SSL Connection

Install and run OpenSSL

  • OpenSSL - Download the latest OpenSSL binaries, which are required for key generation.

  • PowerShell - Required for CA certificate installation.

Steps to Generate a Self-Signed SSL Certificate

Root CA Certificate

The Root CA certificate must be installed on each machine that will access the API via SSL. See the Install Certificate section for more details.

Step 1: Generate a private key

openssl ecparam -genkey -name prime256v1 -out DlubalAPICA.key

Step 2: Generate a self-signed certificate

openssl req -new -x509 -days 365 -key DlubalAPICA.key -out DlubalAPICA.crt -subj "/CN=Dlubal API Root CA/C=CZ/ST=Prague/O=Dlubal Software s.r.o./[email protected]"

Step 3: Create a PKCS#12 file

openssl pkcs12 -export -inkey DlubalAPICA.key -in DlubalAPICA.crt -out DlubalAPICA.p12

Managing PKCS#12 in PowerShell (Administrator required)

Step 4: Install the certificate

Import-PfxCertificate -FilePath "DlubalAPICA.p12" -CertStoreLocation Cert:/LocalMachine/root

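Step 5: Test the certificate

The last path segment in Steps 5 and 6 is the certificate thumbprint; substitute the thumbprint of the certificate you installed.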

Test-Certificate -Cert cert:/localmachine/root/18AAE58FDAEB89E3A37BDD450A943BDCAD51751C

Step 6: Remove the certificate

Get-ChildItem Cert:/LocalMachine/root/18AAE58FDAEB89E3A37BDD450A943BDCAD51751C | Remove-Item

Server Certificate

Step 1: Generate a private key for the server

openssl ecparam -genkey -name prime256v1 -out DlubalAPIServer.key

Step 2: Create a Certificate Signing Request (CSR)

openssl req -new -key DlubalAPIServer.key -out DlubalAPIServer.csr -subj "/CN=Dlubal API/C=CZ/ST=Prague/O=Dlubal Software s.r.o./[email protected]"

Step 3: Create a configuration file (.ext)

The file DlubalAPIServer.ext is a text file and should contain the following at a minimum:

[ req ]
req_extensions = v3_req
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = MyPCName
DNS.2 = localhost
IP.1 = 127.0.0.1
IP.2 = 192.168.1.25

In the alt_names section, you can define alternative DNS names, such as the computer name or its IP address(es).

Sign the CSR with the Root CA:

openssl x509 -req -days 365 -in DlubalAPIServer.csr -CA DlubalAPICA.crt -CAkey DlubalAPICA.key -CAcreateserial -out DlubalAPIServer.crt -extfile DlubalAPIServer.ext -extensions v3_req
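The following check is an added example, not part of the original documentation: it runs the signing step above with and without -extfile/-extensions, then uses openssl verify to test which names each certificate is accepted for. It is written for a POSIX shell (for example Git Bash or WSL); the shortened subjects, the NoSan.crt file name and the OtherPC host name are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). Subjects are shortened placeholders;
# the SAN entries are the sample values from the page's DlubalAPIServer.ext.

# Build the CA and two server certificates in directory $1:
#   DlubalAPIServer.crt  signed with -extfile/-extensions, as on the page
#   NoSan.crt            same CSR signed without them (constructed counter-example)
make_certs() (
    cd "$1" || exit 1
    exec 2>/dev/null    # silence OpenSSL progress messages
    printf '%s\n' '[ req ]' 'req_extensions = v3_req' '[ v3_req ]' \
        'subjectAltName = @alt_names' '[ alt_names ]' 'DNS.1 = MyPCName' \
        'DNS.2 = localhost' 'IP.1 = 127.0.0.1' 'IP.2 = 192.168.1.25' \
        > DlubalAPIServer.ext &&
    openssl ecparam -genkey -name prime256v1 -out DlubalAPICA.key &&
    openssl req -new -x509 -days 365 -key DlubalAPICA.key -out DlubalAPICA.crt \
        -subj "/CN=Example Root CA" &&
    openssl ecparam -genkey -name prime256v1 -out DlubalAPIServer.key &&
    openssl req -new -key DlubalAPIServer.key -out DlubalAPIServer.csr \
        -subj "/CN=Dlubal API" &&
    openssl x509 -req -days 365 -in DlubalAPIServer.csr -CA DlubalAPICA.crt \
        -CAkey DlubalAPICA.key -CAcreateserial -out DlubalAPIServer.crt \
        -extfile DlubalAPIServer.ext -extensions v3_req &&
    openssl x509 -req -days 365 -in DlubalAPIServer.csr -CA DlubalAPICA.crt \
        -CAkey DlubalAPICA.key -CAcreateserial -out NoSan.crt
)

# Succeeds only if certificate $2 chains to the CA in $1 AND is valid for name $4.
# $3 is "dns" or "ip".
valid_for() (
    cd "$1" || exit 1
    case "$3" in ip) flag=-verify_ip ;; *) flag=-verify_hostname ;; esac
    openssl verify -CAfile DlubalAPICA.crt "$flag" "$4" "$2" >/dev/null 2>&1
)

work=$(mktemp -d) && make_certs "$work" || exit 1
for cert in DlubalAPIServer.crt NoSan.crt; do
    for target in dns:localhost dns:MyPCName ip:192.168.1.25 dns:OtherPC; do
        if valid_for "$work" "$cert" "${target%%:*}" "${target#*:}"
        then echo "$cert  $target  accepted"
        else echo "$cert  $target  REJECTED"
        fi
    done
done
rm -rf "$work"
```

A certificate signed without the .ext file carries no subjectAltName, so every name is rejected for it; a client has to connect using one of the names or addresses listed in alt_names.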

Configuration via Command Line

To configure SSL via the command line, use the following arguments. This is a one-time action: the application writes the configuration to its settings and then exits. Once the configuration is set, the application starts with SSL enabled, and these arguments are no longer needed. If SSL was already configured through the GUI, this step is not necessary.

Example:

RFEM6.exe --ssl-connection-enabled=true --ssl-certificate-path "C:\Certificates\MyLocalCertificate.crt" --ssl-private-key-path "C:\Certificates\MyLocalPrivateKey.key"

For RFEM 6 Server, this configuration only needs to be applied once. It is saved in the configuration files, so other instances will automatically load it during startup.

Python Client

In Python, SSL must be enabled on the client side and is used together with an API key.

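import grpc

def get_ssl_credentials(path: str) -> grpc.ChannelCredentials:
    # Read the Root CA certificate (PEM) that signed the server certificate.
    with open(path, "rb") as cert_file:
        return grpc.ssl_channel_credentials(cert_file.read())

# The address must match a DNS or IP entry in the server certificate's alt_names.
channel_credentials = get_ssl_credentials("C:/.../DlubalAPICA.crt")
channel = grpc.secure_channel('127.0.0.1:9000', channel_credentials)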