Copyright © 2016 LiveAction, Inc. All rights reserved. LiveAction, LiveNX, LiveUX, the LiveAction Logo and LiveAction Software are trademarks of LiveAction, Inc. Information subject to change without notice.
LiveAction, Inc. 3500 WEST BAYSHORE ROAD PALO ALTO, CA 94303
Install SSL Certificate
CONFIGURATION
LIVEACTION, INC.
1-1 | Install SSL Certificate for the Web UI Client
Summary
Product and Version: LiveNX 6.0
Affected Devices: All-In-One
Document Name: Install SSL Certificate
Updated: Suzette Bana (June 2017)
We generate and install self-signed certificates the first time LiveNX is run. Secure Web Login to LiveNX is enabled by default in LiveNX 5.3.0. This document will guide you on how to generate a Certificate Signing Request (CSR) for the LiveNX Web UI Client.
Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).
A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.
How to get started?
1. Generate a Certificate Signing Request (CSR) or create a Self-Signed Certificate.
2. Submit the CSR to a Certificate Authority (skip this step for a Self-Signed Certificate).
3. Install the SSL Certificate for the LiveNX Web UI Client.
If you have any questions about this guide, or need any assistance in general please contact LiveAction support: [email protected]
Generate a CSR and Private key using OpenSSL command.
Step 1
Open a terminal. All the commands below can be executed as username “admin”, default password “changeme”.
Step 2
Execute the command:
openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key
Fill in the form with your company information.
Step 3
Copy the CSR and key. To copy the files from the OVA, you can use an FTP client such as WinSCP or FileZilla. Log in using the default credentials (admin/changeme).
Step 5
Submit the CSR to a third-party Certificate Authority to get your certificate signed. Once the certificate is ready, proceed to Install SSL Certificate for the LiveNX Web UI Client.
Install SSL Certificate for LiveNX Web UI
LiveNX requires the files in .PEM format to install the SSL certificate successfully. The required files are the following:
1. Public Certificate
2. Private Key
3. CA Certificate (Intermediate and/or Root) (optional for a Self-Signed Certificate)
OpenSSL Commands to convert .crt to .PEM format:
openssl x509 -in star_liveaction_com.crt -out star_liveaction_com.pem -outform PEM
openssl x509 -in DigiCertCA.crt -out DigiCertCA.crt.pem -outform PEM
Step 1
1. Go to https://<AIO IP Address>:8443
2. Enter API Token, then click Login.
Set New API Token
If you don’t know the API Token, follow the instructions below.
1. Click API Token Setup
2. Set New Token below then click Update
If an API token already exists, open the terminal on the OVA to obtain the API token. Type the command:
cat /opt/jidoteki/tinyadmin/etc/api.token
and copy the output.
In this example, your API token is “YourNewToken”:
Step 2
Click Settings > TLS Certificates.
Verify SSL Certificate Installed in the Browser
Install Certificate for LiveNX Backend Webserver
To access the LiveNX backend WebServer, go to: https://LiveNXServerIP:8092
You need this info:
• Keystore file: /data/livenx-server/data/http.keystore
• Alias: webserver
• password: BmbdB3MyJujd5tGuoSfd
Note: Friendly Name of the certificate should be “webserver” otherwise you will get a java error.
Step 1
Export your key, certificate and CA certificate into a PKCS12 bundle:
openssl pkcs12 -export -name webserver -in star_liveaction_com.crt -inkey star_liveaction_com.key -CAfile DigiCertCA.crt -out keystore2.p12
Note: Use the -chain option if you have a chain of intermediate and root certificates.
openssl pkcs12 -export -name webserver -in star_liveaction_com.crt -inkey star_liveaction_com.key -chain -CAfile DigiCertCA.crt -out keystore2.p12
Step 2
Import the PKCS12 file into a new Java keystore:
keytool -importkeystore -srckeystore keystore2.p12 -destkeystore http.keystore -srcstoretype pkcs12 -deststoretype JKS -alias webserver -deststorepass BmbdB3MyJujd5tGuoSfd -destkeypass BmbdB3MyJujd5tGuoSfd
Note: To list the content of the keystore file use this command: keytool -list -v -keystore http.keystore
Step 3
Copy http.keystore to the data directory: cp http.keystore /data/livenx-server/data/
Note: To overwrite the http.keystore, you need to use root credentials.
Create a backup and reboot the OVA. Execute the following commands:
1. Type command: backup
2. Type [y] to perform a backup now.
3. Reboot the machine
4. Type command: sudo reboot now
Validate SSL Certificate installed in the browser:
Make sure that every certificate in the parent cert path is installed; otherwise, the site won't show a green lock in Google Chrome. To check the cert path, do the following:
Troubleshooting SSL Certificate Errors
There are several problems that can occur when ordering, installing and using a certificate. Here are some common SSL certificate errors and how to fix them.
Why does the website say the SSL certificate is untrusted?
If a browser says that a certificate is untrusted it means that it isn't signed by a trusted root certificate or that it can't link the certificate to a trusted root certificate. If your certificate is signed by a major certificate authority then it just means one of the chain certificates in between yours and the root is not installed on the web server. You can view the certificate's chain or certification path by viewing the certificate details in Internet Explorer and clicking on the Certification Path tab.
Why does the secure part of the website say the name on the security certificate is invalid or does not match the name of the site?
This error indicates that the common name (domain name) in the SSL certificate doesn't match the address that is in the address bar of the browser. For example, if the certificate is for www.livenx.com and you access the site without the "www" (https://livenx.com), you will get this SSL certificate name error.
Check Whether the Certificate Matches
Check whether a private key matches a certificate or whether a certificate matches a certificate signing request (CSR). When you are dealing with lots of different certificates, it can be easy to lose track of which certificate goes with which private key or which CSR was used to generate which certificate. Each command below prints an MD5 digest of the RSA modulus; the files belong together when the digests are identical.
openssl x509 -noout -modulus -in star_liveaction_com.pem | openssl md5
openssl rsa -noout -modulus -in star_liveaction_com.key | openssl md5
openssl req -noout -modulus -in star_liveaction_com.csr | openssl md5
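The same check as a script, added here as an example (not LiveAction's code): it compares SHA-256 digests of the whole public key instead of MD5 of the RSA modulus, so it goes beyond the commands above and also covers non-RSA keys. The function names, the placeholder subject livenx.example.test and the throwaway sample files are assumptions made for the demonstration, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example (not LiveAction's code). Assumes openssl on PATH and an
# unencrypted private key, as produced by "openssl req ... -nodes".

# Print the SHA-256 of the public key inside a certificate, key or CSR.
pub_fp() {  # pub_fp <cert|key|csr> <file>
  case "$1" in
    cert) pub=$(openssl x509 -noout -pubkey -in "$2" 2>/dev/null) ;;
    key)  pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) ;;
    csr)  pub=$(openssl req -noout -pubkey -in "$2" 2>/dev/null) ;;
    *)    false ;;
  esac || return 2
  # An unreadable file must fail here; hashing empty output would let two
  # broken inputs "match" each other.
  [ -n "$pub" ] || return 2
  printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 on match, 1 on mismatch, 2 if a file cannot be parsed.
check_match() {  # check_match <cert.pem> <key> [csr]
  c=$(pub_fp cert "$1") || { echo "cannot parse certificate: $1" >&2; return 2; }
  k=$(pub_fp key "$2")  || { echo "cannot parse private key: $2" >&2; return 2; }
  [ "$c" = "$k" ] || { echo "MISMATCH: key does not belong to certificate"; return 1; }
  if [ -n "${3:-}" ]; then
    r=$(pub_fp csr "$3") || { echo "cannot parse CSR: $3" >&2; return 2; }
    [ "$c" = "$r" ] || { echo "MISMATCH: CSR does not belong to certificate"; return 1; }
  fi
  echo "OK: public key sha256 $c"
}

# Constructed sample data: key A with its CSR and a self-signed certificate,
# plus an unrelated key B. The subject name is a placeholder.
make_samples() {  # make_samples <dir>
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=livenx.example.test" \
    -keyout "$1/a.key" -out "$1/a.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/a.csr" -signkey "$1/a.key" -days 1 \
    -out "$1/a.pem" 2>/dev/null &&
  openssl genrsa -out "$1/b.key" 2048 2>/dev/null
}

if [ $# -ge 2 ]; then
  check_match "$@"                                         # real files
else
  d=$(mktemp -d) && make_samples "$d" || exit 2            # demo run
  check_match "$d/a.pem" "$d/a.key" "$d/a.csr" || true     # matching set
  check_match "$d/a.pem" "$d/b.key" || true                # wrong key
  rm -rf "$d"
fi
```

Run it with the certificate, key and optionally the CSR as arguments before building the PKCS12 bundle; with no arguments it runs on the constructed samples.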