Secure HTTP Server Example

This demonstrates how to run a secure HTTP server.

The example demonstrates:

Refer to the WGX example:

/gecko-os/4/standard/latest/cmd/apps/https-intermediate-certs

for details about the various certificates generated by this example's scripts.

Prerequisites

To run the certificate generation scripts, OpenSSL must be installed on your computer.

Windows OS

For Windows, you can download prebuilt OpenSSL binaries from here:

https://slproweb.com/products/Win32OpenSSL.html

Linux OS, Mac OS

For Linux and Mac OS, you can install OpenSSL from command line, e.g.:

apt-get install openssl

Part A) Certificate Generation

Before programming your device with this example app, you must first generate TLS certificates.

The certificate chains generated in this example are as follows:

Root CA certificate -> Server Intermediate certificate -> Server certificate
Root CA certificate -> Device Intermediate certificate -> Device certificate

NOTE: About Generation Scripts

The following uses Windows commands to generate the certificates.
If you're using Linux or Mac OS, use the corresponding .sh scripts instead of .bat.

NOTE: About the Device Hostname

To run the secure HTTP server, we need to generate the server certificate.
When a client connects to the Gecko OS HTTPS server, the server gives the client this certificate.
The client validates the server certificate against root-ca.crt, which the client should have locally.

To generate the server certificate, we need to decide on the host name of the Gecko OS device.
The host name is the URL entered into a web browser (e.g. https://mydevice.com).
Gecko OS has several options for host names:

First we need to decide: is Gecko OS connecting to a network, or is it creating the network?
I.e., will the Gecko OS 'wlan' or 'softap' interface be used?

If the 'WLAN' interface is used, there are two host name options:

If the 'SoftAP' interface is used, there are three host name options:

For this example we'll use the SoftAP interface and DNS server.
The host name is: mydevice.com

Invoke Certificate Generation Script

To generate all the certificates needed by the example, simply invoke the following command:

cd <project dir>\resources\certificates\scripts
.\generate_cert.bat <hostname>

Where <hostname> is the device host name chosen in the previous section.

This script will generate the following certificates and keys:

// Root CA certificate and key
<project dir>\resources\certificates\ca\private\root-ca.key
<project dir>\resources\certificates\ca\certs\root-ca.crt

// Server Intermediate certificate and key
<project dir>\resources\certificates\ca\server\private\server-intermediate.key
<project dir>\resources\certificates\ca\server\certs\server-intermediate.crt

// Server certificate and key
<project dir>\resources\certificates\ca\server\private\server.key
<project dir>\resources\certificates\ca\server\certs\server.crt

// Client intermediate certificate and key
<project dir>\resources\certificates\ca\client\private\client-intermediate.key
<project dir>\resources\certificates\ca\client\certs\client-intermediate.crt

// Client certificate and key
<project dir>\resources\certificates\ca\client\private\client.key
<project dir>\resources\certificates\ca\client\certs\client.crt
<project dir>\resources\certificates\ca\client\certs\client.p12
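
Before programming the device, the generated server chain can be checked the same way a client will check it. The script below is an added example, not part of this example's own scripts; the script name check_chain.sh and the function name are hypothetical, and it assumes PEM-encoded files, an unencrypted server.key, and the output paths listed above written with forward slashes.

```shell
#!/bin/sh
# Added example: sanity-check the generated server chain with OpenSSL.
# Assumptions: PEM files, unencrypted server.key, paths as listed above.

# check_server_chain <certificates dir> <hostname>
# Prints "ok" and returns 0 when every check passes; otherwise prints the
# failed check and returns 1.
check_server_chain() {
    dir=$1; host=$2
    root="$dir/ca/certs/root-ca.crt"
    inter="$dir/ca/server/certs/server-intermediate.crt"
    leaf="$dir/ca/server/certs/server.crt"
    key="$dir/ca/server/private/server.key"

    for f in "$root" "$inter" "$leaf" "$key"; do
        [ -r "$f" ] || { echo "missing: $f"; return 1; }
    done

    # 1. Path validation as a client does it: root-ca.crt is the only trust
    #    anchor; the intermediate is supplied as untrusted chain material.
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1 ||
        { echo "chain: server.crt does not chain to root-ca.crt"; return 1; }

    # 2. Host name. -checkhost falls back to the subject CN only when the
    #    certificate carries no DNS subjectAltName.
    openssl x509 -in "$leaf" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" ||
        { echo "hostname: server.crt is not valid for $host"; return 1; }

    # 3. server.key must be the private key belonging to server.crt,
    #    otherwise the TLS handshake fails on the device.
    cert_pub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "key: server.key does not match server.crt"; return 1; }

    echo "ok"
}

# Usage: sh check_chain.sh "<project dir>/resources/certificates" mydevice.com
if [ "$#" -eq 2 ]; then check_server_chain "$1" "$2"; fi
```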

Part B) Run the Secure HTTP Server

With all the certificates generated, program the application AND resources to the device.
After programming, the following files should be on the device's file system
(e.g. they should appear in the output of the ls -l command):

Once the program starts on the device, the SoftAP will automatically be brought up and the secure HTTP server will start.
Refer to the device's log console for further instructions on how to connect to the device via web browser.

Source Files