Creating and Installing SSL Certificates

When using optiSLang Web Service with Transport Layer Security (TLS), you must create SSL certificates and add them to the configuration file.

Modern browsers accept only certificates issued by a trusted authority. There are two possible ways to achieve this:

  1. Have a trusted authority (for example, Let's Encrypt) issue a trusted certificate.

  2. Become a trusted authority by:

    • creating a self-signed certificate

    • creating certificate authority files

    • registering the certificate authority in client browsers or operating systems (root certificate)

When using optiSLang Web Service from an external origin (for example, embedded in another environment like Ansys Minerva), TLS is necessary because modern browsers do not accept unsecured communication. You must also enable cross-origin resource sharing (see the cross origin resource sharing section of the table in Editing the Configuration File's Default Settings).

Create the SSL Certificate and Authority Certificate

Use openssl to:

  1. Become your own Certificate Authority

  2. Sign your SSL certificate as a Certificate Authority

######################
# Become a Certificate Authority
######################

# Generate private key
openssl genrsa -des3 -out myCA.key 2048
# Generate root certificate
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem

######################
# Create CA-signed certs
######################

NAME=ows_machine # Use your own domain name
# Generate a private key
openssl genrsa -out $NAME.key 2048
# Create a certificate-signing request
openssl req -new -key $NAME.key -out $NAME.csr
# Create a config file for the extensions
>$NAME.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NAME # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = bar.$NAME # Optionally, add additional domains (I've added a subdomain here)
IP.1 = 192.168.0.13 # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
# Create the signed certificate
openssl x509 -req -in $NAME.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial \
-out $NAME.crt -days 825 -sha256 -extfile $NAME.ext

Set NAME (ows_machine in the example above) to the DNS machine name of the server. The [alt_names] section can contain alternative domain names or IP addresses.
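
Before importing the CA into browsers and referencing the files in the configuration, the generated files can be checked. The script below is an added example, not part of the original documentation: it verifies that the server certificate chains to the CA, that the host name is listed in subjectAltName, and that the key matches the certificate. The function names check_tls_pair and make_demo_pki are hypothetical, the demo CA and server pair are constructed throwaway data, and the openssl command-line tool is assumed to be on PATH.

```sh
#!/bin/sh
# Added example; assumes the openssl CLI is on PATH. Function names are hypothetical.

# check_tls_pair CA_PEM CERT KEY HOST: returns 0 only if all three checks pass.
check_tls_pair() {
    ca=$1 crt=$2 key=$3 host=$4

    # 1. The server certificate must chain to the CA that clients import.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt is not signed by $ca" >&2; return 1; }

    # 2. HOST must be listed in subjectAltName (modern browsers match on
    #    SAN entries, not on the Common Name).
    openssl x509 -in "$crt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$host" ||
        { echo "FAIL: $host missing from subjectAltName" >&2; return 2; }

    # 3. The private key must belong to the certificate (same public key).
    [ "$(openssl x509 -in "$crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ] ||
        { echo "FAIL: $key does not match $crt" >&2; return 3; }

    echo "OK: $crt is valid for $host"
}

# make_demo_pki DIR NAME: constructed throwaway CA and server pair (demo data,
# unencrypted keys, 1-day validity) so the checks can run non-interactively.
make_demo_pki() {
    dir=$1 name=$2
    openssl req -x509 -new -nodes -newkey rsa:2048 -keyout "$dir/myCA.key" \
        -sha256 -days 1 -subj "/CN=Demo CA" -out "$dir/myCA.pem" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -keyout "$dir/$name.key" \
        -subj "/CN=$name" -out "$dir/$name.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$name" \
        > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/myCA.pem" \
        -CAkey "$dir/myCA.key" -CAcreateserial -out "$dir/$name.crt" \
        -days 1 -sha256 -extfile "$dir/$name.ext" 2>/dev/null
}

# Demo run on constructed files in a temporary directory.
tmp=$(mktemp -d)
make_demo_pki "$tmp" ows_machine
check_tls_pair "$tmp/myCA.pem" "$tmp/ows_machine.crt" \
    "$tmp/ows_machine.key" ows_machine
rm -rf "$tmp"
```

To check the real files, call check_tls_pair with myCA.pem, $NAME.crt, $NAME.key and the server's DNS name. A non-zero return code identifies which of the three checks failed.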

Import the CA Certificate in Client Browsers

Import myCA.pem as an authority in the client browser settings. For example, in Chrome go to Settings > Manage certificates > Authorities > Import.

Add SSL Certificate to optiSLang Web Service Configuration

Add the paths to the SSL key and certificate files to the config.ini configuration file.

[listener]
# SSL key file for optional SSL encryption (https://)
sslKeyFile=[Installation Path]/web_service/ssl/ows_machine.key
# SSL certificate file for optional SSL encryption (https://)
sslCertFile=[Installation Path]/web_service/ssl/ows_machine.crt

Replace [Installation Path] with the full path.