Attention: Here be dragons
This is the latest (unstable) version of this documentation, which may document features not available in or compatible with released stable versions of Godot.
TLS/SSL certificates
Introduction
It is often desirable to use TLS connections (also known as SSL) for communications, to avoid "man in the middle" attacks. Godot has a connection wrapper, StreamPeerTLS, which can take a regular connection and add security around it. The HTTPClient and HTTPRequest classes also support HTTPS using this same wrapper.
Godot will try to use the TLS certificate bundle provided by the operating system, but also includes the TLS certificate bundle from Mozilla as a fallback.
You can alternatively force your own certificate bundle in the Project Settings:
Setting the TLS certificate bundle override project setting
When set, this file overrides the operating system provided bundle by default. This file should contain any number of public certificates in PEM format.
There are two ways to obtain certificates:
Generate a self-signed certificate
For most use cases, it's recommended to go through a certificate authority, as the process is free with certificate authorities such as Let's Encrypt. However, if using a certificate authority is not an option, then you can generate a self-signed certificate and tell the client to consider your self-signed certificate as trusted.
To create a self-signed certificate, generate a private and public key pair and add the public key (in PEM format) to the CRT file specified in the Project Settings.
Warning
The private key should only go to your server. The client must not have access to it: otherwise, the security of the certificate will be compromised.
Warning
When specifying a self-signed certificate as the TLS bundle in the project settings, normal domain name validation is enforced via the certificate CN and alternative names. See TLSOptions to customize domain name validation.
For development purposes Godot can generate self-signed certificates via Crypto.generate_self_signed_certificate.
Alternatively, OpenSSL has some documentation about generating keys and certificates.
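The development workflow described above, as an added example that is not part of the Godot documentation: it generates a key and self-signed certificate with Crypto, then has a client trust only that certificate through TLSOptions while host name validation stays on. The file paths, the issuer string, and the host name `localhost` are assumptions chosen for illustration.

```gdscript
# Added example, not from the Godot documentation.
# Assumed for illustration: the two user:// paths and the "localhost" host name.
extends Node

const KEY_PATH := "user://dev_server.key"   # server only, never shipped with the client
const CERT_PATH := "user://dev_server.crt"  # public certificate, the only file a client needs


# Development-time step: create the key pair and the self-signed certificate.
func generate_dev_certificate() -> Error:
	var crypto := Crypto.new()
	var key := crypto.generate_rsa(4096)
	# The CN must match the host name the client connects to,
	# because domain name validation stays enabled on the client.
	var cert := crypto.generate_self_signed_certificate(
			key, "CN=localhost,O=Example Dev,C=US")
	var err := key.save(KEY_PATH)
	if err != OK:
		return err
	return cert.save(CERT_PATH)


# Client side: trust only the self-signed certificate for this request.
func request_with_trusted_certificate(url: String) -> Error:
	var cert := X509Certificate.new()
	var err := cert.load(CERT_PATH)
	if err != OK:
		return err
	var http := HTTPRequest.new()
	add_child(http)
	# TLSOptions.client() keeps certificate and host name checks on,
	# using `cert` as the trusted chain instead of the default bundle.
	http.set_tls_options(TLSOptions.client(cert))
	http.request_completed.connect(_on_request_completed)
	return http.request(url)


func _on_request_completed(result: int, code: int,
		_headers: PackedStringArray, _body: PackedByteArray) -> void:
	if result == HTTPRequest.RESULT_TLS_HANDSHAKE_ERROR:
		push_error("TLS handshake failed: certificate or host name not accepted")
	else:
		print("result=%d http=%d" % [result, code])
```

Both files are written to `user://` here only because the example runs server and client steps on one development machine; in a deployment the `.key` file stays on the server and only the `.crt` is distributed.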