Configuring SSL Certificates for VisualSVN Server

Applies to: VisualSVN Server 5.1 and later

VisualSVN Server supports secure connections over the HTTPS protocol (Hypertext Transfer Protocol Secure). This protocol combines the Hypertext Transfer Protocol with the SSL/TLS protocol to provide encryption and secure identification of the server.

The main idea of HTTPS is to create a secure channel over an insecure network. It ensures reasonable protection from eavesdroppers and man-in-the-middle attacks, provided that adequate cipher suites are used and that the server certificate is verified and trusted.

Introduction to SSL certificates

In order to work over the HTTPS protocol, VisualSVN Server should be equipped with an SSL certificate. A server certificate contains detailed information that is used to validate the identity of this server on the network.

An SSL certificate is automatically trusted by standard Subversion clients and web browsers when it is signed by a trusted certificate authority. If a certificate is not trusted by the client, the connection will be encrypted, but the user will get a warning about the insecure connection.

When installed for the first time, VisualSVN Server generates a self-signed SSL certificate for the hostname of the server computer where VisualSVN Server is installed. It is recommended to replace the default self-signed certificate with a certificate signed by a trusted certificate authority (CA). The certificate can be signed by

  • Active Directory Certificate Services,
  • a third-party Certificate Authority such as DigiCert or GlobalSign.

Equipping VisualSVN Server with an SSL certificate

VisualSVN Server provides a wizard that helps you to equip the server with a signed SSL certificate. The following options are available:

When VisualSVN Server is installed in an Active Directory environment, you can obtain the certificate from the Active Directory Certificate Services in a few clicks. Other options include using a Certificate Signing Request to obtain a certificate from a third-party certificate authority or importing a certificate together with an associated private key.

You can also run VisualSVN Server with a self-signed certificate. For more information, read the section Running VisualSVN Server with a self-signed SSL certificate of this article.

Obtaining a certificate from the Active Directory

If your VisualSVN Server computer is part of an Active Directory domain, the easiest and most convenient approach is to obtain a new certificate from the Active Directory Certificate Services (AD CS).

Follow these steps to obtain a new certificate from the AD CS:

  1. Start the VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Certificate tab and click the menu-tab Change Certificate.
  4. Click Obtain certificate from Active Directory.
  5. Select the Certification Authority in your domain that will issue a new certificate and click Next.
  6. Enter the Common Name and click Next.
  7. Enter the Distinguished Properties and click Next.
  8. Select which private key to use for the new certificate and click Create.

The certificate signed by your local AD CS will be installed in your VisualSVN Server.

Note
You need to have appropriate rights to obtain a new certificate from Active Directory. You may need to contact your system administrator for assistance if you do not have the permissions to obtain such certificates.

Signing an SSL certificate with a third-party certificate authority

In order to obtain and install a signed certificate from a trusted third-party certificate authority, follow these steps:

  1. Prepare a Certificate Signing Request (CSR) using the VisualSVN Server Manager console.
  2. Submit this request to a third-party Certificate Authority and obtain the signed certificate.
  3. Import the signed certificate to VisualSVN Server.

Step 1: Prepare Certificate Signing Request using the VisualSVN Server Manager

In order to prepare a Certificate Signing Request, follow these steps:

  1. Start the VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Certificate tab and click the menu-tab Change Certificate.
  4. Click Prepare certificate request.
  5. Enter the Common Name and click Next.
  6. Enter the Distinguished Properties and click Next.
  7. Select which private key to use for the new certificate and click Create.
  8. Save the prepared request into a file.

It is very important to configure the correct value for the Common Name field. The Common Name should exactly match the hostname that is used to access your VisualSVN Server. For example, the Common Name should be server.example.com if clients access the server using the https://server.example.com/svn/MyRepository/ URL.

Step 2: Submit this request to a Certificate Authority and obtain signed certificate

To obtain a certificate from a third-party Certificate Authority, you are requested to complete an appropriate form on the authority's website. Usually, this is a paid service. Some additional paperwork may be required.

Step 3: Import the signed certificate to VisualSVN Server

In order to import the signed certificate, follow these steps:

  1. Start the VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Certificate tab and click the menu-tab Change Certificate.
  4. Click Complete certificate request.
  5. Specify the path to the file that contains the signed certificate. Click Next.
  6. Click the Finish button and Apply the changes.

The signed certificate will be imported and installed into the VisualSVN Server.

Importing an SSL certificate with private key

If you already have a certificate with the corresponding private key, follow these steps to import this certificate:

  1. Start the VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Certificate tab and click the menu-tab Change Certificate.
  4. Click Import certificate with private key.
  5. Click Browse and choose a certificate. Click Next.
  6. Click Finish and Apply.

The certificate with the private key will be installed in your VisualSVN Server.

Running VisualSVN Server with a self-signed SSL certificate

A self-signed certificate allows you to set up an encrypted connection to the server, but it is not trusted by Subversion clients and web browsers. If you are using a self-signed certificate, users will receive a warning message unless they manually accept the certificate based on its fingerprint. For example, the Subversion command-line client will display the following warning message:

Error validating server certificate for 'https://contoso.myserver.net:443':
- The certificate is not issued by a trusted authority. Use the
fingerprint to validate the certificate manually!
Certificate information:
- Hostname: contoso.myserver.net
- Valid: from Feb 12 09:09:16 2018 GMT until Feb 10 09:09:16 2028 GMT
- Issuer: contoso.myserver.net
- Fingerprint: A7:02:52:31:54:7E:51:B4:79:9E:2D:9C:04:7A:9B:F5:91:73:AF:CB
(R)eject, accept (t)emporarily or accept (p)ermanently?

Note that self-signed certificates are accepted on a per-user basis, so you should instruct users to manually accept the certificate based on the fingerprint / thumbprint.

It is also possible to export a self-signed certificate from VisualSVN Server and save this certificate in the trusted certificates list on all client computers.
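The fingerprint comparison described above, as an added example that is not part of the original article or VisualSVN's own code: it computes the fingerprint of a certificate file exported from the server and compares it with the value shown in the client warning. It assumes the client displays a SHA-1 digest of the certificate's DER encoding, consistent with the 20-byte value in the sample warning; all function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
FP_RE = re.compile(r"Fingerprint:\s*([0-9A-Fa-f:]+)")


def cert_der(data: bytes) -> bytes:
    """Return DER bytes from an exported certificate file (Base64/PEM or DER)."""
    m = PEM_RE.search(data.decode("latin-1"))
    if m:
        return base64.b64decode("".join(m.group(1).split()), validate=True)
    return data  # no PEM armour: treat the file as binary DER


def fingerprint(data: bytes, algo: str = "sha1") -> str:
    """Colon-separated upper-case digest of the certificate's DER encoding."""
    hexd = hashlib.new(algo, cert_der(data)).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def normalize(fp: str) -> str:
    """Drop separators and case so values copied from different tools compare."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def prompt_fingerprint(prompt: str) -> str:
    """Extract the Fingerprint value from the svn client's warning text."""
    m = FP_RE.search(prompt)
    if not m:
        raise ValueError("no Fingerprint line in client output")
    return m.group(1)


def safe_to_accept(prompt: str, exported_cert: bytes) -> bool:
    """True only if the prompt's fingerprint matches the exported certificate."""
    shown = normalize(prompt_fingerprint(prompt))
    algo = {40: "sha1", 64: "sha256"}.get(len(shown))  # pick digest by hex length
    if algo is None:
        return False
    return shown == normalize(fingerprint(exported_cert, algo))


# Constructed sample: arbitrary bytes in PEM armour, not a real certificate.
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_PROMPT = "- Fingerprint: " + fingerprint(SAMPLE_DER) + "\n(R)eject, ..."
```

The check is only meaningful when the exported certificate file reaches the user through a channel other than the connection being verified.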

Follow these steps if you want to generate a new self-signed certificate with the VisualSVN Server Manager console:

  1. Start the VisualSVN Server Manager console.
  2. Click Action | Properties.
  3. Click the Certificate tab and click the menu-tab Change Certificate.
  4. Click Create self-signed certificate.
  5. Enter the Common name and click Next.
  6. Enter the Distinguished Properties and click Next.
  7. Select which private key to use for the new certificate and click Create.
  8. Click Finish and Apply.

See also

KB208: Understanding the private key for the SSL certificate
KB195: Understanding TLS/SSL compatibility levels in VisualSVN Server
KB143: Troubleshooting delays when accessing VisualSVN Server over HTTPS
