Installing an SSL certificate for HTTPS access
Overview
The Verba Recording System comes with a preconfigured HTTPS port for web access, and HTTP access can be turned off.
To avoid HTTPS-related security warnings when your end users access the Verba web application, you need to install an SSL certificate.
Generating or purchasing the SSL certificate for your solution is a customer responsibility. Verba can only assist with installation of the certificate.
Steps
Here are the steps to import your SSL certificate (the steps below assume that you have installed the product in the default folder):
Have a .pfx or .p12 file instead of .crt and .key files? Scroll down for the conversion guide.
Step 1 - Copy the new .key and .crt files to the Verba Media Repository server.
Step 2 - Create a backup of C:\Program Files\Verba\tomcat\conf\server.xml
Step 3 - Open the server.xml file with an editor. The SSL configuration is around line 100 of the file and looks similar to the code examples below.
Step 4 - Depending on your VFC release version, edit the server.xml file as below:
<Connector SSLEnabled="true" port="443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    clientAuth="false" scheme="https" secure="true"
    SSLCertificateFile="c:\Verba.crt"
    SSLCertificateKeyFile="c:\Verba.key"
    SSLPassword="verba123456"
    SSLCipherSuite="RC4-MD5:RC4-SHA:AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA"
    SSLProtocol="SSLv3+TLSv1"
    URIEncoding="UTF-8" maxHttpHeaderSize="16384" />
a) Change the SSLCertificateFile="c:\Verba.crt" to the new .crt file
b) Change the SSLCertificateKeyFile="c:\Verba.key" to the new .key file
c) Change SSLPassword="verba123456" to the private key's password.
d) Optionally, add an SSLCertificateChainFile setting and specify the intermediate certificate file.
<Connector SSLEnabled="true" port="443"
    protocol="com.verba.util.tomcat.VerbaHttp11AprProtocol"
    clientAuth="false" scheme="https" secure="true"
    SSLCertificateFile="c:\Verba.crt"
    SSLCertificateKeyFile="c:\Verba.key"
    SSLPassword="Verba123456"
    SSLCipherSuite="RC4-MD5:RC4-SHA:AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA"
    SSLProtocol="SSLv3+TLSv1"
    URIEncoding="UTF-8" maxHttpHeaderSize="16384" />
a) Change the SSLCertificateFile="c:\Verba.crt" to the new .crt file
b) Change the SSLCertificateKeyFile="c:\Verba.key" to the new .key file
c) Change SSLPassword="Verba123456" to the private key's encrypted password.
d) Optionally, add an SSLCertificateChainFile setting and specify the intermediate certificate file.
<Connector SSLEnabled="true" port="443"
    protocol="com.verba.util.tomcat.VerbaHttp11Nio2Protocol"
    scheme="https" secure="true"
    URIEncoding="UTF-8" maxHttpHeaderSize="32768"
    relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;" >
  <SSLHostConfig
      ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
      honorCipherOrder="true"
      protocols="TLSv1.1,+TLSv1.2,+TLSv1.3" >
    <Certificate certificateFile="c:\Verba.crt"
        certificateKeyFile="c:\Verba.key"
        certificateKeyPassword="Verba123456" />
  </SSLHostConfig>
</Connector>
a) Change the certificateFile="c:\Verba.crt" to the new .crt file
b) Change the certificateKeyFile="c:\Verba.key" to the new .key file
c) Change certificateKeyPassword="Verba123456" to the private key's encrypted password.
d) Optionally, add a certificateChainFile setting and specify the intermediate certificate file.
Step 5 - Restart Verba Web Application Service
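A check that can be run against the edited server.xml before the restart, given here as an added example that is not part of the Verba documentation or product: it reports documentation sample values that are still in place and legacy protocol or cipher entries, for both connector layouts shown in Step 4. The sample XML, the made-up certificate paths and the weak-protocol and weak-cipher lists are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample: the legacy connector layout from Step 4, left unedited.
LEGACY = r'''<Server><Service name="Catalina">
<Connector SSLEnabled="true" port="443" scheme="https" secure="true"
  SSLCertificateFile="c:\Verba.crt" SSLCertificateKeyFile="c:\Verba.key"
  SSLPassword="verba123456" SSLProtocol="SSLv3+TLSv1"
  SSLCipherSuite="RC4-MD5:AES128-SHA:DES-CBC3-SHA" />
</Service></Server>'''
# Constructed sample: the SSLHostConfig layout after editing (made-up paths).
EDITED = r'''<Server><Service name="Catalina">
<Connector SSLEnabled="true" port="443" scheme="https" secure="true">
  <SSLHostConfig protocols="TLSv1.2,+TLSv1.3"
      ciphers="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256">
    <Certificate certificateFile="c:\certs\recorder.crt"
        certificateKeyFile="c:\certs\recorder.key"
        certificateKeyPassword="ENCRYPTED-PLACEHOLDER" />
  </SSLHostConfig>
</Connector></Service></Server>'''

# Assumption of this example: what counts as a legacy protocol or cipher.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP")
# Sample values shown in the documentation's connector snippets (lower-cased).
DOC_SAMPLE_VALUES = {r"c:\verba.crt", r"c:\verba.key", "verba123456"}

def audit_server_xml(xml_text):
    """Return (port, finding) tuples for every SSL-enabled Connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port")
        host = conn.find("SSLHostConfig")
        if host is not None:   # newer layout: settings live in child elements
            protocols, ciphers = host.get("protocols", ""), host.get("ciphers", "")
            cert = host.find("Certificate")
            values = list(cert.attrib.values()) if cert is not None else []
        else:                  # legacy layout: settings are Connector attributes
            protocols, ciphers = conn.get("SSLProtocol", ""), conn.get("SSLCipherSuite", "")
            values = [v for k, v in conn.attrib.items() if k.startswith("SSL")]
        findings += [(port, "weak protocol " + p)
                     for p in re.split(r"[,+\s]+", protocols) if p in WEAK_PROTOCOLS]
        findings += [(port, "weak cipher " + c) for c in ciphers.split(":")
                     if any(m in c for m in WEAK_CIPHER_MARKERS)]
        findings += [(port, "documentation sample value still set: " + v)
                     for v in values if v.lower() in DOC_SAMPLE_VALUES]
    return findings
if __name__ == "__main__":
    print(audit_server_xml(LEGACY), audit_server_xml(EDITED))
```

To check a real file, pass the contents of the backed-up or edited server.xml to audit_server_xml instead of the constructed samples.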
Creating .key and .crt files from .p12 or .pfx file
Step 1 - Download OpenSSL from here: https://indy.fulgan.com/SSL/openssl-1.0.2q-i386-win32.zip
Step 2 - Extract the downloaded .zip file and start the openssl.exe
Step 3 - Execute the following commands:
pkcs12 -in yourP12File.p12 -nocerts -out privateKey.pem
pkcs12 -in yourP12File.p12 -clcerts -nokeys -out publicCert.pem

pkcs12 -in yourPfxFile.pfx -nocerts -out privateKey.pem
pkcs12 -in yourPfxFile.pfx -out publicCert.pem
x509 -inform pem -in publicCert.pem -pubkey -out publicCert.pem -outform pem
When it asks for a password, enter the password of the certificate.
Step 4 - Change the file extension of the created privateKey.pem to .key and of publicCert.pem to .crt
Encrypt the private key's password
AVAILABLE IN 9.6.17 AND LATER
In the webserver's configuration file the private key's password is stored in an encrypted form. During the software installation, the installer handles the password encryption. However, if the private key's password is changed without upgrading the system, the following process can be used to encrypt the password.
Step 1 - Open a command prompt on the Verba Media Repository server and execute the following command:
> "C:\Program Files\Verba\bin\pwenc.exe" -t=tomcatssl PRIVATE_KEY_PASSWORD
Step 2 - Copy the output and insert it in the server.xml file as the SSLPassword attribute value, as above.