0

I am working for a software editor and we deliver to our clients a turnkey solution that the client has just to install on his server to use it. This solution is a web service who uses HTTPS to communicate. This web service can be public (accessible from the Internet) or not, client choice. To enable HTTPS, we provide in our solution a self-signed certificate (this certificate is the same for all our different clients but specific to our solution).

Now, a client is asking us if we could deliver the solution with a trusted SSL certificates (to avoid ERROR_SELF_SIGNED_CERT in their browser when connecting to the service).

My question is: is it possible to provide a trusted certificate in our solution? If yes, how? If no, what can we suggest to the client to answer to his request?

Pierre
  • 103
  • 4

2 Answers2

1

You should allow the client to add their own certificate to your solution. They can get that from wherever they want.

Alternatively, if the domain is reachable from the internet, you could automatically fetch a new certificate from Let's Encrypt

Josef
  • 5,933
  • 26
  • 34
1

It is not your duty. Customers who installs your application must acquire trusted SSL/TLS certificates from a CA provider they choose. It is ok if you ship a self-signed certificate for testing purposes, but for production it is up to customers. They own domains where the application is used and only customers can get trusted certificate for their domain. Suggest them to review popular trusted CAs (some are free, some are paid, I'm not going to advertise any) and get certificate for their domain.

If your application ships a web server application, you should provide instructions for clients on how they should configure the web server to use custom certificate. If you ship only application, you still should provide instructions on certificate binding for popular web servers (say, Apache, IIS, etc.).

Crypt32
  • 5,901
  • 12
  • 24