In LiquidOffice, by default, any usernames, passwords and form data transmitted between a client and server are sent in clear text over normal HTTP traffic. This means a third party can intercept and read the data. Although this isn’t usually a problem inside an organisation’s own network, if remote or Internet access is required, the connection should be secured.
During the installation of LiquidOffice, there is an option to enable SSL which, if configured correctly, can encrypt all traffic with the same level of security as on-line banking or any other secure web service.
By default though, LiquidOffice uses a self-signed certificate. With a self-signed certificate the end user’s web browser has no way to confirm that the server belongs to who it claims to, so it displays a warning to the user. They can ignore the warning and continue with an encrypted connection, but they can’t be sure whose server they are communicating with. It could be a fake server pretending to be yours, for example!
For testing, internal use or if you have a guaranteed way of distributing the public key to your end users, this configuration is acceptable. However, if users outside of your control will be accessing the LiquidOffice system over the Internet, a Certificate Authority (CA) signed certificate is required.
The CA verifies your identity and then generates a certificate for your server. Although there is a cost for this, companies like GoDaddy provide these for as little as £20 per year. Many other providers such as VeriSign, Thawte and Comodo can also be used.
Whether you need to replace your self-signed certificate or install a CA-provided certificate, these instructions will take you through the process.
We have assumed the default installation paths; if yours are different you may need to modify them. Replace the following variables as follows:
{FQDN} – Fully Qualified Domain Name of server, e.g. lo.epc.co.uk or *.epc.co.uk if you need access from more than one name
{OU} – Department responsible for the LiquidOffice server, e.g. ICT
{O} – Company name, e.g. ePartner Consulting Ltd
{L} – Location, e.g. Lightwater
{S} – County, e.g. Surrey
{PASS} – A strong password, e.g. a2sXk4lJvb
From a Command Prompt, type the following, pressing Return at the end of each line:
Path %path%;"C:\Program Files\Cardiff\LiquidOffice\xmlserver\jdk\jre\bin" [RETURN]
CD \ [RETURN]
CD "C:\Program files\Cardiff\LiquidOffice\xmlserver\xmlbase\conf" [RETURN]
Ren losKeystore losKeystore.bak [RETURN]
keytool -genkey -keyalg RSA -keysize 2048 -dname "cn={FQDN}, ou={OU}, o={O}, l={L}, s={S}, c=GB" -alias LO -keystore losKeystore -storepass {PASS} -keypass {PASS} [RETURN]
(Type the above as a single line. The -keyalg RSA -keysize 2048 options ensure an RSA key is generated; without them, older versions of keytool default to a DSA key, which many Certificate Authorities will not sign.)
keytool -certreq -keystore losKeystore -storepass {PASS} -alias LO -file request.pem [RETURN]
This creates a CSR file, REQUEST.PEM, which is used to obtain the certificate. Below are two alternatives: using the free OpenSSL utility to act as your own Certificate Authority and issue a self-signed (private CA) certificate, or, for general Internet and public access, requesting a certificate from a commercial CA.
Download and compile OpenSSL or, for simplicity, use the Shining Light Productions build, which includes a simple Windows installer. Either way, it is best to install OpenSSL on a different PC from your live LiquidOffice server; the CA.PEM file created below is the CA’s private key and should not be kept on the server.
Open a Command Prompt on the OpenSSL PC and navigate to the OpenSSL\Bin directory. Then type the following, pressing Return after each line:
openssl req -new -x509 -extensions v3_ca -keyout ca.pem -out ca.crt -days 365 -config openssl.cfg [RETURN]
openssl x509 -in request.pem -out reply.pem -CA ca.crt -CAkey ca.pem -days 365 -req -set_serial 1 [RETURN]
Go to the Certificate Authority web site of your choice and purchase either a single-server or wildcard SSL certificate. During the process it will ask you to upload the CSR; this means the REQUEST.PEM file (sometimes done by copying and pasting the contents of the file from Notepad into a field on the CA web site). Once the process is complete it will issue you with a certificate file. In this case we are assuming it will be called REPLY.PEM, but it may have another name or extension, so adjust the following lines as needed.
You will also need a copy of the CA’s own public certificate, which should be downloadable from their site. In this case we will assume it is called CA.CRT, but it may have another name or extension, so adjust the following lines as needed.
Whichever method you use, you then need to copy the CA.CRT and REPLY.PEM files into the CONF folder on your LiquidOffice server and enter the following lines, pressing Return after each:
keytool -import -keystore losKeystore -storepass {PASS} -alias ca -file ca.crt -trustcacerts [RETURN]
keytool -import -keystore losKeystore -storepass {PASS} -alias LO -file reply.pem [RETURN]
When importing the CA certificate, keytool will ask “Trust this certificate?”; answer yes. The second command replaces the self-signed certificate under alias LO with the CA-signed reply, so it must be run against the same losKeystore that produced the CSR.
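As an added example (not part of this guide and not LiquidOffice or Cardiff code), the POSIX shell script below dry-runs the two OpenSSL commands from the private-CA route and then performs the checks worth making before the keytool -import step: that REPLY.PEM chains to CA.CRT, that its public key is the one from the CSR, and that its subject CN is the {FQDN} users will browse to. It assumes openssl is on the PATH (Linux, macOS or Git Bash on Windows), substitutes an openssl-generated key and CSR for the keytool-generated ones so it runs without Java, uses unencrypted (-nodes) CA keys so the dry run is unattended, and every name in it (lo.example.test, Example Ltd, the directory under /tmp) is a constructed sample value.

```shell
#!/bin/sh
# Added example, not from the ePartner Consulting guide or from LiquidOffice.
# Dry run of the guide's OpenSSL signing steps plus the checks worth making
# before "keytool -import". Assumes openssl on PATH; every name below is a
# constructed sample value.
set -eu

FQDN="lo.example.test"                 # stands in for {FQDN}
WORK="${TMPDIR:-/tmp}/lo-ssl-demo.$$"  # throwaway directory, removed by cleanup

# Stand-in for the keytool -genkey / -certreq steps: a 2048-bit RSA key and a
# CSR. In the real procedure the key is created inside losKeystore instead.
make_csr() {
  mkdir -p "$WORK"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$FQDN/OU=ICT/O=Example Ltd/L=Lightwater/ST=Surrey/C=GB" \
    -keyout "$WORK/server.key" -out "$WORK/request.pem" 2>/dev/null
}

# The guide's first OpenSSL command: a private CA key ($1.pem) and certificate
# ($1.crt). -nodes skips the passphrase prompt so the dry run is unattended.
make_ca() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca -days 365 \
    -subj "/CN=$1/O=Example Ltd/C=GB" \
    -keyout "$WORK/$1.pem" -out "$WORK/$1.crt" 2>/dev/null
}

# The guide's second OpenSSL command: sign request.pem with CA $1, writing $2.
sign_csr() {
  openssl x509 -req -in "$WORK/request.pem" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.pem" \
    -set_serial 1 -days 365 -out "$WORK/$2" 2>/dev/null
}

# Pre-import checks on reply $1 against CA certificate $2. Returns 0 if all
# pass, 1 if the reply does not chain to the CA, 2 if its public key is not the
# one from the CSR, 3 if its subject CN is not the FQDN users will browse to.
verify_reply() {
  openssl verify -CAfile "$WORK/$2" "$WORK/$1" 2>/dev/null | grep -q ': OK$' || return 1
  csr_key=$(openssl req -in "$WORK/request.pem" -pubkey -noout)
  crt_key=$(openssl x509 -in "$WORK/$1" -pubkey -noout)
  [ "$csr_key" = "$crt_key" ] || return 2
  openssl x509 -in "$WORK/$1" -noout -subject | grep -q "CN *= *$FQDN" || return 3
  return 0
}

# Whole dry run: the genuine reply passes, while a reply for the same CSR issued
# by an unrelated CA fails check 1, the case the browser warning guards against.
demo() {
  make_csr
  make_ca ca
  sign_csr ca reply.pem
  make_ca otherca
  sign_csr otherca rogue.pem
  good=0;  verify_reply reply.pem ca.crt || good=$?
  rogue=0; verify_reply rogue.pem ca.crt || rogue=$?
  echo "genuine reply: $good  reply from an unrelated CA: $rogue"
}

cleanup() { rm -rf "$WORK"; }

if [ "${1:-}" = "run" ]; then demo; cleanup; fi
```

Run it as `sh lo-ssl-check.sh run` to see both results; to check a real REPLY.PEM and CA.CRT, source the file, point WORK at the folder holding request.pem, reply.pem and ca.crt, and call `verify_reply reply.pem ca.crt` before running the keytool -import commands. Exit codes 1 and 2 mean the file the CA returned does not belong with the CA certificate or the CSR you are about to import, and code 3 means users browsing to {FQDN} would still get a browser warning.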
Restart the LiquidOffice service. The login page should now be available in a web browser at both HTTP://{FQDN} and HTTPS://{FQDN}.
If users continue to use the HTTP link, their data will not be secure, so we recommend blocking port 80 (HTTP) to your LiquidOffice server at your firewall and allowing only port 443 (HTTPS).
Note to editors: Please feel free to reproduce any of these documents in whole or part but we do request that you credit ePartner Consulting Ltd and put a link back to www.epc.co.uk on any web site that they are used on.