We have an application that we installed on a Windows virtual machine on GCP.

The users are supposed to access this application by entering the real IP address of the server in their web browser.

Please assist with the following:

  1. How to install an SSL certificate so that the users can use HTTPS instead of HTTP.
  2. Should this certificate be installed on the Windows VM or from the GCP console?
  3. Should a host be purchased first so that users will use a name instead of IP address?
kenlukas
  • Can you provide more information about what infrastructure you use? E.g. do you use the Google Load Balancing with https proxy? If so, you have to install the certificate there. If not, you have to install it on the machine. Regarding question 3: Yes, you should get a hostname, since certificates are usually issued by domain name, not IP. You CAN get a certificate for an IP but that can cause a lot of problems. Certificates are usually domain validated, e.g. if you get a certificate for example.com it's usually validated by sending an email to admin@example.com. – Broco Nov 18 '19 at 10:26
  • Thank you @Broco for your reply. Currently I'm not using any load balancing with https proxy, do you recommend that please? – Beamco I.T. Nov 18 '19 at 10:48
  • I'd only recommend it if you need it. The need for load balancing comes from the amount of users and traffic you have and how much redundancy you need/want. So to get this straight: You have a Windows VM with a public IP only? Then you need to set up the SSL certificate on the Windows Machine. What web server do you use? IIS? Apache? Need more information. – Broco Nov 18 '19 at 10:56
  • This is my first time setting up GCP and a Windows machine on the web and I really appreciate your help. Yes, Windows VM with public IP from Google and yes, we need to set up SSL so that people connect to the app using https. Currently we have XAMPP installed on the server and it's running Apache and MySQL, around 80 users connecting randomly (maybe 20-30 at the same time) and they access a web interface that logs them into the application. – Beamco I.T. Nov 18 '19 at 11:20
  • Ok, then I would suggest you get an FQDN from any provider (they are dirt cheap, like $2 a month) and set up a DNS entry for your public IP. Next you get an SSL Certificate from a vendor of your choice (there are also free ones) and then set up the certificate and configure Apache with a redirect for https: https://www.sslshopper.com/apache-redirect-http-to-https.html Though I'm not sure why you'd use Apache and MySQL on Windows, seems like a little too much overhead unless you're using Windows services. E.g. if you're just using PHP+MySQL, using a Linux server makes much more sense. – Broco Nov 18 '19 at 11:40
  • Thank you for your assistance, it's really helpful and informative. – Beamco I.T. Nov 18 '19 at 11:45
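
The Apache setup suggested in the comments above, sketched as an added example (not posted by any participant in the thread). The hostname `app.example.com` and the certificate and key file names are placeholders, and the paths assume a default XAMPP install under `C:/xampp`.

```apache
# Added example: hostname and file names are placeholders, paths assume C:/xampp.
# Assumes mod_ssl is loaded and "Listen 443" is active
# (in XAMPP both come from conf/extra/httpd-ssl.conf).
# Port 443 must also be allowed by the firewall rules that apply to the VM.

# Plain HTTP serves no content, only a permanent redirect to HTTPS.
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent / https://app.example.com/
</VirtualHost>

<VirtualHost *:443>
    # Must match the DNS name users type and the name in the certificate.
    ServerName app.example.com
    DocumentRoot "C:/xampp/htdocs"

    SSLEngine on

    # Server certificate from the vendor. On Apache 2.4.8 and later, append
    # any intermediate certificates to this same file, after the server cert.
    SSLCertificateFile    "C:/xampp/apache/conf/ssl.crt/app.example.com.crt"

    # Private key that was generated together with the CSR.
    # Restrict NTFS permissions on it to administrators and the Apache service.
    SSLCertificateKeyFile "C:/xampp/apache/conf/ssl.key/app.example.com.key"

    # Turn off the legacy protocol versions; TLS 1.2 and newer remain enabled.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
```

Running `httpd.exe -t` from the Apache `bin` directory checks the syntax before the service is restarted.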

1 Answer

I'd recommend considering what you are trying to achieve first, as it looks from the above that you may be fairly new to this. If this is a live system or has people's jobs relying on it, I recommend seeking the help of a consultant or suitable company to consider if what you are considering is suitably secure & resilient etc.

Anyway, to answer your specific questions (although not in the order you asked them):

  • Should a host be purchased first so that users will use a name instead of IP address?

Yes, public certificates don't work on IPs. Unless this is an internal-only, non-critical system I recommend you select and purchase a suitable domain name and create DNS record(s) resolving to your IP.

  • Should this certificate be installed on the Windows VM or from the GCP console?

The cert should be installed on the element(s) that encrypts SSL traffic. If this server is behind a load-balancer or reverse proxy, you may need to install it on there. If not, most likely the server (IIS).

  • How to install an SSL certificate so that the users can use HTTPS instead of HTTP.

You'll need to follow a specific process depending on what you are installing it on (e.g. IIS). If you've not done it before I recommend selecting who you are going to buy it from first as most vendors provide instructions on how to request and install the cert which includes steps relevant to their portal.

Steve