Certy

User Manual

for version 1.0

Written by Ben Bird - Ben Software Ltd

bensoftware.com


About

Certy is a Mac application that manages two primary functions for setting up your own web server: Dynamic DNS (DDNS) and SSL/TLS certificate creation.

DDNS is required when your internet connection has a dynamic public IP address - i.e. one that can change from time to time. Certy's DDNS system ensures that your domain name will always point to your public IP address, even when it changes.

SSL/TLS certificates are used to authenticate your web server over secure connections. Certy uses the free certificate authority Let's Encrypt to generate certificates, which can be used by any web server.

The only requirements to use this software are that you own a domain name, and sign up for an account with Zonomi, which is a DNS hosting provider. For basic usage (1 domain with up to 10 DNS records), your Zonomi account will be free of charge.


Domain Name Setup

Purchase a domain name
There are many providers for this, for example names.co.uk in the UK or Namecheap in the USA.

Set DNS servers
Use the control panel supplied by your domain name provider to set the following DNS servers for your domain:

ns1.zonomi.com
ns2.zonomi.com
ns3.zonomi.com
ns4.zonomi.com

Note that when you change a domain's DNS servers, this can take up to 24 hours to take effect.

Open a Zonomi account
Sign up for a DNS hosting account at Zonomi. For a single domain and up to 10 DNS records, this will be free of charge. Otherwise, their fees are very reasonable.

Add your domain to Zonomi
In the Zonomi control panel, use the Add a Zone option to add your domain name.


Certy Setup

Open Certy, and select the Preferences option via the Certy menu at the top left of the screen:

Enter your domain name, along with the Zonomi API key (this is a long string of numbers, which can be obtained from the Zonomi control panel).

With DDNS enabled, Certy will make connections to Zonomi every 10 minutes to set the IP address of your domain name. By default, your public IP address will be automatically detected, which will work in most situations, but you also have an option here to specify a fixed IP address to use instead.

With certificate creation enabled, Certy automatically generates certificate files and will save them to the locations you specify. The created files are as follows:

Private key
This is used to encrypt the data that your server sends. It should be kept private and never shared with anyone.

Server certificate
This identifies your server to the clients that connect to it. The server certificate encodes your domain name so that clients can verify the authenticity of your server, as well as a public version of your key so that clients can encrypt the data that they send to your server.

Certificate Authority (CA) certificate
This identifies the certificate authority (in this case Let's Encrypt) in order to complete the certificate chain. A valid certificate chain is required for clients to identify the validity of the server certificate. This CA certificate is sometimes called an intermediate certificate.

All three of these files are required for the server to correctly set up a secure connection. Certificates issued by Let's Encrypt expire after 90 days; Certy will automatically renew them every 60 days to keep them well within expiry.

The User interface option determines how visible Certy is: you can choose to keep it in the Dock and/or display a small utility menu at the top-right of the screen. If you choose to hide the Dock icon, Certy becomes more difficult to quit manually; you would have to go back to the Preferences, show the Dock icon, and then quit the software. This is useful when you want to run Certy all the time, with no possibility for it to be quit by accident.

Certy has a window that shows its current status, available from the Window menu:

Note that Certy has to be open and running at all times in order to do its work. Set Certy to automatically open at login by right-clicking on its icon in the dock and turning on this option:


Using Certy with Apache

Here is how to set up Apache with your domain and certificates:

Create a folder to store the certificate files
Apache's setup files are located at /private/etc/apache2; however, this folder has limited access permissions and Certy can't create files here. An easy solution is to create your own folder within this location (e.g. /private/etc/apache2/ssl), and then tell Certy to save files within this folder.

The following steps involve editing Apache's configuration files that reside at /private/etc/apache2/httpd.conf and /private/etc/apache2/extra/httpd-ssl.conf (e.g. use a plain-text editor such as TextMate).

Give Apache your domain name
In both httpd.conf and httpd-ssl.conf, locate the ServerName parameter and set it to your domain name. Remove any # character from the start of the line.

Enable Apache SSL
In httpd.conf, locate the following lines and remove any # character from the start of each line:

Include /private/etc/apache2/extra/httpd-ssl.conf
LoadModule ssl_module libexec/apache2/mod_ssl.so

Configure Apache certificate paths
In httpd-ssl.conf, locate the SSLCertificateKeyFile, SSLCertificateFile, and SSLCertificateChainFile parameters, remove any # characters at the start of these lines, and set them to the paths where Certy is saving these files, for example:

SSLCertificateKeyFile "/private/etc/apache2/ssl/server.key"
SSLCertificateFile "/private/etc/apache2/ssl/server.crt"
SSLCertificateChainFile "/private/etc/apache2/ssl/ca.crt"

Set a weekly reboot
Apache needs to be restarted in order for the new certificates to take effect. Unfortunately, Certy cannot do this, as it requires root access. One solution is to set an automatic weekly reboot for your Mac via the Energy Saver system preference. Besides resolving this problem, a weekly reboot is generally a good idea for any server that is meant to be left running unattended for long periods of time.
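As an added check on the Apache configuration edits above (example code written for this manual, not part of Certy or Apache), the following script parses httpd.conf and httpd-ssl.conf text and reports which required directives are still commented out or missing, and which certificate paths Apache will actually load. The two config fragments embedded in it are constructed for the demonstration.

```python
"""Pre-flight check for the Apache edits described above (added example,
not part of Certy or Apache; the config fragments are constructed)."""
import re

# Per file: (directive, substring its value must contain), as the manual
# requires them to be present and uncommented.
REQUIRED = {
    "httpd.conf": [("ServerName", ""), ("Include", "httpd-ssl.conf"),
                   ("LoadModule", "ssl_module")],
    "httpd-ssl.conf": [("ServerName", ""), ("SSLCertificateKeyFile", ""),
                       ("SSLCertificateFile", ""), ("SSLCertificateChainFile", "")],
}

def directive_state(config_text, directive, must_contain=""):
    """'active', 'commented' or 'missing'; a leading '#' means commented."""
    pattern = re.compile(r"^(#*)\s*" + re.escape(directive) + r"\b(.*)$")
    state = "missing"
    for line in config_text.splitlines():
        m = pattern.match(line.strip())
        if not m or must_contain not in m.group(2):
            continue            # other directives, or e.g. an unrelated Include
        if not m.group(1):
            return "active"     # one uncommented line is enough
        state = "commented"
    return state

def check_config(filename, config_text):
    """Map each directive required in `filename` to its state."""
    return {d: directive_state(config_text, d, sub) for d, sub in REQUIRED[filename]}

def cert_paths(ssl_conf_text):
    """Paths on active SSLCertificate*File lines, to compare with Certy's save locations."""
    paths = {}
    for line in ssl_conf_text.splitlines():
        m = re.match(r'^\s*(SSLCertificate\w*File)\s+"?([^"\s]+)"?', line)
        if m:
            paths[m.group(1)] = m.group(2)
    return paths

# Constructed fragments: the SSL include and the chain file line are still commented out.
HTTPD_CONF = """ServerName example.com
#Include /private/etc/apache2/extra/httpd-ssl.conf
LoadModule ssl_module libexec/apache2/mod_ssl.so
"""
SSL_CONF = """ServerName example.com
SSLCertificateKeyFile "/private/etc/apache2/ssl/server.key"
SSLCertificateFile "/private/etc/apache2/ssl/server.crt"
#SSLCertificateChainFile "/private/etc/apache2/ssl/ca.crt"
"""
```

Run check_config on the real file contents before restarting Apache; a "commented" or "missing" entry, or a path in cert_paths that differs from the folder Certy saves to, means the SSL setup will not come up as intended.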


Using Certy with SecuritySpy

Certy can be used with our Mac CCTV software SecuritySpy in order to allow you to use your own domain name rather than the standard viewcam.me domains that are provided by SecuritySpy. In this case, set Certy to save the certificate files to the SecuritySpy folder that resides within your Home folder. Then, simply enter your domain and Zonomi API key, and turn on DDNS and certificate creation; no other configuration steps are required.