Install SSL Certificate - LiveAction Community

LiveAction, Inc. 3500 WEST BAYSHORE ROAD PALO ALTO, CA 94303 Install SSL Certificate CONFIGURATION LIVEACTION, INC.

Upload: doandien

Post on 12-Feb-2018


Copyright © 2016 LiveAction, Inc. All rights reserved. LiveAction, LiveNX, LiveUX, the LiveAction Logo and LiveAction Software are trademarks of LiveAction, Inc. Information subject to change without notice.


1-1 | Install SSL Certificate for the Web UI Client

Summary

Product and Version LiveNX 6.0

Affected Devices All-In-One

Document Name Install SSL Certificate

Updated Suzette Bana (June 2017)

We generate and install self-signed certificates the first time LiveNX is run. Secure Web Login to LiveNX is enabled by default in LiveNX 5.3.0. This document will guide you on how to generate a Certificate Signing Request (CSR) for the LiveNX Web UI Client.

Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).

A certificate authority will use a CSR to create your SSL certificate, but it does not need your private key. You need to keep your private key secret. The certificate created with a particular CSR will only work with the private key that was generated with it. So if you lose the private key, the certificate will no longer work.

How to get started?

1. Generate a Certificate Signing Request (CSR) or create a self-signed certificate.

2. Submit the CSR to a Certificate Authority (skip this step for a self-signed certificate).

3. Install the SSL certificate for the LiveNX Web UI Client.

If you have any questions about this guide, or need any assistance in general please contact LiveAction support: [email protected]


Generate a CSR and Private Key Using the OpenSSL Command

Step 1

Open a terminal. All the commands below can be executed as username “admin”, default password “changeme”.

Step 2

Execute the command:

openssl req -new -newkey rsa:2048 -nodes -out servername.csr -keyout servername.key

Fill in the form with your company information.


Step 3

Copy the CSR and key. To copy the files from the OVA, you can use an FTP client such as WinSCP or FileZilla. Log in using the default credentials (admin/changeme).

Step 5

Submit the CSR to a third-party Certificate Authority to get your certificate signed. Once the certificate is ready, proceed to Install SSL Certificate for the LiveNX Web UI Client.


Install SSL Certificate for LiveNX Web UI

LiveNX requires the files in .PEM format to install the SSL certificate. The required files are the following:

1. Public Certificate

2. Private Key

3. CA Certificate (Intermediate and/or Root) (optional for a self-signed certificate)

OpenSSL Commands to convert .crt to .PEM format:

openssl x509 -in star_liveaction_com.crt -out star_liveaction_com.pem -outform PEM

openssl x509 -in DigiCertCA.crt -out DigiCertCA.crt.pem -outform PEM

Step 1

1. Go to https://<AIO IP Address>:8443

2. Enter API Token, then click Login.

Set New API Token

If you don’t know the API Token, follow the instructions below.

1. Click API Token Setup

2. Set New Token below then click Update


If an API token already exists, open the terminal on the OVA to obtain it. Type the following command and copy the output:

cat /opt/jidoteki/tinyadmin/etc/api.token

In this example, your API token is “YourNewToken”:


Step 2

Click Settings > TLS Certificates.


Verify SSL Certificate Installed in the Browser


Install Certificate for LiveNX Backend Webserver

To access the LiveNX backend WebServer, go to: https://LiveNXServerIP:8092

You need this info:

• Keystore file: /data/livenx-server/data/http.keystore

• Alias: webserver

• Password: BmbdB3MyJujd5tGuoSfd

Note: The Friendly Name of the certificate should be “webserver”, otherwise you will get a Java error.

Step 1

Export your key, certificate and CA certificate into a PKCS12 bundle:

openssl pkcs12 -export -name webserver -in star_liveaction_com.crt -inkey star_liveaction_com.key -CAfile DigiCertCA.crt -out keystore2.p12

Note: Use the -chain option if you have a chain of intermediates and a root certificate.

openssl pkcs12 -export -name webserver -in star_liveaction_com.crt -inkey star_liveaction_com.key -chain -CAfile DigiCertCA.crt -out keystore2.p12

Step 2

Import the PKCS12 file into a new Java keystore:

keytool -importkeystore -srckeystore keystore2.p12 -destkeystore http.keystore -srcstoretype pkcs12 -deststoretype JKS -alias webserver -deststorepass BmbdB3MyJujd5tGuoSfd -destkeypass BmbdB3MyJujd5tGuoSfd

Note: To list the content of the keystore file use this command: keytool -list -v -keystore http.keystore

Step 3

Copy http.keystore to the data directory: cp http.keystore /data/livenx-server/data/

Note: To overwrite the http.keystore, you need to use root credentials.


Create a backup and reboot the OVA. Execute the following commands:

1. Type command: backup

2. Type [y] to perform a backup now.

3. Reboot the machine

4. Type command: sudo reboot now

Validate SSL Certificate installed in the browser:

Make sure that the entire parent cert path is installed; otherwise, the site won't show a green lock in Google Chrome. To check the cert path, do the following:


Troubleshooting SSL Certificate Errors

There are several problems that can occur when ordering, installing and using a certificate. Here are some common SSL certificate errors and how to fix them.

Why does the website say the SSL certificate is untrusted?

If a browser says that a certificate is untrusted it means that it isn't signed by a trusted root certificate or that it can't link the certificate to a trusted root certificate. If your certificate is signed by a major certificate authority then it just means one of the chain certificates in between yours and the root is not installed on the web server. You can view the certificate's chain or certification path by viewing the certificate details in Internet Explorer and clicking on the Certification Path tab.


Why does the secure part of the website say the name on the security certificate is invalid or does not match the name of the site?

This error indicates that the common name (domain name) in the SSL certificate doesn't match the address that is in the address bar of the browser. For example, if the certificate is for www.livenx.com and you access the site without the "www" (https://livenx.com), you will get this SSL certificate name error.
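Both errors described above can be checked from the command line before the files are uploaded. The following is an added example, not part of the original guide: the function names are illustrative, the arguments are your own PEM files and host name, and OpenSSL 1.1.0 or later is assumed for the -no-CApath option.

```shell
#!/bin/sh
# Added example, not LiveAction tooling: catch the "untrusted" and
# "name mismatch" errors before installing the certificate.

# chain_ok CERT CHAIN ROOT: succeed if CERT links to the trusted ROOT
# using the intermediates in CHAIN, which the server has to present.
chain_ok() {
    openssl verify -no-CApath -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# name_ok CERT HOST: succeed if HOST is covered by CERT. OpenSSL uses the
# subjectAltName DNS entries when present, otherwise the common name.
name_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# preinstall_check CERT CHAIN ROOT HOST: run both checks and report each.
preinstall_check() {
    rc=0
    if chain_ok "$1" "$2" "$3"; then
        echo "chain: $1 links to $3"
    else
        echo "chain: $1 does not link to $3; is an intermediate missing from $2?"
        rc=1
    fi
    if name_ok "$1" "$4"; then
        echo "name: $4 is covered"
    else
        echo "name: $4 is not covered by $1"
        rc=1
    fi
    return "$rc"
}

# Usage with the file names from this guide (root.pem is a placeholder for
# your CA's root certificate):
#   preinstall_check star_liveaction_com.pem DigiCertCA.crt.pem root.pem www.livenx.com
```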

Check Whether the Certificate Matches

Check whether a private key matches a certificate or whether a certificate matches a certificate signing request (CSR). When you are dealing with lots of different certificates it can be easy to lose track of which certificate goes with which private key or which CSR was used to generate which certificate.

openssl x509 -noout -modulus -in star_liveaction_com.pem | openssl md5

openssl rsa -noout -modulus -in star_liveaction_com.key | openssl md5

openssl req -noout -modulus -in star_liveaction_com.csr | openssl md5
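The modulus comparison above applies to RSA keys only. As an added example that is not part of the original guide, the shell functions below generalize the check to any key type by hashing the public key extracted from each file; the function names are illustrative and the private key is assumed to be unencrypted, as produced by the -nodes option used earlier.

```shell
#!/bin/sh
# Added example, not LiveAction tooling: compare the public key held by a
# certificate, a private key and a CSR, for RSA and non-RSA keys alike.

# pubkey_digest KIND FILE: print the SHA-256 of the PEM public key.
# KIND is cert, key or csr; FILE is a PEM file.
pubkey_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    # An empty result would otherwise hash to the same value for every file.
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_keypair KIND:FILE ...: succeed only if every file carries the same
# public key; name the first file that differs or cannot be parsed.
same_keypair() {
    ref=
    for item in "$@"; do
        digest=$(pubkey_digest "${item%%:*}" "${item#*:}") || {
            echo "unreadable: $item" >&2; return 2; }
        : "${ref:=$digest}"
        [ "$digest" = "$ref" ] || { echo "mismatch: $item" >&2; return 1; }
    done
    echo "match: $ref"
}

# Usage with the file names from this guide:
#   same_keypair cert:star_liveaction_com.pem key:star_liveaction_com.key \
#                csr:star_liveaction_com.csr
```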
