The other day, I wrote about setting up stunnel for Adobe Connect. When I did the SSL setup for the client I was working with on that occasion, we also had to get the SSL certificate created. The Adobe Connect installation of the client is entirely internal and not used outside their organisation. The way they deal with SSL certificates in similar scenarios is not to buy certificates from an external certificate vendor such as Verisign or TrustCenter, instead they operate their own internal Certificate Authority.
How would one get an SSL certificate for Adobe Connect in such a setup?
I thought it’s probably worthwhile to briefly describe the process involved with getting this done:
- First, create a so-called Certificate Signing Request (CSR).
- The CSR would have to be handed over to the internal Certificate Authority (CA) together with proof of identity, server ownership or whatever else the organisation’s process prescribes.
- The CA would then issue a digital certificate ready for installation.
Sounds (and actually is) quite straightforward. Here’s how it looks from a technical point of view.
Creating a CSR
There are plenty of options for doing this. Adobe Connect only runs on Windows Server environments and I’m not sure if you could create a CSR with built-in Windows tools such as IIS or similar, but I’ve chosen to go with my tool of choice for such a task from the Linux/OS X world – OpenSSL (keytool from the JVM that ships with Adobe Connect’s Tomcat would work as an alternative).
The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.
OpenSSL is available in a variety of different packages for multiple operating systems. If you just want to “get it done” for the purpose of your Adobe Connect setup, the easiest way is to grab the binaries from Shining Light Productions. Make sure you grab the latest version (the “light” packages are well suited for our purpose) and the binaries for your server’s architecture (32-/64-bit); in some instances you might also have to install the Visual C++ 2008 Redistributable.
After you’ve installed OpenSSL, you can use the openssl binary to create your Certificate Signing Request:
openssl req -config "c:\OpenSSL-Win64\bin\openssl.cfg" -new -newkey rsa:2048 -nodes -out yourcsrfile.csr -keyout yourprivatekey.key -subj "/C=NZ/ST=/L=MyCity/O=MyOrganisation/OU=MyDepartment/CN=MyServerCommonName"
Some remarks in regards to this command:
- The default installation of OpenSSL on Windows looks for its config file in a typical *nix location under /usr/… In Windows, this obviously doesn’t work. Luckily a default configuration file ships with the package, you just need to point openssl at it: -config “c:\OpenSSL-Win64\bin\openssl.cfg” (adjust the path if you installed the 32-bit build).
- With -out yourcsrfile.csr -keyout yourprivatekey.key you specify the file names for the Certificate Signing Request and for your private key. -nodes writes the private key unencrypted (no passphrase), which is what a service that has to start unattended needs; in return, restrict who can read that file and treat it like a password.
- The part -subj “/C=NZ/ST=/L=MyCity/O=MyOrganisation/OU=MyDepartment/CN=MyServerCommonName” defines the subject of the CSR. It’s a string comprising information about you and your server; the CN must be the exact host name your users type into their browser to reach Adobe Connect, otherwise they will get a certificate warning. Ask the manager of your internal CA what exactly they want you to provide here (and whether they add a subjectAltName with the host name, which current browsers require). My example string is just a guideline: the country is set to New Zealand, the state is empty (we don’t have states in NZ; OpenSSL simply skips an empty attribute) and everything else has some very obvious placeholder values.
From here: send the created .csr file to your internal CA and keep the .key file to yourself. The CA never needs the private key, and it should not leave the server.
If everything goes well, the CA will (after checking and validating your information) return a .cer file to you. The timeframe varies between organisations.
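As an added example (not from the original post), here is the CSR step from above wrapped in a few shell functions that also do the checks worth running before the request is handed to the CA: that the CSR’s self-signature verifies, that the CSR was really built from the private key you are keeping, and that -nodes left that key unencrypted. It assumes openssl is on the PATH of a POSIX shell (on Windows the same openssl commands work from the OpenSSL-Win64\bin directory, with the -config switch from the post added); the host name and organisation values are placeholders.

```shell
#!/bin/sh
# Added example: create the key and CSR as in the post, then check both before
# submitting the CSR. Assumes openssl on PATH. On a POSIX system openssl finds
# its own config, so the -config switch from the Windows command is not needed.
# Subject values are placeholders (assumed host name, not from the post).
set -e

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/yourprivatekey.key"
CSR="$WORK/yourcsrfile.csr"

# Same request as in the post: fresh 2048-bit RSA key, written unencrypted
# (-nodes); the empty ST attribute is skipped by openssl with a warning.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$KEY" -out "$CSR" \
        -subj "/C=NZ/ST=/L=MyCity/O=MyOrganisation/OU=MyDepartment/CN=connect.example.internal"
}

# Print the subject exactly as the CA will see it, to confirm before submitting.
csr_subject() {
    openssl req -in "$CSR" -noout -subject
}

# A CSR is signed with the private key it was made from; -verify checks that
# signature, so a corrupted or tampered request is caught here.
csr_verifies() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Confirm the CSR really belongs to this key: the RSA modulus must be identical.
# Hashing the modulus just keeps the comparison short.
key_matches_csr() {
    k=$(openssl rsa -in "$KEY" -noout -modulus | openssl sha256)
    c=$(openssl req -in "$CSR" -noout -modulus | openssl sha256)
    [ "$k" = "$c" ]
}

# -nodes means no passphrase: an encrypted PEM key would say ENCRYPTED in its
# header. Knowing this is what tells you to lock down the file's permissions.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$KEY"
}

make_csr
csr_subject
chmod 600 "$KEY"   # nobody but the service account should be able to read it
```

The modulus comparison is the same check you will want again later, when the certificate comes back from the CA: a certificate whose public key does not match the private key on the server is useless, however valid it looks.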
What to do with the certificate?
This is where it can get tricky if you’ve never dealt with Adobe Connect and SSL before, because certificates can come in different flavours. Adobe Connect wants you to provide your private key from the CSR as well as the certificate in so called PEM format. If you got the certificate in a different format, you have to convert it to PEM.
It’s quite easy to tell whether you have a PEM certificate or not. Just open it in a text editor. If it begins with -----BEGIN CERTIFICATE-----, ends with -----END CERTIFICATE----- and the part in between is readable (PEM is base64-encoded ASCII, not binary), it is in PEM format. If it all looks crazily scrambled and, well, like binary code, then it is most likely DER and you have to convert it. (A .p7b file, which Windows-based CAs like to hand out, is a PKCS#7 bundle rather than a bare certificate and needs the certificate extracted from it first.)
Openssl is your friend again:
openssl x509 -inform DER -outform PEM -in yourcertificate.cer -out yourcertificate.cer.pem
This will convert your certificate from DER into PEM format and should give you everything you need to get Adobe Connect up and running according to the instructions provided by Adobe. Before you install it, open the PEM file once more and check that the subject and the validity dates are what you asked for.
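The following is an added example (not from the original post) that does the format detection and conversion from the last two paragraphs mechanically instead of by eye, and then runs the one check that matters before installation: that the returned certificate carries the public key of your private key. It assumes openssl on the PATH of a POSIX shell. Because no internal CA is at hand, a self-signed certificate generated inline stands in for the CA-issued .cer, and it is also written out as a DER file and as a PKCS#7 .p7b, the two shapes a CA typically returns; all names are placeholders.

```shell
#!/bin/sh
# Added example: tell PEM from DER, convert DER or PKCS#7 to PEM, and confirm
# the certificate matches the private key. Assumes openssl on PATH. The
# self-signed certificate below is a constructed stand-in for the CA's .cer.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Stand-in for the CA: self-signed cert plus key (placeholder subject).
make_stand_in_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/yourprivatekey.key" -out "$WORK/issued.pem" \
        -subj "/C=NZ/O=MyOrganisation/CN=connect.example.internal" 2>/dev/null
    # What a CA often hands back: the same cert as binary DER (.cer) ...
    openssl x509 -in "$WORK/issued.pem" -outform DER -out "$WORK/yourcertificate.cer"
    # ... or wrapped in a DER PKCS#7 bundle (.p7b), as Windows CAs like to do.
    openssl crl2pkcs7 -nocrl -certfile "$WORK/issued.pem" \
        -outform DER -out "$WORK/yourcertificate.p7b"
}

# PEM is base64 text framed by "-----BEGIN ...-----". DER is raw ASN.1 and a
# certificate (or PKCS#7 bundle) always starts with the SEQUENCE tag 0x30.
# Prints one of: pem, der, unknown.
detect_format() {
    first=$(dd if="$1" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der
    elif grep -q -- '-----BEGIN' "$1"; then
        echo pem
    else
        echo unknown
    fi
}

# Turn whatever the CA returned ($1) into a PEM certificate file ($2).
to_pem() {
    case "$(detect_format "$1")" in
        pem)
            if grep -q 'BEGIN PKCS7' "$1"; then
                openssl pkcs7 -in "$1" -print_certs -out "$2"
            else
                cp "$1" "$2"
            fi ;;
        der)
            # Same command as in the post; if it fails, the DER blob is a
            # PKCS#7 bundle, so unpack the certificates from it instead.
            # (-print_certs adds subject/issuer text lines, which OpenSSL-based
            # readers ignore.)
            openssl x509 -inform DER -in "$1" -out "$2" 2>/dev/null \
              || openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" ;;
        *)  echo "unrecognised format: $1" >&2; return 1 ;;
    esac
}

# The certificate ($1) must carry the public key of the private key ($2):
# compare the RSA moduli, hashed only to keep the strings short.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus | openssl sha256)
    k=$(openssl rsa -in "$2" -noout -modulus | openssl sha256)
    [ "$c" = "$k" ]
}

make_stand_in_cert
to_pem "$WORK/yourcertificate.cer" "$WORK/yourcertificate.cer.pem"
openssl x509 -in "$WORK/yourcertificate.cer.pem" -noout -subject -dates
```

The final line prints the subject and validity dates of the converted certificate, which is the last thing to eyeball before the file goes into the Adobe Connect configuration.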
Again, the two files you need are your private key and your certificate in PEM format: