TLS/SSL Newb needs DMZ server help

Hi, I’m new to SSL/TLS certs but I have a project I need help on. We are a museum, we have a database that the administrators want to provide access to from the web. Our software provider is requiring me to provide a server on our DMZ that will connect to the internal database info. The server is up, software installed, and is working internally but I need a certificate for it and then I can point a subdomain or folder to it. Can Certify the Web help with this. A couple of SSL providers have turned me down since its not a hosted server ??

thanks for any direction anyone can give.

Hi, the short answer is yes but it does require work and configuration on your part.

The process consists of two stages:

  • getting (or renewing) your certificate, this ends up as a file (or files) on disk.
  • deploying your certificate. This is using the certificate with the actual services (e.g. websites, mail servers, ftp, remote desktop, database servers etc).

Getting a certificate
To get a certificate using Certify The Web, you first specify the domains you want, this is the full name of any site or service you want to use the cert with. e.g. would be an example name you might include on a cert. You then choose (on the Authorization tab) how to prove control of your domains, using either http validation or DNS validation. Http validation (the default) is the easiest for public web servers because you just run Certify on that server and it helps respond to the “challenge” from the Certificate Authority (e.g. the default CA is Let’s Encrypt).

DNS validation depends largely on who hosts your DNS services as to whether it can be automated and will therefore work for you, but it has the advantage of not requiring a public web server to respond to the CA.

Once you’ve done that, you can click Request Certificate to order your (free) cert.

Deploying a certificate
Some things depend on what exactly you want the cert for:

  • is it just for a web site, or does your actual connection to the database server require TLS (e.g. most database servers MySQL, Postgresl, SQL Server etc support TLS connectivity from your frontend server to the database server). If you need the database to use TLS for connections then you need to investigate how to configure certificates for that and how you could automate renewals.

If you just need the cert for a public IIS website then chances are at this point it’s all working and there’s nothing more to do. If you need to deploy it to something else, that then depends on how that service can be configured and you’ll need to refer to their docs. Certify provides a Tasks feature which can perform deployment/copying etc optimised for various services.

Note that you can generally use the free Community Edition of Certify The Web to try stuff out.

1 Like