SSL Certificates for my distributable HTTPS server

I want to move from FTP to HTTPS due to Firewalls being nasty to FTP.
For HTTPS I will need an SSL Certificate.
Can I get free valid certificates anywhere?
Should I distribute my certificates while deploying my Application?
I use Delphi (ICS HTTPS component) and my application runs on Win OS.
I have developed a backup application which is installed on every machine of my customers.
The HTTP Server will only be installed on the Destination machines and monitoring machine.
Allan_FernandesAsked:
Chinmay Patel (Chief Technical Ninja) commented:
Hi Allan,

I use https://letsencrypt.org/ for all my certificates (including Wildcard ones). If you take your certificate from a valid certification authority (Let's Encrypt is one), then you don't have to install it on your client's machine. In case you are self-signing, i.e. generating your own certificate on your own server, then yes, it has to be put into the trusted certificates store.

You can use any of the tools available at https://letsencrypt.org/docs/client-options/ to generate/manage your certificates.

Regards,
Chinmay.
1
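The distinction in the answer above (a CA-issued certificate needs nothing on the client; a self-signed one must be trusted explicitly, and what gets shipped is only the public certificate, never the private key) shown as an added Go example that is not from this thread or the ICS library; the hostname "backup-dest.example" is a constructed placeholder:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// startSelfSignedServer mints a throwaway self-signed cert (constructed name, plus 127.0.0.1
// so the loopback test address verifies) and serves HTTPS with it; only the leaf is returned.
func startSelfSignedServer() (*httptest.Server, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "backup-dest.example"},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: priv}}}
	srv.StartTLS()
	return srv, leaf, nil
}

// fetch does one HTTPS GET verifying the server against roots; nil means the OS trust
// store, which is all a client has when the cert came from a public CA like Let's Encrypt.
func fetch(url string, roots *x509.CertPool) error {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return err
	}
	return resp.Body.Close()
}
```

Against the OS trust store the self-signed server fails with an unknown-authority error; adding the shipped leaf to a `CertPool` is the "install it in the trusted store" step the answer describes.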
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
As Chinmay said, use LetsEncrypt...

And... There's no requirement for an SSL cert to fix your problem.

1) You can't run FTP over HTTPS without some serious proxy code at the server end.

Likely you've never done this before, because... the complexity... well, this is why hardly anyone does this.

2) Just run SFTP (port 22), which requires no SSL cert.

Describe more about what you're trying to accomplish... files you'll be transferring... likely someone can provide you with an HTTPS solution.

3) Also I think you have a slight misunderstanding about how FTP + HTTPS + Certs work.

An SSL cert (really TLS cert, as SSL has been deprecated for years) is associated with a host or domain or wildcard space.

SSL certs as such only cover the IP(s) returned from a DNS lookup for a host/domain.

You can't *"distribute my certificates while deploying my Application"* or better said you can include any files you like + including cert files will have no effect as...

Certs cover servers, not clients.

Maybe you've confused SSH key files with SSL certs. These are two different beasts.

If you'd like to include an SSH key file with your application, for SFTP use, you can + this becomes massively tricky too.

You'll have to include an empty passphrase key, as having a passphrase key will require you keep the passphrase in clear text somewhere in your app, so having a passphrase serves no function.

Then anyone with your SSH/SFTP key can access a client's data on your server anytime they like.

Describe your application in detail + likely someone can assist.

If your application or data is sensitive, then hire someone who does this work daily (hard core, bi directional, secure data flow).
0
Allan_Fernandes (Author) commented:
I have developed a backup Application which communicates across machines with the FTP protocol.
FTP Servers are listening on the Destination machine, FTP Clients on the others. The Application with the FTP Server is being killed by the AntiVirus.
Therefore I considered moving my application to HTTPS.
On the Destination machine I will have an HTTPS Server running and Client machines will Send and Receive files via an HTTP Client component.
After your advice I have checked the SFTP protocol and https://www.devart.com/sbridge/ seems to have what I need.
Was hoping the components would be Free.
0
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
You have several problems.

The first + biggest is if you're running your FTP server code (what it sounds like) on various machines which will live behind firewalls.

Most firewalls (ISPs + businesses) block listening ports, so you can run any server you like + access to this server will likely be blocked.

Makes no difference if it's FTP or SFTP or HTTPS, the consideration here is if you have a service listening on an IP/port which can be firewalled, then even if you get one of these servers working, any change with internal policy can knock communications offline.

The reason API systems exist is so machines can call these systems to do connections over port 80 + 443.

In this case any client machine which can access the Web, can proxy requests over 80 or 443.

You can achieve near 100% connectivity if you take this approach.

Taking your approach of running server code on random machines will always fail differently each day (as companies change their policies).
0
Allan_Fernandes (Author) commented:
1) The ports I am using in my Test Applications are the standard ports, yet upon Listening the Firewall asks Allow/Block?

2) The difference with the FTP Server was that the Antivirus terminated the program with an error message. For all other Servers, including SFTP, it is asking Block/Allow. This is manageable, as per customer I will have just 1 or 2 Destination machines (Listening Servers).

3) I have yet to study SFTP and SSH further. From the looks of it, it seems that it handles its own key generation logic?

4) A big Thank You for all the support you are giving. I wish I had got this kind of advice earlier. I ran my application using Raw Sockets all this while and had to do a lot of coding.
0
Chinmay Patel (Chief Technical Ninja) commented:
I have a little disagreement on the line

Certs cover servers, not clients.

There is client-side authentication using certificates; it's just that it is so complex and difficult to maintain that people just don't do it unless there is a very strong need for it. But I have seen people doing it (many times).

All the best with your implementation.

Regards,
Chinmay.
0