Using TLS


Transport Layer Security (TLS) authenticates your site to users and encrypts their communication with your site. Using TLS is strongly recommended because:

1. Modern web browsers are making it increasingly difficult to connect to insecure web sites;

2. Even if the data is not confidential, without a TLS certificate user names and passwords will be passed unencrypted to ResSched.

 

Ports and TLS certificates are managed in the Connections tab of the ResSched server application. The Domains list can include fully qualified domains (e.g., yourorganization.com or yourdepartment.yourorganization.com), and local DNS names for the machine acting as the ResSched server.

 

Before you can use TLS you must have valid TLS certificate (.crt) and key (.key) files for your domain(s). If you already have these files, copy them into the certificates folder (just below the main ResSched folder). Run ResSched.exe and in the Secured Port field of the Connections tab enter 443 (see note 1). Confirm the Certificates Folder entry is correct, enter the domain(s) covered by the certificates in the Domains box, click Save Changes, and restart ResSched.

 

TLS replaces SSL (Secure Sockets Layer), which is now considered obsolete.

 

Use

 

Users connect to your secured server by using https: instead of http: in the URL.

 

 

Note 1: You can use a different port if necessary (usually 8443), but if you do, your users must include the port number in the URL, e.g., https://www.yoursite.com:8443

 

 

Acquiring Certificates

 

You can acquire valid certificates for your existing domains in two ways:

1. If you only need to encrypt communications and authenticate an existing domain, use Let's Encrypt. ResSched incorporates Let's Encrypt functionality to automatically generate and update TLS certificates for your domain on the server ResSched is running on.

2. Purchase from a trusted Certificate Authority such as Verisign, Thawte, or Sectigo. There are many CAs to choose from. Some large organizations have contracts to acquire all their domain certificates from one CA. To help with that process, ResSched can generate Certificate Signing Requests (CSR) for all the domains

 

 

To use Let's Encrypt:

 

On the Connections tab of the ResSched application:

 

1. Set the Unsecured port to 80 and the Secured port to 0, and confirm that your chosen domain allows you to connect to ResSched from the Internet without TLS. There are several free online services that will test that your domain reaches ResSched (search "Is my web site down").

2. Enter the name of your organization in the CA Account field and the domain name(s) in the Domains box, one per line. Click the Get Certificates button and wait.

3. Over the next few seconds the Certificate Activity box should show Let's Encrypt contacting the server and processing your certificate request. Your certificates are delivered to your Certificates folder. Let's Encrypt will only provide certificates for fully qualified domains. Any local DNS names in the domain list will be self signed.

4. After you see the certificate files created, enter your preferred secure port (default 443), save your changes and restart ResSched.

 

If another application is already using port 80, you must specify a folder that can be accessed by that application in the Acme Web Folder field.

 

Before generating a real certificate from Let's Encrypt, you should turn on Testing and do a test run. Turning Testing on will let you try out your settings without being suspended by Let's Encrypt for too many failed attempts. The certificates generated with Testing on are real but not trusted; they generate the same warnings as self signed certificates. Once you have confirmed Let's Encrypt is generating test certificates for your domains, uncheck the Testing box, remove the test .crt and .key files from the certificates folder, and click Get Certificates.

 

 

Self Signed Certificates

 

ResSched can also generate self signed certificates suitable for testing and internal use. Enter your organization name in CA Accounts and enter the machine name of your server or domain you wish to use in the Domains list. Click the Get Certificates button. The Certificates Activity box should show the certificates being generated. While self signed certificates will encrypt communication between server and browser, they are not trusted by browsers. Your users will get a very visible warning that the site is not secure because the certificate cannot be confirmed as valid. Your users must confirm they want to connect anyway.

 

Automatic Updating of Certificates

 

Whether using Let's Encrypt or self signed certificates, ResSched checks every day to see if the certificates are expiring in the next 60 days. If they are, ResSched will get or generate new ones good for the next 90 days. You can initiate the process manually by clicking the Get Certificates button.

Let's Encrypt needs to use port 80 to create and renew certificates. To automatically update a Let's Encrypt certificate, leave 80 in the Unsecured port field. When a secure port is entered, ResSched will block any attempts to use port 80 for anything except Let's Encrypt traffic.
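
A client-side check of the renewal behaviour described above, as an added example that is not part of ResSched or its documentation: it connects the way a browser does, so self signed and Testing certificates are reported as untrusted, and it flags a trusted certificate with fewer than 60 days left, which would mean the daily renewal has not succeeded. The host name in the sample data is a constructed placeholder; only the Python standard library is used.

```python
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 60  # per the page: renewal starts inside the last 60 days


def renewal_status(cert, now=None):
    """Classify a certificate dict in ssl.SSLSocket.getpeercert() format."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    if days_left < 0:
        state = "expired"
    elif days_left < RENEW_WINDOW_DAYS:
        state = "renewal-due"   # automatic renewal should already have run
    else:
        state = "ok"
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return {"state": state, "days_left": days_left, "names": names}


def check_server(host, port=443, timeout=10):
    """Connect as a browser would: chain and host name are both verified."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return renewal_status(tls.getpeercert())
    except ssl.SSLCertVerificationError as err:
        # Self signed and Testing-mode certificates end up here.
        return {"state": "untrusted", "reason": err.verify_message}


# Constructed sample in getpeercert() format, not taken from a real server.
SAMPLE_CERT = {
    "notAfter": "Jun  1 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yourdepartment.yourorganization.com"),),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:   # usage: script.py HOST [PORT]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print(check_server(sys.argv[1], port))
    else:                   # offline demo on the constructed sample
        demo_now = ssl.cert_time_to_seconds("Apr 10 12:00:00 2025 GMT")
        print(renewal_status(SAMPLE_CERT, now=demo_now))
```

Pass the port as the second argument when the Secured Port is not 443, for example 8443.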