Feb 09 2010 
Support Center » Knowledgebase » Web browsers display a security certificate error when accessing the Enterprise TV Web Admin
 Web browsers display a security certificate error when accessing the Enterprise TV Web Admin - SnapStream Knowledgebase
Solution

DESCRIPTION:

When using the HTTPS version of the web admin, users may see a Security Certificate Error warning before login. This is a side effect of the implementation of SSL security in the web admin, because web browsers using SSL will look for a security certificate which includes information about your network.

Follow these instructions to create a valid security certificate for use with the Enterprise TV Web Admin. Creating a certificate will prevent the appearance of security certificate errors when using the Web Admin.

Note: These instructions have placeholder values, such as YOURMACHINENAMEHERE, that you will need to replace with correct information. Contact your network administrator or SnapStream Support if you unsure of what values to use.


ARTICLE:



1. Install OpenSSL. Open a web browser and navigate to: http://www.slproweb.com/products/Win32OpenSSL.html This site provides applications for open-source implementation of SSL encryption. Download the latest version of Win32 OpenSSL Light. (0.9.8 as of 2/08). Install it to the directory C:\OpenSSL.



2. Generate a Certificate Request. This step will create a Certificate Signing Request (CSR), which will be used to request a valid security certificate.



  • Go to Start=>Run and enter "cmd" to open a command-line prompt. Type
    cd c:\openssl\bin
    and hit Enter.


  • Enter the following command:
    openssl genrsa -out YOURMACHINENAMEHERE.key 1024
    and hit Enter. This will generate a private key, which will be used to create a certificate request.


  • Enter the following command:
    openssl req -new -key YOURMACHINENAMEHERE.key -out YOURMACHINENAMEHERE.csr
    and hit Enter.


  • You will then receive a series of prompts for information that will be used to generate the CSR. Fill in the values as they are correct for your organization. A sample with notes is provided below. User-provided information is in italics.

    Country Name (2 letter code) [AU]: US

    State or Province Name (full name) [Some-State]:TX

    Locality Name (eg, city) []:Houston

    Organization Name (eg, company) [Internet Widgits Pty Ltd]:YOUR COMPANY NAME

    Organizational Unit Name (eg, section) []:

    Common Name (eg, YOUR name) []:YOUR-MACHINE-NAME (Note: This is the name that will be used when connected to your SnapStream Enterprise TV Server’s Web Admin. You can choose a fully qualified name (computername.yourcompany.com) or an internal-only name (computername) depending on your needs. Users who plan to allow connections to the Web Admin from outside their internal network (i.e. over the Internet) should use a fully qualified name.)

    Email Address []:administrator-email@yourdomain.com

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:     (Note: Do not lose this password)

    An optional company name []: YOUR COMPANY NAME


  • After this process is complete, a file called YOURMACHINENAMEHERE.csr will appear in the directory C:\OpenSSL\bin.



3. Request a certificate. If your organization has a network administrator, you may need or want to ask them for help with this. Inform your admin that you need an SSL certificate for your Enterprise TV's Web Server and that you have created a CSR file. Provide them with the file YOURMACHINENAMEHERE.csr generated above.

If you will be purchasing a certificate yourself, you can choose from a number of vendors.

As an example, SnapStream has tested with a certificate from GoDaddy.com (Approximatly $20 yearly). Their support is for most newer browsers (IE 6 & 7 on XP SP2 and above, FireFox 1.5 and 2). If you will be using with older computers or older browsers, you should ensure that the certificate will work with them.

Depending on the vendor you choose, you will be asked for your "Certificate Request" which will be the full text from the YOURMACHINENAMEHERE.csr file you made above. If you chose a fully qualified domain name, the registrar will check your "whois" record to ensure you can request the certificate. If you chose an internal only name, the registrar will probably ask to confirm that the certificate will only be for use internally before issuing it. The process may take a day or two.



4. Create a certificate file. This step will use the security certificate to generate a certificate file that can be used be Enterprise TV.



  • After you have your certificate, download it to your Enterprise TV Server in the c:\openssl\bin directory.


  • Go to Start=>Run and type “cmd” to open a command-line prompt. Type
    cd\ c:\openssl\bin
    and hit Enter.


  • Enter the following command:
    C:\OpenSSL\bin>openssl pkcs12 -export -out YOURMACHINENAMEHERE.pfx -in YOURMACHINENAMEHERE.crt -inkey YOURMACHINENAMEHERE.key -name "YOURMACHINENAMEHERE"


  • You see the following prompts:
    Enter Export Password: [leave this blank]
    Verifying - Enter Export Password: [leave this blank]


  • A file called YOURMACHINENAMEHERE.pfx will now appear in C:\OpenSSL\bin.



5.Install the certificate file. This step will allow the Enterprise TV Web Admin to establish a certified SSL connection.



  • Shut down all Enterprise TV services.


  • In Windows Explorer, navigate to
    C:\Documents and Settings\All Users\Application Data\SnapStream\Beyond TV


  • Rename cert.pfx to cert.pfx.old


  • Copy
    C:\OpenSSL\bin\YOURMACHINENAMEHERE.pfx
    to
    C:\Documents and Settings\All Users\Application Data\SnapStream\Beyond TV


  • Rename YOURMACHINENAMEHERE.pfx to cert.pfx


  • Start Enterprise TV.




6. Finished. Open a web browser on a different machine and access
https://YOURMACHINENAMEHERE:8129 You should see a "lock” icon in your browser. You should not see any error messages.



7. Notes.



  • If your certificate expires, your users will start seeing errors that they aren't used to. Make sure to add a reminder to renew your certificate before it expires (after whatever period you chose when you set it up).


  • Back up YOURMACHINENAMEHERE.pfx to somewhere very safe.


  • Back up C:\OpenSSL\bin\YOURMACHINENAMEHERE.* to an external location. For security reasons, these files should then be removed the the Enterprise TV Server. Only the cert.pfx file in the Application Data folder should be left on the server.


Also, sometimes you will have to enforce FIPS Certified Cryptography in order to access the Web Admin. Usually this applies to government agencies, they require adhering to a strict set of guidelines, especially when it comes to security. This provides the ability for you to enforce that only cryptographic algorithms that have been FIPS 140-1 certified can be used.
We strongly advise for you to contact your System Administrator before attempting to make this change

On Windows XP and higher this switch is settable via Windows security settings or the registry. To enable the setting in the Windows Security settings, you should set the "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" security option to enabled.



In the registry, you can toggle this switch on by setting the DWORD FIPSAlgorithmPolicy under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa to be equal to 1.

More information about FIPS Certified Cryptography can be found here.

Article Details
Article ID: 1504
Created On: Feb 18 2008
 Back
Untitled Document
 Login [Lost Password] 
Email:
Password:
Remember Me:
 
 Article Options
 Add Comment
 Print Article
 PDF Version
 Email Article
 Add to Favorites
 Search