NetTalk Central

Author Topic: NetTalk API Server - replacing LetsEncrypt certificate with CA certificate  (Read 3019 times)

ProperGary

  • Newbie
  • *
  • Posts: 19
    • View Profile
    • Email
I have my NetTalk API server installed have used the certificates process to successfully obtain the LetsEncrypt certificate.

The client has a wildcard CA certificate for the domain and wants the LetsEncrypt certificate swapped out for the CA verifiable certificate, can anyone advise how this can be done? or point me to instructions? I have looked on the NetTalk documentation but could not locate instructions on how to do this.

Thanks

Gary

Jane

  • Sr. Member
  • ****
  • Posts: 372
  • Expert on nothing with opinions on everything.
    • View Profile
    • Email
It's pretty much the same as using any non-LetsEncrypt certificate.

On the Security tab on the Settings tab of the web server
1. Put something in the "CA Account" entry.  On some servers I literally just have the word "something"
2. In the "Domains" box, put your domain name.  Do not put the star or any prefix.  If your wildcard is for *.propergary.com just put propergary.com

Next question is what format of certificate and private key you have.  You need both.  If the client just gives you the certificate he's purchased it won't have the private key and won't work.  If it's in PFX or PEM format it will contain the private key but you'll need to split it into separate certificate and private key files using OpenSSL.exe
This incantation should work:
Code: [Select]
Openssl pkcs12 ?in MyDomain.pfx ?nocerts ?out MyDomainEncrypted.key
Openssl rsa ?in MyDomainEncrypted.key ?out MyDomain.key
Openssl pkcs12 ?in MyDomain.pfx ?clcerts -nokeys ?out MyDomain.crt

Note that the second step in this process will create an unencrypted private key file.  That was necessary for NetTalk 11 and below and out of habit I still do things that way. NT12 supports a password on the private key but I haven't done it that way yet.

The files you've create from your wildcard certificate need to go in the Certificates folder inside your app's web folder.
They need to be named the same as what you put on the server's configuration page:
propergary.com.crt
propergary.com.key

Read the documentation here:  https://www.capesoft.com/docs/NetTalk12/NetTalkWebSecure.htm
If your app may be accessed by phones or chromeboxes I've found it's important to have the full certificate chain included (see the stuff about intermediate certificates in that link).

HTH

Jane



Bruce

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 11250
    • View Profile
All what Jane says;

Bear in mind that the wildcard certificate will expire, and obviously you become responsible for replacing it when it does.
(Although with Jane's setup as above, it may automatically replace it when it is 30 days to go, but only with an explicit one, not a wildcard.)
You can prevent it being replaced by leaving the CA field blank. That will short-stop the certificate replacement process.

Given the security issues involved with using a wildcard certificate in the first place, I strongly recommend putting a password on the KEY file, and using that password in the program (NT12).

cheers
Bruce



ProperGary

  • Newbie
  • *
  • Posts: 19
    • View Profile
    • Email
Many thanks Jane & Bruce.

IT company have provided the PFK and also the .CRT and .KEY

The Key file is password protected - I just need them to give me the password and I'm good to go :)

Sorry, should have put in Original post - I'm using NetTalk 12.46