Using a trusted TLS certificate

Installing a trusted TLS certificate in Web Radio Control

TLS certificates (or SSL certificates) are part of the communication between a web browser and a server, and they verify that the connection from the web browser to the server is reliable (i.e. the server is the one it claims to be) and that the communication to the server is encrypted. Web browsers only trust certificates that are obtained from trusted sources, so it is useful to obtain such a certificate to avoid connection problems and security warnings in browsers.

Using a trusted certificate makes remote operation smoother, especially on club stations shared by multiple operators, because remote operators (i.e. users) do not need to install a separate certificate in their web browsers.

An alternative to trusted TLS certificates is the use of a so-called self-signed certificate, which is slightly more complicated for remote station operators/users, but still sufficient in terms of security.

The main difference is that a trusted TLS certificate is usually paid and must be obtained from a trusted service. A self-signed TLS certificate can be created directly in the Web Radio Control setup user interface, but each remote station operator/user must install the self-signed TLS certificate in their web browsers so that the browser does not display security warnings. In addition, when using Apple’s Safari browsers - both on computers and mobile devices - it is mandatory to install the self-signed certificate.

Instructions for using a self-signed TLS certificate:

Obtaining a trusted TLS certificate

There are several services that provide trusted TLS certificates for a fee. For example, ZeroSSL is a service that provides unlimited 3-month free certificates for a small annual fee. 12-month certificates are also available, but they are limited or must be paid for separately. No-IP service, which is mainly used to obtain dynamic DNS domain names, also offers similar free certificates.

In order to obtain a trusted certificate, the ownership of the domain name (e.g. club.ddns.net) must be proven somehow, and in practice it requires an email address (e.g. webmaster@club.ddns.net) to be redirected to some email address you own. For example, the No-IP service offers this feature.

Completely free, trusted TLS certificates are also provided by, for example, Let’s Encrypt, but it does not offer the above-mentioned possibility to verify domain ownership by email. Instead, the requirement is to keep the Web Radio Control HTTP server on the default ports 80 or 443, which are blocked in almost all consumer Internet connections. Another option offered by Let’s Encrypt to prove domain ownership is to have the appropriate DNS records in the domain information, but then it is often necessary to own a completely separate domain name (e.g. club.net) so that its DNS records can be managed in a suitable way. It is possible to use Let’s Encrypt certificates with Web Radio Control, but obtaining a certificate there is technically more demanding and is not discussed in more detail here.

Obtaining TLS certificates thus has its own challenges and at the moment the simplest, albeit paid, services for obtaining TLS certificates are ZeroSSL and No-IP. There are other similar services, although they are not covered here.

Packaging TLS certificate files for Web Radio Control

The installation of a trusted TLS certificate, obtained for example from ZeroSSL, in Web Radio Control is done as follows:

TLS certificates are usually provided in 2 or 3 files: a "key file" (with .key extension) and 1 or 2 certificate files (with .crt extension). All of them are text files in a special Base64 format, so they can be edited with text editors, such as Windows Notepad.

a) If there are only 2 files, it is enough to rename the file with the .crt extension as wrc.crt and the file with the .key extension as wrc.key.

Package these two files, wrc.crt and wrc.key, in a ZIP file. The name of the package file does not matter.

b) If there are 3 files, the .crt files must be "combined", i.e. the contents must be copied one after the other (with a line break in between) so that the actual certificate (often named certificate.crt) comes first and then the second "intermediate certificate" or "bundle" (sometimes named ca_bundle.crt) comes after it. These two .crt files are thus copied one after the other to a file named wrc.crt with a text editor. It is important to copy the certificates in the correct order!

Rename the "key file" (with .key extension) to wrc.key.

Package these two files, wrc.crt and wrc.key, in a ZIP file. The name of the package file does not matter.
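The packaging steps above, as an added Python example (not part of Web Radio Control or its documentation): it joins the certificate and the bundle in the required order, checks that each certificate's issuer matches the subject of the certificate that follows it, and builds the ZIP in memory. The function names and the issuer/subject order check are assumptions of this example; only the file names wrc.crt and wrc.key come from the page.

```python
import base64, io, re, zipfile

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def read_tlv(buf, pos):
    """Read one DER element header at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)      # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                   # optional explicit [0] version field
        pos = end
    fields = []
    for _field in range(5):           # serial, sigAlg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def build_wrc_zip(cert_pem, key_pem, bundle_pem=""):
    """Combine certificate + bundle (in that order) and return ZIP bytes for import."""
    chain = pem_blocks(cert_pem) + pem_blocks(bundle_pem)
    if not chain or any(label != "CERTIFICATE" for label, _ in chain):
        raise ValueError("certificate files must contain only CERTIFICATE blocks")
    if not any(label.endswith("PRIVATE KEY") for label, _ in pem_blocks(key_pem)):
        raise ValueError("key file contains no PRIVATE KEY block")
    names = [issuer_subject(der) for _, der in chain]
    for (issuer, _), (_, next_subject) in zip(names, names[1:]):
        if issuer != next_subject:    # byte-wise comparison of the encoded names
            raise ValueError("wrong order: each certificate must be followed by its issuer")
    wrc_crt = "\n".join(p.strip() for p in (cert_pem, bundle_pem) if p.strip()) + "\n"
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("wrc.crt", wrc_crt)   # leaf certificate first, then the bundle
        z.writestr("wrc.key", key_pem)
    return out.getvalue()
```

Pass the text of certificate.crt, the .key file and (if present) ca_bundle.crt to `build_wrc_zip` and write the returned bytes to a .zip file. The ZIP contains the private key, so store it only where the key itself may be stored and delete it after the import.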

Installing TLS certificate files packaged in a ZIP file in Web Radio Control

The ZIP file containing the certificate files can be installed in Web Radio Control’s user interface in the Settings > Backup/Restore section, in the Import new TLS certificate section.

  • Check the box "This certificate was created outside Web Radio Control and it is trusted by browsers."

    • This indicates that the certificate to be installed has been obtained from a source that web browsers already trust.

  • Click "Select certificate file (ZIP)…" and find the ZIP file you created

  • Click "Import" and the user interface will report whether the certificate installation was successful

After installing the certificate, restart the Web Radio Control software in the Settings > System section by clicking the Restart WRC server button.

After restarting, this new certificate is in use. You can verify this by checking that the web browser no longer displays security warnings when you open the Web Radio Control user interface in the browser.