Overview
When accessing a secure webpage (HTTPS), an encryption certificate is required. This certificate is used to establish and keep a secure connection between the server and the web browser. These certificates are issued by trusted Certificate Authorities (see Providers) that reside online. Your web browser knows about these authorities and will trust the certificates that they issue.
If you connect using information that doesn’t match the certificate, the web browser by default will not trust the server fully. This is why it shows the red warning or certificate warning.
If you continue with the connection, the traffic between the web browser and the server will still be encrypted; it will just be done with a certificate that is not trusted. This should have no effect on internal servers and servers you trust, but should probably not be used if you do not trust the server. For example, your banking site should never show this error:
The error (ERR_CERT_AUTHORITY_INVALID) states that the Certificate Authority is invalid. If you click on the “Not Secure” message in the address bar of your web browser, you can view the certificate information:
The certificate information will contain the address the certificate has been issued for, the date range it is valid for, and the Certificate Authority.
If you try to access the server when the certificate's date range is no longer valid, or if you are not using the correct address, the certificate error will also show.
Datatex Setup
The initial rollout of Datatex servers uses a self-signed certificate. This literally means that the server created the certificate itself. This will cause the above type of errors when you try to access the server, since the web browser doesn’t know the server.
Old servers were issued with certificates that would have expired on 2020-01-01, since they were hard-coded with that date. We have updated the certificate creation script to now create a new certificate starting on the current day and ending 10 years from that date.
The internal IP of the server will be used as the server address.
Customer certificates
Datatex can load customer-specific certificates that are provided by the client. Both the KEY and Certificate files are needed in order to load these certificates on the server. If the file format is PFX, please ensure that the key is included.
If a passphrase was set, it will also be required.
The Certificate should be issued to a Fully Qualified Domain Name (FQDN) that will resolve to the server’s IP address. The Domain Name Server must be configured to resolve the host name with the correct IP for the server.
A wildcard certificate can also be used (*.datatex.co.za, for instance). These are used to reduce the number of certificates that have to be issued and renewed.
Example information for configuring a site:
My server’s IP internally on the LAN: 192.168.1.3
From the internet the IP is: 1.2.3.4
The FQDN used to access the server is: myservices.datatex.co.za.
If the FQDN is pinged internally on the local network, the address resolves to 192.168.1.3, and if pinged from the internet, the IP is 1.2.3.4.
If you use these IPs in your web browser, you will get to the server and get one of the certificate errors.
If you use the FQDN, myservices.datatex.co.za, then the certificate will match the address in the browser and the browser will trust the certificate.
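Added example (not part of the original Datatex documentation): a small Python model of the three checks described above (issuer, date range, address), run against the addresses from the example site. The certificate dictionaries, the issuer name "Example Public CA" and all dates other than 2020-01-01 are constructed, and the issuer lookup is a simplified stand-in for real chain validation.

```python
import ipaddress
from datetime import datetime, timezone

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(address, pattern):
    """DNS comparison; a leading '*' covers exactly one label (the leftmost)."""
    host = address.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def certificate_problems(address, cert, now, trusted_issuers):
    """Reasons a browser would warn for this address (empty list = trusted)."""
    problems = []
    if cert["issuer"] not in trusted_issuers:  # simplified stand-in for chain validation
        problems.append("untrusted issuer")
    if not (cert["not_before"] <= now <= cert["not_after"]):
        problems.append("outside validity dates")
    if is_ip(address):
        # IP addresses must match an IP entry exactly; wildcards never apply.
        ok = address in cert["ips"]
    else:
        ok = any(name_matches(address, n) for n in cert["dns_names"])
    if not ok:
        problems.append("address does not match certificate")
    return problems

# Constructed sample data using the addresses from the example above.
UTC = timezone.utc
SELF_SIGNED = {"issuer": "self", "dns_names": [], "ips": ["192.168.1.3"],
               "not_before": datetime(2010, 1, 1, tzinfo=UTC),
               "not_after": datetime(2020, 1, 1, tzinfo=UTC)}
WILDCARD = {"issuer": "Example Public CA", "dns_names": ["*.datatex.co.za"], "ips": [],
            "not_before": datetime(2024, 1, 1, tzinfo=UTC),
            "not_after": datetime(2025, 1, 1, tzinfo=UTC)}
TRUSTED = {"Example Public CA"}
NOW = datetime(2024, 6, 1, tzinfo=UTC)

for addr in ("myservices.datatex.co.za", "192.168.1.3", "1.2.3.4", "a.b.datatex.co.za"):
    print(addr, certificate_problems(addr, WILDCARD, NOW, TRUSTED))
print("self-signed", certificate_problems("192.168.1.3", SELF_SIGNED, NOW, TRUSTED))
```

Only the FQDN passes against the wildcard certificate; both IP addresses and the two-level name a.b.datatex.co.za are reported as address mismatches, and the old self-signed certificate fails on issuer and dates even when reached by its own IP.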