#1 2008-09-22 13:33:31

**_mondrillo_**

Connect Pro and SSL

Hi, I'm implementing SSL a Connect Pro install in the same Server with incrusted database. We have a SSL certificated for all *.FQDN.

Have to be a FQDN for the HTTP and RTMP, even there are the same host?
Have to be  a SSL Certificated for 2 services, even there are the same host?

Thank's and regards.

**_michael_**

Re: Connect Pro and SSL

The answer is yes to both.  The HTTP(s) and RTMP(s) servers both require an IP/FQDN, and make sure you configure your RTMP sequencing correctly to ensure successful connections.  Use a tool such as Wireshark or a port-blocker to test how Connect fails over to available ports/protocols.

**_mondrillo_**

Re: Connect Pro and SSL

wilcard certfificates are valid? In the documentation say abaout PEM certificates.

**_michael_**

Re: Connect Pro and SSL

We use a wildcard cert for our deployments.  We do offload SSL to other hardware though.

**_mondrillo_**

Re: Connect Pro and SSL

I've trouble to understand wich cert is need it, by connect. And the doc are so confused. Do not mach manual and Adaptor.xml file in the breeze dir.

I Have the files by globalsign:
            ca.crt
            root.crt
            server.crt
            server.csr
            server.key
            server.key_cifer
            server.pem

In de Adaptor.xml I've put as say in the Chapter 4. of the Manual of 7Pro.
<Edge name="applicationserver">
<SSLServerCtx>
<SSLCertificateFile>c:\breeze\server.pem</SSLCertificateFile>
<SSLCertificateKeyFile type="PEM">c:\breeze\server.key</SSLCertificateKeyFile>
<SSLPassPhrase></SSLPassPhrase>
<SSLCipherSuite>ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH</SSLCipherSuite>
<SSLSessionTimeout>5</SSLSessionTimeout>
</SSLServerCtx>
</Edge>

And add in the HostPort directive

<HostPort name="applicationserver" ctl_channel=":19351">xxx.xxx.xxx.xxx:-443</HostPort>

The SSCertificateFile is the certificate file to send to client and has to begin something as -----BEGIN CERTIFICATE-----

And the SSLCertificateKeyFile is in format PEM and has to begin something as -----BEGIN RSA PRIVATE KEY-----

I've read that have to put 2key's in the some file.

Any help would be apreciated. Thanks and regards

**_spie_34_**

Re: Connect Pro and SSL

SOLUTION: You will need OpenSSL for this. You can download it from www.openssl.org .

1. After you have installed OpenSSL, doubleclick openssl.exe to enter the command prompt of OpenSSL
2. run genrsa

**_mondrillo_**

Re: Connect Pro and SSL

Try the steps you comment, have told me that I could not have Adobe Connect within GlobalSing as a Certificate Authority. Does anyone know where you can verify this fact?

**_spie_34_**

Re: Connect Pro and SSL

Who told you that Global Sign wouldn't work? If they don't work google for another CA and use that one. Use verisign then.

**_Breakology_**

Re: Connect Pro and SSL

I read through some of the posts about needing two IP's and two certs to enable SSL, its not necessary.
If you are using the application and meeting server on the same host, you only need the one cert. Take the server.crt file and copy your private key into it above the certificate, then rename that file to sever.pem. Place that into you root directory (/breeze) then modify the 3 .xml files in accordance with the adobe ssl guide.  The only change I made that isn't necessary, is that I made a second copy of the serve.pem file and placed it in a separate location for the meeting server.
One note here, self signed certs will not work.

**_RaRa77_**

Re: Connect Pro and SSL

I was following these instructions and ran into an Intermediate certificate expiration issue.  I talked to Adobe and they sent me this solution, in case anybody else runs into this problem:

SOLUTION:
Add the intermediate certificate provided by your certificate authority provider to the SSL certificate pem files specified in the C:\breeze\comserv\win32\conf\_defaultRoot_\adaptor.xml settings.
 
When pasting these two certificates within the same pem file the order of these certificates does matter.  The signed server certificate has to be pasted first and then the intermediate certificate should be pasted below the signed server certificate.  Be careful when pasting these certificates into the file as extra spaces or dashes can cause problems with the certificate file. Once you make the changes restart Flash Communication services and the Breeze Application service.
Below is an example of what the pem file should look like
(The lines with the % sign below are comment lines for your clarification and do not need to be included to your file.):
%CA Server Certificate:
-----BEGIN CERTIFICATE-----
MIIEATCCAumgAwIBAgICAPQwDQYJKoZIhvcNAQEFBQAwgaMxJjAkBgNVBAMTHU1h
Y3JvbWVkaWEgQnJlZXplIEVuZ2luZWVyaW5nMQswCQYDVQQGEwJVUzETMBEGA1UE
CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEXMBUGA1UEChMO
bWFjcm9tZWRpYS5jb20xJjAkBgkqhkiG9w0BCQEWF2N0ZW5uYW50QG1hY3JvbWVk
aWEuY29tMB4XDTA2MDYxMTExMjQwMVoXDTA3MDYxMTExMjQwMVowbTELMAkGA1UE
BhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFzAVBgNVBAoTDm1hY3JvbWVkaWEu
Y29tMRMwEQYDVQQLEwpCcmVlemUgRW5nMRswGQYDVQQDExJkYXYubWFjcm9tZWRp
YS5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAzoO/SJk/uT2cZo/wJozVeMF/
S+KoWE9zvKSEYxOaFlwNrYTwyaLfjERi7kePe4mKzy/ZwsRJ4o1k5+5SfbJJXwID
AQABo4IBOjCCATYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUPRgci9DRZBtDEV1royCt
Y8L7fxEwgdgGA1UdIwSB0DCBzYAU8y+CLsO1wHiYTnwFeowQao7R/TChgamkgaYw
gaMxJjAkBgNVBAMTHU1hY3JvbWVkaWEgQnJlZXplIEVuZ2luZWVyaW5nMQswCQYD
VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5j
aXNjbzEXMBUGA1UEChMObWFjcm9tZWRpYS5jb20xJjAkBgkqhkiG9w0BCQEWF2N0
ZW5uYW50QG1hY3JvbWVkaWEuY29tggkA+npI6SAhxWUwLwYJYIZIAYb4QgEEBCIW
IGh0dHA6Ly90ZXN0LmVuYW5nLmNvbS9jYS1jcmwucGVtMA0GCSqGSIb3DQEBBQUA
A4IBAQCjjCTzurkbz2OtXWLPZ3Q8G1pqDfsfZ9MbtPw2peGSsmGnwKhlFlIwQz5N
sbdckkYb8y0Dmg2DJ5sIG8NG8MO65ykZnlCAXEjmzRE8RS6EkOMz7HG6zA5IqwbK
Nd8ZF9H5/SRihAglIdE35pTmCEJDYVQzHE7t7frItOk9SyPwLrAFoEJfLRs42H0s
ez7nbPwYQZ7/R8T6bOaf7+1bHJXN07hQAem4hIiEiep5KuZilVl0ZJfiWwOIq56t
7oq0n+k6JQ3eP2bLT3rf7QvlIyiygbZfPCbWmHOVkMSefIPqEbfjZKNoijuPXZrP
3MbzUEBFHe4CiRpJ6j/zwPlYAj2+
-----END CERTIFICATE-----
%CA Intermediate Certificate:
-----BEGIN CERTIFICATE-----
MIIDgzCCAuygAwIBAgIQJUuKhThCzONY+MXdriJupDANBgkqhkiG9w0BAQUFADBf
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsT
LkNsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkw
HhcNOTcwNDE3MDAwMDAwWhcNMTExMDI0MjM1OTU5WjCBujEfMB0GA1UEChMWVmVy
aVNpZ24gVHJ1c3QgTmV0d29yazEXMBUGA1UECxMOVmVyaVNpZ24sIEluYy4xMzAx
BgNVBAsTKlZlcmlTaWduIEludGVybmF0aW9uYWwgU2VydmVyIENBIC0gQ2xhc3Mg
MzFJMEcGA1UECxNAd3d3LnZlcmlzaWduLmNvbS9DUFMgSW5jb3JwLmJ5IFJlZi4g
TElBQklMSVRZIExURC4oYyk5NyBWZXJpU2lnbjCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA2IKA6NYZAn0fhRg5JaJlK+G/1AXTvOY2O6rwTGxbtueqPHNFVbLx
veqXQu2aNAoV1Klc9UAl3dkHwTKydWzEyruj/lYncUOqY/UwPpMo5frxCTvzt01O
OfdcSVq4wR3Tsor+cDCVQsv+K1GLWjw6+SJPkLICp1OcTzTnqwSye28CAwEAAaOB
4zCB4DAPBgNVHRMECDAGAQH/AgEAMEQGA1UdIAQ9MDswOQYLYIZIAYb4RQEHAQEw
KjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQUzA0BgNV
HSUELTArBggrBgEFBQcDAQYIKwYBBQUHAwIGCWCGSAGG+EIEAQYKYIZIAYb4RQEI
ATALBgNVHQ8EBAMCAQYwEQYJYIZIAYb4QgEBBAQDAgEGMDEGA1UdHwQqMCgwJqAk
oCKGIGh0dHA6Ly9jcmwudmVyaXNpZ24uY29tL3BjYTMuY3JsMA0GCSqGSIb3DQEB
BQUAA4GBAAgB7ORolANC8XPxI6I63unx2sZUxCM+hurPajozq+qcBBQHNgYL+Yhv
1RPuKSvD5HKNRO3RrCAJLeH24RkFOLA9D59/+J4C3IYChmFOJl9en5IeDCSk9dBw
E88mw0M9SR2egi5SX7w+xmYpAY5Okiy8RnUDgqxz6dl+C2fvVFIa
-----END CERTIFICATE-----

**_luxem_**

Re: Connect Pro and SSL

Can anyone confirm that wildcard (*.domain.com) certificates will work with Connect?

**_connectguy_**

Re: Connect Pro and SSL

Yes.  You can use wildcard certs with Connect. 
You simply point to the same cert twice if securing the meeting and the webApp.

**_dfrankovic_**

Re: Connect Pro and SSL

Hi All I have a problem I have created certificate with Global Sign and Verisign and I get errors.
With Global sign i get :
Failed to load private key : error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long
and with VeriSign i get:
Failed to load private key : error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch

Both errors are visible in edge.00.log

any suggestions?

**_connectguy_**

Re: Connect Pro and SSL

Are you copying and pasting with wordpad? 
Make sure you use notepad when working with the pems.

**_seo4ssl_**

Re: Connect Pro and SSL

Wildcard SSL Certificate is the best option of secure your domain & multi sub domain.
HTTPS:// sign of secure website & HTTP:// sites aren't secure sites.Wildcard supported HTTP(s) and RTMP(s) servers.

_______________________
RapidSSL Certificate
GeoTrust SSL Certificate

**_annysmith001_**

Re: Connect Pro and SSL

I agree with seo4ssl for using wildcard SSL certificate if you are looking to secure your website with sub domains.

Last edited by **_annysmith001_** (2011-07-01 05:28:52)

**_renewssl_**

Re: Connect Pro and SSL

Absolutely true..Wildcard certificates is the best option when you need to secure multiple sub domains.

Last edited by **_renewssl_** (2011-11-07 04:55:13)

**_rapidsslonline_**

Re: Connect Pro and SSL

WildCard SSL Certificate is one of the best option to secure multiple and unlimited host names but which one is cost effective WildCard SSL solutions?

From my point of view that RapidSSL WildCard SSL Certificate is one of the best and cost effective solution which is contain the sames features and product specifications which GeoTrust True BusinessID WildCard has.

**_kentroberts_**

Re: Connect Pro and SSL

Hi..

Yes the great option is Wildcard SSL Certificate its secures Unlimited sub domains on a single Domain Name.

True BusinessID Wildcard is the easy, affordable solution. True BusinessID Wildcard is an ideal solution if you need to secure multiple fully qualified domains that share the same base domain name and reside on the same physical server and share the same second level domain name.

thanks..