Scenario 2 - Usage of SSL certificate created by an internal corporate or external Trusted Root Authority
When using SSL certificates that are created by an internal corporate Trusted Root Authority, the following prerequisite steps are required:
* The IT organization has already distributed and installed the internal Trusted Root Authority certificate to all PCs in the organization.
* The IT organization has already configured the supported web browsers to recognize the internal Trusted Root Authority certificate as valid.
There are no prerequisite steps when using SSL certificates created by external Trusted Root Authorities (for example, IdenTrust, DigiCert, Sectigo, GoDaddy, etc.), because all web browsers are already configured to recognize these certificate authorities.
In both cases, the following steps are necessary.
1. Obtain an SSL certificate for the CONNX REST Server from the chosen Trusted Root Authority.
We recommend that the SSL certificate include subject alternative names such as:
* Localhost
* <servername>
* <servername>.<fully qualified domain name>
2. Install the SSL Certificate on the CONNX REST Server.
a. Run certlm.msc as administrator.
b. Expand Personal in the left pane, right-click Certificates, and select All Tasks -> Import.
c. Follow the steps in the Certificate Import Wizard to complete the certificate installation.
3. Bind the personal certificate to port 9500.
a. Double-click the installed personal certificate and select Details. Scroll to the bottom of the details list, where you will see a field named Thumbprint. Select Thumbprint and the thumbprint value is shown in full in the text window.
Note: Depending on the version of Windows, there may be spaces between each byte of the thumbprint. Copy and paste the thumbprint into a text editor. If there are spaces in the thumbprint, remove them in the editor.
b. Prior to attempting to bind the certificate to port 9500, check to make sure there isn’t a certificate already bound to that port. If the CONNX installation program was run prior to following these instructions, a self-signed certificate is created and automatically bound to port 9500. To check for previous bindings, start a Windows DOS command prompt as Administrator and run the following command:
netsh http show sslcert ipport=0.0.0.0:9500
If this command shows a binding that has a Certificate Hash (thumbprint) other than the one you intend to use, the binding needs to be deleted. This will be the case if the CONNX installer already created and bound a self-signed certificate. To delete the binding, run the following command from the same Windows DOS command prompt:
netsh http delete sslcert ipport=0.0.0.0:9500
c. Start a Windows DOS command prompt as Administrator (or, if step 3.b was needed, use the command prompt already open) and run the following command to bind the certificate to port 9500:
netsh http add sslcert ipport=0.0.0.0:9500 certhash=THUMBPRINT_FROM_PREVIOUS_STEP appid={87c9b46f-ae61-4a10-be41-52c7b89956fa}
Note: If you need to replace the certificate, you will first need to unbind this one. To do this, issue the netsh http delete command from step 3.b above.
You should now be able to connect to the CONNX REST Server with your browser without receiving any warnings. As stated earlier, if the Trusted Root Certificate is self-signed, the Firefox browser will still issue a warning.
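Steps 3.a through 3.c can be scripted so that the thumbprint is cleaned up and checked before anything is bound. The PowerShell below is an added example, not part of the CONNX documentation; the parameter names and checks are assumptions, and it assumes an elevated session and English-language netsh output (the "Certificate Hash" label).

```powershell
# Added example: validate the certificate, then bind it to port 9500 (steps 3.a-3.c).
param(
    [Parameter(Mandatory)] [string] $Thumbprint,                 # pasted from the Details tab
    [string] $IpPort = '0.0.0.0:9500',
    [string] $AppId  = '{87c9b46f-ae61-4a10-be41-52c7b89956fa}'  # appid from step 3.c
)

# Remove spaces and any invisible characters copied along with the thumbprint.
$thumb = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    throw "Expected 40 hex characters (SHA-1 thumbprint), got $($thumb.Length)."
}

# The certificate must be in Local Computer\Personal (step 2) with its private key.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw 'Certificate was imported without its private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Print the subject alternative names (OID 2.5.29.17) for comparison with step 1.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { $san.Format($true) } else { Write-Warning 'No subject alternative names found.' }

# Step 3.b: look for an existing binding, for example the installer's self-signed one.
$current = netsh http show sslcert ipport=$IpPort | Out-String
if ($current -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
    $bound = $Matches[1].ToUpperInvariant()
    if ($bound -eq $thumb) {
        Write-Output "Port already bound to $thumb; nothing to do."
        return
    }
    Write-Output "Removing existing binding for $bound"
    netsh http delete sslcert ipport=$IpPort
    if ($LASTEXITCODE -ne 0) { throw 'netsh http delete sslcert failed.' }
}

# Step 3.c: the appid is quoted because PowerShell would parse bare braces as a script block.
netsh http add sslcert ipport=$IpPort certhash=$thumb "appid=$AppId"
if ($LASTEXITCODE -ne 0) { throw 'netsh http add sslcert failed.' }

# Show the resulting binding so the Certificate Hash can be confirmed.
netsh http show sslcert ipport=$IpPort
```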