Certificate types

Certificates are installed to secure communication and to stop web browsers from reporting that the connection between VAKA Admin and the administration computer is insecure.

Certificates are also needed for communication between system components, such as between B60 devices and/or reservation and information boards.

VAKA supports three types of certificates:

VAKA-generated certificate

In this case, B60 generates a local root certificate and a web server certificate and distributes them in the system without any intervention by the administrator.

A VAKA-generated certificate can be used at no cost.

VAKA-generated root certificates must be installed in the web browser (or system) before it is possible to set up a secure connection.

The advantage of this type of certificate is that a secure connection to the IP address for B60 can be established, as the locally issued certificate is valid for the LAN IP, WAN IP and host name of B60.

Remember: Because everyone who connects to the system must install certificates in their web browser, this solution is impractical for systems that involve reservations over the internet. However, users can perform reservations via HTTP.

Let's Encrypt

Let’s Encrypt is the most convenient option for administrators and users/clients who surf to B60, including reservations made over the internet.

Let’s Encrypt is a free service that offers devices the opportunity to request and renew certificates automatically.

The service requires the connection point (B60) to be connected to the internet, and port 80 (HTTP) and port 443 (HTTPS) to be open to the connection point so that it can accept enquiries from the Let’s Encrypt server. Let’s Encrypt uses this mechanism to ensure that whoever is requesting a certificate really is the “owner” of the host name.

For B60 to be able to contact the Let’s Encrypt server, B60 must be able to “look up” web addresses. Therefore, do not forget to set the DNS server details in Domain Settings -> Domain Controller -> Networks.

At bottom of page... under DNS

A domain/sub-domain (not an IP address) that points to the IPv4 address of B60 is also required.

When Let’s Encrypt is used, information and reservation panels are configured to connect to “Public Hostname” (found in the configuration of the B60 that is the connection point for the system).

Any router between B60 and the internet must support NAT traversal.
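
The Let’s Encrypt prerequisites listed above (a host name rather than an IP address, an IPv4 record for it, and ports 80 and 443 reachable) can be checked before switching certificate type. The script below is an added example, not part of VAKA or the original page; the function names and the host name vaka.example.com are assumptions made for illustration. Run it from a computer outside the site network, since the Let’s Encrypt server connects from the internet.

```python
import ipaddress
import socket
import sys

def is_ip_literal(name):
    """True if name is an IPv4/IPv6 address rather than a host name."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def resolve_ipv4(hostname):
    """Return the sorted IPv4 addresses the name resolves to ([] on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def port_open(address, port, timeout=3.0):
    """True if a TCP connection to address:port succeeds within the timeout."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(public_hostname, expected_ipv4=None, ports=(80, 443)):
    """Return a list of problems; an empty list means the checks passed."""
    if is_ip_literal(public_hostname):
        return ["an IP address was given; a domain or sub-domain is required"]
    addresses = resolve_ipv4(public_hostname)
    if not addresses:
        return [f"{public_hostname} does not resolve to an IPv4 address"]
    problems = []
    if expected_ipv4 and expected_ipv4 not in addresses:
        problems.append(f"{public_hostname} resolves to {addresses}, not {expected_ipv4}")
    for address in addresses:
        for port in ports:
            if not port_open(address, port):
                problems.append(f"TCP port {port} on {address} is not reachable")
    return problems

if __name__ == "__main__":
    # vaka.example.com is a constructed placeholder, not a real VAKA host.
    host = sys.argv[1] if len(sys.argv) > 1 else "vaka.example.com"
    print("\n".join(preflight(host)) or "no problems found")
```

Pass the WAN address of B60 as expected_ipv4 to catch a DNS record that still points at an old address.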

Customer-specific certificate

A customer-specific certificate is an appropriate solution for organisations that demand their own controls. Management can then be done centrally. This solution does not require an internet connection.

Uploading requires two files, both in PEM format: a web server certificate and the associated private key, e.g. webserver.pem and private_key_webserver.pem.

If a certificate provider external to the organisation is used, a customer-specific certificate will have an annual cost of approx. SEK 2,500.

Updated 16/01/2023