Using TLS and HTTPS with the SIMCA^®-online Web Server (Q887)

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are cryptographic protocols that provide the communications security when you use HTTPS in a web browser to connect to a web server.

The SIMCA^®-online Web Server supports TLS so that users of the Web API can connect to it securely.

More Information

The version of TLS that is used depends on Windows of the server computer. On a reasonably modern PC, TLS 1.3 is used, but 1.2 also works. The version used can be verified in the browser developer tools, on the Security tab.

To enable TLS on the SIMCA^®-online server, three major steps are needed:

1. An SSL/TLS certificate must be obtained and installed on the server computer.
2. The SIMCA^®-online server needs to be changed to use Transport Layer Security – HTTPS - in the SIMCA^®-online Server Options utility on the Miscellaneous tab under the category Web server settings.
3. Browsers connect using https://server instead of http.

Steps two and three are easy, but step one requires some instructions unless you are very experienced in how TLS certificates are installed in Windows.

Obtain and install a SSL/TLS certificate on the server computer

Since the SIMCA^®-online server likely is inside your corporate network, you can consider if you can obtain a TLS certificate from an internal Certificate Authority. Ask your IT people.

Here are the four steps (labelled A to D) to obtain and install a TLS certificate on the server computer:

A. Create a Certificate Signing Request (CSR)

Go to https://www.digicert.com/csr-creation.htm and click the link Generate a CSR with the DigiCert Certificate Utility. Follow the instructions on screen. (We'll refer to DigiCert's well-written instructions a lot below).

You could also use the Internet Information Services (IIS) Manager. This is a Windows feature that is used to manage web sites (if you don't find it on Start on your server, search for Turn features on or off and turn it on there). The previous link has detailed for instructions for this as well.

Important: The common name in the CSR must match the name of the server computer as seen from the web browsers (servername.yourinternalnetwork.com for example).

B. Contact a Certificate Authority to get the certificate

You then contact a Certificate Authority (CA) and ask it to issue a certificate for your certificate signing request. The certificate authority can be an internal service inside your corporate network, or an external provider on the internet. How you do this depends on the CA you selected. Look at their website. One such Certificate Authority is DigiCert who's instructions we linked to above.

C. Install the certificate on the SIMCA^®-online server computer.

Once you have obtained the certificate from the Certificate Authority, you must install it. Read detailed instructions for IIS Manager on the page https://www.digicert.com/csr-creation.htm. You could also try the DigiCert Certificate Utility to install the certificate (at least if you purchased it from DigiCert).

Important: Make sure you install the private key associated with the certificate by importing a PFX-file (a file with CER-extension does not include the private key).

D. Bind the certificate to the Web Server port number of the SIMCA^®-online

Finally, you must bind the certificate to the Web Server port number of the SIMCA^®-online Web Server so that it can use it.This is described in the article How to: Configure a Port with an SSL Certificate under the heading To bind an SSL certificate to a port number.