Installing an SSL certificate for HTTPS access

Overview

The Verba Recording System comes with a preconfigured HTTPS port for web access and HTTP access can be turned off.

In order to avoid HTTPS related security warnings when your end-users access the Verba web application you need to install an SSL certificate.

Generating or purchasing the SSL certificate for your solution is a customer responsibility. Verba can only assist with installation of the certificate.

Steps

Here are the steps to import your SSL certificate (the steps below assume that you have installed the product in the default folder):

Having .pfx or .p12 file instead of .crt and .key files? Scroll down for the conversion guide.

Step 1 - Copy the new .key and .crt files to the Verba Media Repository server.

Step 2 - Create a backup of C:\Program Files\Verba\tomcat\conf\server.xml

Step 3 - Open the server.xml file with an editor. The SSL configuration is around line 100 of the file and looks similar to the code examples below.

Step 4 - Depending on your VFC release version, edit the server.xml file as below:

server.xml for VFC versions 9.6.16 and earlier
<Connector
 SSLEnabled="true"
 port="443"
 protocol="org.apache.coyote.http11.Http11AprProtocol"
 clientAuth="false"
 scheme="https"
 secure="true"
 SSLCertificateFile="c:\Verba.crt"
 SSLCertificateKeyFile="c:\Verba.key"
 SSLPassword="verba123456"
 SSLCipherSuite="RC4-MD5:RC4-SHA:AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA"
 SSLProtocol="SSLv3+TLSv1"
 URIEncoding="UTF-8"
 maxHttpHeaderSize="16384"
 />

a) Change the SSLCertificateFile="c:\Verba.crt" to the new .crt file

b) Change the SSLCertificateKeyFile="c:\Verba.key" to the new .key file

c) Change SSLPassword="verba123456" to the private key's password.

d) Optionally, add an SSLCertificateChainFile setting and specify the intermediate certificate file.

server.xml for VFC versions 9.6.17 - 9.8.2
<Connector
 SSLEnabled="true"
 port="443"
 protocol="com.verba.util.tomcat.VerbaHttp11AprProtocol"
 clientAuth="false"
 scheme="https"
 secure="true"
 SSLCertificateFile="c:\Verba.crt"
 SSLCertificateKeyFile="c:\Verba.key"
 SSLPassword="Verba123456"
 SSLCipherSuite="RC4-MD5:RC4-SHA:AES128-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA:DHE-DSS-DES-CBC3-SHA"
 SSLProtocol="SSLv3+TLSv1"
 URIEncoding="UTF-8"
 maxHttpHeaderSize="16384"
 />

a) Change the SSLCertificateFile="c:\Verba.crt" to the new .crt file

b) Change the SSLCertificateKeyFile="c:\Verba.key" to the new .key file

c) Change SSLPassword="Verba123456" to the private key's 4389398225.

d) Optionally, add an SSLCertificateChainFile setting and specify the intermediate certificate file.

server.xml for VFC versions 9.8.3 and later
<Connector
    SSLEnabled="true"
    port="443"
    protocol="com.verba.util.tomcat.VerbaHttp11Nio2Protocol"
    scheme="https"
    secure="true"
    URIEncoding="UTF-8"
    maxHttpHeaderSize="32768"
    relaxedQueryChars="[]|{}^\`"<>"
>
    <SSLHostConfig
        ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
        honorCipherOrder="true"        
        protocols="TLSv1.1,+TLSv1.2,+TLSv1.3"
    >
        <Certificate
            certificateFile="c:\Verba.crt"
            certificateKeyFile="c:\Verba.key"
            certificateKeyPassword="Verba123456"
        />
    </SSLHostConfig>
</Connector>

a) Change the certificateFile="c:\Verba.crt" to the new .crt file

b) Change the certificateKeyFile="c:\Verba.key" to the new .key file

c) Change certificateKeyPassword="Verba123456" to the private key's 4389398225.

d) Optionally, add an certificateChainFile setting and specify the intermediate certificate file.

Step 5 - Restart Verba Web Application Service

Creating .key and .crt files from .p12 or .pfx file

Step 1 - Download the OpenSSL from here: https://indy.fulgan.com/SSL/openssl-1.0.2q-i386-win32.zip

Step 2 - Extract the downloaded .zip file and start the openssl.exe

Step 3 - Execute the following commands:

For .p12 files
pkcs12 -in yourP12File.p12 -nocerts -out privateKey.pem
pkcs12 -in yourP12File.p12 -clcerts -nokeys -out publicCert.pem
For .pfx files
pkcs12 -in yourPfxFile.pfx -nocerts -out privateKey.pem
pkcs12 -in yourPfxFile.pfx -out publicCert.pem
x509 -inform pem -in publicCert.pem -pubkey -out publicCert.pem -outform pem

When it asks for a password enter the password of the certificate

 Step 4 - Change the created privateKey.pem to .key and publicCert.pem to .crt


Encrypt the private key's password 

AVAILABLE IN 9.6.17 AND LATER 

In the webserver's configuration file the private key's password is stored in an encrypted form. During the software installation, the installer handles the password encryption. However, if the private key's password is changed without upgrading the system, the following process can be used to encrypt the password.

 Step 1 - Open a command prompt in the Verba Media Repository server and execute the following command

> "C:\Program Files\Verba\bin\pwenc.exe" -t=tomcatssl PRIVATE_KEY_PASSWORD

Step 2 - Copy the output result and insert it in the server.xml file as SSLPassword attribute value like above