Setting up an SSL hub
About certificates
Before you can set up an SSL protected hub, you must create an SSL certificate for the hub. The certificate is issued for one host name (host.domain.tld), for example "secure.extatic.org", and cannot be used on any other host. It is also possible to obtain a wildcard certificate, like "*.extatic.org", which can be used on any server in the ".extatic.org" domain.
A certificate must either be signed by a Certificate Authority (CA) or be self-signed (unknown CA).
Using a CA signed certificate allows existing ADC clients to verify the identity of your hub directly, i.e. that it truly is the server "secure.extatic.org".
NOTE: You need to be the owner of the domain in order to obtain SSL certificates for it. You cannot get a CA signed certificate for a dyndns.org address.
The other alternative is to self-sign the certificate, which means the client receives a certificate signed by an unknown source and therefore has to ask the user whether this server is trustworthy (typically via a dialog box or similar). This leaves room for man-in-the-middle attacks, where someone impersonates your hub or acts as a proxy that can read all traffic between you and the real hub. This can to some degree be mitigated with certificate pinning (as used in SSH): the first time the client connects it shows the dialog box and asks whether to continue, but on subsequent connections it only verifies that the certificate is the same as the first time; if it isn't, the client simply refuses to connect to the hub.
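The trust-on-first-use check described above, as an added example that is not part of the uhub documentation: the first connection records the certificate's SHA-256 fingerprint, every later connection is accepted only if the fingerprint is identical. Two throwaway self-signed certificates are generated as constructed input, one standing in for the real hub and one for an impostor that carries the same Common Name (so a name check alone would not tell them apart); the file names and the `check_pin` helper are this example's own.

```shell
#!/bin/sh
# Added example, not uhub code: SSH-style certificate pinning with the
# openssl command line. Certificates below are constructed test data.
set -eu

WORK=$(mktemp -d)
PIN_FILE="$WORK/pinned_fingerprint"

# make_cert NAME CN: create a throwaway key and self-signed certificate.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# fingerprint CERT: print the SHA-256 fingerprint of a certificate file.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_pin CERT: exit status 0 if the certificate is accepted.
# First call: nothing is pinned yet, so store the fingerprint (the user
# pressing "continue" in the dialog box). Later calls: accept only an
# identical fingerprint, otherwise refuse the connection.
check_pin() {
    fp=$(fingerprint "$1")
    if [ ! -f "$PIN_FILE" ]; then
        printf '%s\n' "$fp" > "$PIN_FILE"
        echo "first connection: pinned $fp"
        return 0
    fi
    if [ "$fp" = "$(cat "$PIN_FILE")" ]; then
        echo "fingerprint matches pin"
        return 0
    fi
    echo "MISMATCH: certificate differs from the pinned one, refusing to connect" >&2
    return 1
}

make_cert hub secure.extatic.org
make_cert impostor secure.extatic.org   # same CN, different key pair

check_pin "$WORK/hub.crt"               # first connection: pins
check_pin "$WORK/hub.crt"               # second connection: accepted
if check_pin "$WORK/impostor.crt"; then
    echo "BUG: impostor accepted"; exit 1
fi
echo "impostor rejected as expected"
```

The pin file plays the role of the client's stored fingerprint; a real client keeps one entry per hub address. Note that a legitimate certificate renewal on the hub also trips the check, so operators should announce the new fingerprint out of band when they replace the certificate.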
Creating a certificate with a CA
Create a 1024-bit RSA private key using the following command:
openssl genrsa -out domainname.key 1024
Then create a Certificate Signing Request (CSR):
openssl req -new -key domainname.key -out domainname.csr
See the "Certificate data" section below for answering the certificate questions.
After this is done, send domainname.csr to your CA for signing; when the signing is done you receive the certificate from the CA. Save the certificate as domainname.crt.
Creating a self-signed certificate
Create a 1024-bit RSA private key using the following command:
openssl genrsa -out domainname.key 1024
Then create the certificate (valid for 1 year):
openssl req -new -x509 -nodes -sha1 -days 365 -key domainname.key > domainname.crt
At this point you will be prompted with a few questions; see the "Certificate data" section below.
Certificate data
When creating a certificate you are asked a series of questions; answer them as follows:
- Two letter country code. Example: DE.
- State or Province Name. Example: Bavaria.
- Locality Name. Example: Munich.
- Organization Name. The name of your organization or company (use your own name if this certificate is not for any organization).
- Organizational Unit Name. The name of your department within your organization, like sysadmin, etc. (can be left blank)
- Common Name. The hostname of your server. Example: secure.extatic.org.
- Your e-mail address.
Setting up uhub
Set the following configuration values:
tls_private_key="/path/to/domainname.key"
tls_certificate="/path/to/domainname.crt"
tls_enable=yes
tls_require=yes
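The self-signed procedure above run end to end, as an added example that is not part of the uhub documentation: the "Certificate data" answers are passed with `-subj` instead of typed at the prompts, the resulting key and certificate are checked against each other and against the intended hostname, and the four uhub settings are written out with the real paths filled in. The subject values (DE, Bavaria, Munich, "Example Hub", the e-mail address) are constructed samples, the output directory is a temporary one, and the helper names are this example's own. The key size and signature digest are 2048-bit RSA and SHA-256 rather than the 1024-bit/SHA-1 of the commands above, since current TLS clients reject both of the older values.

```shell
#!/bin/sh
# Added example, not uhub code: non-interactive self-signed certificate,
# sanity checks, and the matching uhub configuration lines.
set -eu

OUT=$(mktemp -d)                      # stand-in for /path/to in the settings above
HUB_CN=secure.extatic.org             # must equal the hostname clients connect to

# Same fields as the questions in "Certificate data", in the same order.
# Values are constructed samples.
SUBJ="/C=DE/ST=Bavaria/L=Munich/O=Example Hub/OU=sysadmin/CN=$HUB_CN/emailAddress=admin@extatic.org"

# make_self_signed: key plus one-year self-signed certificate, no prompts.
make_self_signed() {
    openssl genrsa -out "$OUT/domainname.key" 2048 2>/dev/null
    openssl req -new -x509 -nodes -sha256 -days 365 \
        -key "$OUT/domainname.key" -subj "$SUBJ" -out "$OUT/domainname.crt" 2>/dev/null
    chmod 600 "$OUT/domainname.key"   # private key readable by the hub user only
}

# key_matches_cert: the public key inside the certificate must be the one
# derived from the private key, otherwise the hub cannot complete a handshake.
key_matches_cert() {
    k=$(openssl pkey -in "$OUT/domainname.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$OUT/domainname.crt" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_cn: print the Common Name so it can be compared with the hub hostname.
cert_cn() {
    openssl x509 -in "$OUT/domainname.crt" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# write_uhub_config: the four settings from the section above with the
# generated paths, ready to paste into the uhub configuration.
write_uhub_config() {
    cat > "$OUT/uhub-tls.conf" <<EOF
tls_private_key="$OUT/domainname.key"
tls_certificate="$OUT/domainname.crt"
tls_enable=yes
tls_require=yes
EOF
}

make_self_signed
key_matches_cert && echo "key and certificate match"
[ "$(cert_cn)" = "$HUB_CN" ] && echo "certificate CN is $HUB_CN"
openssl x509 -in "$OUT/domainname.crt" -noout -dates
write_uhub_config
cat "$OUT/uhub-tls.conf"
```

Run the two checks before setting tls_require=yes: with that setting every client must complete the TLS handshake, so a key/certificate mismatch or a Common Name that differs from the hub's public hostname locks everyone out rather than just producing a warning.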