this certificate”, click the drop down menu and change to Always Trust
Both Safari and Chrome should now recognize your self-signed certificate as trusted. If Firefox is used, it needs a few additional steps:
- Open Firefox and enter about:config in the address bar
- Click Accept the Risk and Continue
- In the field “Search preference name” enter security.enterprise_roots.enabled
- Double click on the value and set to true
The workstation should now be able to establish a secure connection to the HTTPS-enabled EVO in a web browser or ShareBrowser Desktop Client.
If Nomad is used, some additional configuration is needed:
Nomad HTTPS using macOS
- Open Terminal (Applications -> Utilities -> Terminal)
- Navigate to the directory that contains your self-signed certificate. For example:
cd ~/Desktop
cd MyCert
- Convert the .crt file to .pem format:
openssl x509 -in evo-web.crt -out evo-web.pem -outform PEM
- Quit Terminal
- Open Finder and navigate to your home directory:
- Hold down the Command, Shift, and H keys at the same time
- Once in your home directory, show all hidden files:
- Hold down the Command, Shift, and Period keys at the same time
- Double click on .sns-nomad-preferences.conf (this file is created when running Nomad for the first time)
- Select Choose Application…
- Select TextEdit
- Locate the line that contains https_pem =
- Carefully change this line’s value to the location of your PEM file, then save the file and close TextEdit. For example, if your macOS user name is admin, that line might be changed to:
https_pem = /Users/admin/Desktop/MyCert/evo-web.pem
- Open Nomad
- Verify that HTTPS is enabled within Nomad:
- Select Help -> HTTPS
- When enabled, a checkmark appears next to the menu item. If it’s not already checked, click HTTPS to enable it.
- Nomad should now be able to connect to EVO using HTTPS (once enabled on your EVO).
Windows
Trusting a self-signed certificate using Windows 10
- Locate your self-signed certificate in Explorer
- Double click on the certificate and select Open
- Click Install Certificate…
- Choose either Current User or Local Machine
- Next to “Place all certificates in the following store”, click Browse…
- Select Trusted Root Certification Authorities
- If you’re prompted with a security warning, ensure you select Yes to install the certificate
Both Safari and Chrome should now recognize your self-signed certificate as trusted. If Firefox is used, it needs a few additional steps:
- Open Firefox and enter about:config in the address bar
- Click Accept the Risk and Continue
- In the field “Search preference name” enter security.enterprise_roots.enabled
- Double click on the value and set to true
Note: To manage certificates in Windows 10, run certmgr.msc (for Current User certificates) or certlm.msc (for Local Machine certificates).
The workstation should now be able to establish a secure connection to the HTTPS-enabled EVO in a web browser or ShareBrowser Desktop Client.
If Nomad is used, some additional configuration is needed:
Nomad HTTPS using Windows 10
If using a self-signed certificate (e.g. evo-web.crt) it will first need to be converted to PEM format. We recommend using OpenSSL. This can be accessed using the Windows Subsystem for Linux, Cygwin, or by downloading an OpenSSL binary (use at your own risk).
- Convert the self-signed certificate to PEM format:
openssl x509 -in evo-web.crt -out evo-web.pem -outform PEM
- Open Explorer and navigate to your home directory:
- Alternatively, hold down the Windows and R keys at the same time
- Enter C:\Users\
- Open the directory that matches your username
- Right click on .sns-nomad-preferences.conf
- Select Open with
- Select Notepad and select OK
- Locate the line that contains https_pem =
- Carefully change this line’s value to the location of your PEM file, then save the file and close Notepad. For example, if your Windows user name is admin, that line might be changed to:
https_pem = C:\Users\admin\Downloads\evo-web.pem
- Open Nomad
- Verify that HTTPS is enabled within Nomad:
- Select Help -> HTTPS
- When enabled, a checkmark appears next to the menu item. If it’s not already checked, click HTTPS to enable it.
- Nomad should now be able to connect to EVO using HTTPS (if enabled on your EVO).
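A cross-platform check for the macOS and Windows Nomad procedures above, as an added example that is not part of the original guide or of EVO/Nomad: it confirms that https_pem points to a PEM file whose SHA-256 fingerprint matches the certificate exported from EVO. It assumes the preferences file uses plain `key = value` lines as shown above and accepts a PEM or DER export; the function names and the placeholder certificate bytes are constructed for illustration.

```python
import hashlib
import re
import ssl
import tempfile
from pathlib import Path

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def load_der(path):
    """Return the certificate as DER bytes, whether the file is PEM or DER."""
    raw = Path(path).read_bytes()
    if raw.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
    return raw

def fingerprint(path):
    """SHA-256 over the DER encoding, the value certificate viewers display."""
    return hashlib.sha256(load_der(path)).hexdigest()

def nomad_pem_path(conf):
    """Return the value of the https_pem line, or None if the line is absent."""
    text = Path(conf).read_text()
    m = re.search(r"^\s*https_pem\s*=[ \t]*(.*?)\s*$", text, re.M)
    return m.group(1) if m else None

def check_nomad(conf, exported_crt):
    """Return a list of problems; an empty list means https_pem is consistent."""
    pem = nomad_pem_path(conf)
    if not pem:
        return ["https_pem is missing or empty"]
    if not Path(pem).is_file():
        return [f"https_pem points to a missing file: {pem}"]
    if not Path(pem).read_bytes().lstrip().startswith(PEM_HEADER):
        return ["https_pem file is not PEM encoded (convert it first)"]
    if fingerprint(pem) != fingerprint(exported_crt):
        return ["https_pem is not the certificate exported from EVO"]
    return []

def demo():
    """Run the check on constructed files; the bytes stand in for a real cert."""
    d = Path(tempfile.mkdtemp())
    der = b"\x30\x82\x01\x00" + bytes(range(256))   # constructed placeholder
    (d / "evo-web.crt").write_bytes(der)             # assumed DER export
    (d / "evo-web.pem").write_text(ssl.DER_cert_to_PEM_cert(der))
    conf = d / ".sns-nomad-preferences.conf"
    conf.write_text(f"https_pem = {d / 'evo-web.pem'}\n")
    ok = check_nomad(conf, d / "evo-web.crt")
    conf.write_text(f"https_pem = {d / 'evo-web.crt'}\n")  # un-converted file
    return ok, check_nomad(conf, d / "evo-web.crt")

if __name__ == "__main__":
    print(demo())
```

On a real workstation, call check_nomad with the path to .sns-nomad-preferences.conf in your home directory and the certificate file downloaded from EVO.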
Note: HTTPS is not currently supported for SDNA workflows.