Activating SSL/TLS/HTTPS - Renewing certificates - Tutorial

Last Update: 21.05.2024

Prerequisites


  1. A valid local certificate must exist in the menu Certificates → Local certificates.

  2. An HTTPS listener must be active.

Uploading certificate


The certificate can be uploaded via Certificates → Local certificates using the button at the bottom left.

Importing certificate via ZIP file


The easiest way to import a certificate is via a zip file.

The following should be included for a valid certificate chain:


  1. Certificate (.crt or .pem).

  2. CA (.crt or .pem).

  3. Private key (only necessary for own certificates, recognisable by the .key file extension).

  4. Intermediate certificate (.crt or .pem if required).




Note: PKCS8 and PKCS1 certificate containers are supported.

Note: PKCS12/PFX certificate containers are also supported. However, there may be problems with the import (usually in conjunction with Windows tools). In that case, import the PFX file into a tool such as XCA, export the certificates individually, and then proceed as above.

Note: If the zip file is password-protected, please enter the password before uploading the file.
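The following pre-upload check is an added example, not part of the product or of the original tutorial. It inventories a ZIP file against the list above by reading PEM labels only. It assumes PEM-encoded files, and the names inspect_bundle, pem and sample_zip, as well as the sample file names, are hypothetical.

```python
import io
import re
import zipfile

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
KINDS = {
    "CERTIFICATE": "certificate",
    "RSA PRIVATE KEY": "private key (PKCS#1)",
    "PRIVATE KEY": "private key (PKCS#8)",
    "ENCRYPTED PRIVATE KEY": "private key (PKCS#8, encrypted)",
}

def inspect_bundle(zip_bytes):
    """Return (inventory, findings); reads PEM labels only, verifies no signatures."""
    inventory, findings = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith((".pfx", ".p12")):
                inventory[name] = ["PKCS#12 container"]
                findings.append(f"{name}: export certificates and key individually")
            elif info.flag_bits & 0x1:  # this ZIP entry is password-protected
                inventory[name] = ["encrypted ZIP entry"]
                findings.append(f"{name}: ZIP password must be entered before upload")
            else:
                labels = [m.decode() for m in PEM_LABEL.findall(zf.read(info))]
                inventory[name] = [KINDS.get(lab, "other") for lab in labels] or ["no PEM block"]
    kinds = [k for found in inventory.values() for k in found]
    certs = kinds.count("certificate")
    if certs < 2:
        findings.append(f"{certs} certificate block(s): certificate and CA are both expected")
    if not any(k.startswith("private key") for k in kinds):
        findings.append("no private key (necessary for own certificates)")
    return inventory, findings

def pem(label):  # constructed placeholder body, not a real certificate or key
    return f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n"

def sample_zip(files):  # builds an in-memory ZIP from {name: text} for the demo
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in files.items():
            zf.writestr(name, text)
    return buf.getvalue()

if __name__ == "__main__":
    demo = {"server.crt": pem("CERTIFICATE"), "server.key": pem("RSA PRIVATE KEY")}
    print(inspect_bundle(sample_zip(demo)))
```

An empty findings list means the expected pieces are present. It does not show that the chain is valid or that the private key belongs to the certificate.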

Setting alias/note


Once the certificate has been successfully imported, it appears in the certificate overview.

Right-click on the certificate to set an alias/note with the content mycertificate. This is required for the next step.



Activating HTTPS listener


To activate an HTTPS listener (HTTPS endpoint), it is sufficient to activate the corresponding part in hub.xml (see section Adding an HTTPS listener) and then set the parameter serverCertSubjectName to the shorthand ksnote:mycertificate, which refers to the alias/note set in the previous step. Then restart the Integration Server.




Finally, to check whether HTTPS is active, open your GUI in the browser by using https://.

Renewing existing certificates


Existing certificates can be renewed in the same way as described above.

Let's Encrypt


Let's Encrypt automates the replacement of certificates and thus reduces the effort of having to manually replace expired certificates.

Instructions can be found in section Let's Encrypt/ACME/Certbot.