Topic closed
#1 2009-03-17 12:12:29
- **_RobZ_**
Connect pro and self-signed certificate
Hello everybody.
I'm still new to CP7 but I saw that this group is really talented and willing to help so I thought of sharing a (newbie) question with you.
The docs, forum and the KBs are pretty clear when it comes to securing CP7 with x509 certificates and the fact that you DO NOT have to use self-signed ones; so, to get better acquainted with the product, I gave a TRIAL certificate from Verisign a try and it worked really well when I protected the Meeting Server (i.e., port 1935 -> 443).
When I received the trial certificate, I also received:
- an intermediate one which I had to merge into a single file along with the CP7 certificate
- a Trial Root CA from Verisign which *HAD* to be inserted into the browser of *EVERY* PC accessing CP7
I replicated a CP7 environment in a virtual environment which is NOT connected to the Internet, and it worked really well; the thing that made me think is the fact that I did receive a Trial Root CA (which is signed by the Trial Root CA itself) and an x509 certificate (also signed by the Trial Root CA) which "mimics" a self-signed certificate CP7 is unwilling to use.
This is an excerpt from the Trial Root CA:
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
20:a8:97:ae:db:82:02:de:c1:36:a0:4e:26:bd:87:73
Signature Algorithm: md2WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=For Test Purposes Only. No assurances., CN=VeriSign Trial Secure Server Test Root CA
Validity
Not Before: Feb 9 00:00:00 2005 GMT
Not After : Feb 8 23:59:59 2025 GMT
Subject: C=US, O=VeriSign, Inc., OU=For Test Purposes Only. No assurances., CN=VeriSign Trial Secure Server Test Root CA
This is the intermediate cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
63:b1:a5:cd:c5:9f:78:80:1d:a0:63:6c:f9:75:46:7b
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=For Test Purposes Only. No assurances., CN=VeriSign Trial Secure Server Test Root CA
Validity
Not Before: Feb 9 00:00:00 2005 GMT
Not After : Feb 8 23:59:59 2015 GMT
Subject: C=US, O=VeriSign, Inc., OU=For Test Purposes Only. No assurances., OU=Terms of use at https://www.verisign.com/cps/testca (c)05, CN=VeriSign Trial Secure Server Test CA
This is the TRIAL cert:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
72:14:9a:6d:15:f8:e4:6c:3f:65:b4:39:3b:40:c1:42
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=For Test Purposes Only. No assurances., OU=Terms of use at https://www.verisign.com/cps/testca (c)05, CN=VeriSign Trial Secure Server Test CA
Validity
Not Before: Mar 12 00:00:00 2009 GMT
Not After : Mar 26 23:59:59 2009 GMT
Subject: <SNIPPED>
With the above certs, everything worked fine; with a self-signed one, I had some errors and bad behaviour.
I had a look at the Java keystores embedded in CP7 and there is no sign of the Trial Root CA; due to the fact that my test environment is NOT connected to the Internet, I'm wondering how CP7 can tell a Trial Root CA from a self-signed one.
I'm not willing to go against the rules of CP7, but I'm curious about why it rejects self-signed ones.
Thanks,
Rob
#2 2009-04-16 23:37:23
- **_nickc_**
Re: Connect pro and self-signed certificate
Flash is the client when you are in a Connect Pro meeting. When they build Flash they import public CA root certs, so they are shipped in Flash. If you create a self-signed cert, that root cert is not going to be recognized by Flash.
In order for Adobe to support self-signed certs, Flash users would need a way to import their own root certs on the fly (like you can in the browser). Now, you can actually reference the certs using a mms.cfg file, but it is not practical to have each user import their own root certs manually.
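Rob's question in #1 (how a verifier can tell the Trial Root CA from a self-signed certificate) and nickc's answer (the client ships a fixed set of root certs) both come down to whether the root that signed the chain is present in the verifier's trust store. The Go program below is an added example, not code from the thread or from Adobe: it builds a constructed root -> intermediate -> server chain plus a lone self-signed server certificate (all names made up) and verifies each against a store that contains the root and a store that does not.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent; parent == nil yields a self-signed
// certificate (issuer == subject), the shape a root CA and a lone self-signed server cert share.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, // constructed names
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, // every issuer in a chain must carry this
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// ChainResults reproduces the thread's cases: the root -> intermediate -> server chain with the
// root in the trust store, a self-signed server cert against that same store, and the chain
// against a store lacking the root (a client that never installed the Trial Root CA).
func ChainResults() (chainOK, selfSignedOK, noRootOK bool) {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	inter, interKey := mkCert("Test Intermediate CA", true, root, rootKey)
	server, _ := mkCert("connect.example.test", false, inter, interKey)
	selfSigned, _ := mkCert("connect.example.test", false, nil, nil)
	interPool, trusted := x509.NewCertPool(), x509.NewCertPool()
	interPool.AddCert(inter) // the intermediate the server presents alongside its own cert
	trusted.AddCert(root)    // the step the Trial Root CA install performed in every browser
	_, e1 := server.Verify(x509.VerifyOptions{Roots: trusted, Intermediates: interPool})
	_, e2 := selfSigned.Verify(x509.VerifyOptions{Roots: trusted})
	_, e3 := server.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: interPool})
	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	fmt.Println(ChainResults()) // true false false
}
```

The third case is the one that answers the offline question: a correctly chained certificate is rejected exactly like a self-signed one when its root is missing from the store, so the verifier needs no network, only the root list it ships with.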
#3 2009-04-17 02:14:52
- **_RobZ_**
Re: Connect pro and self-signed certificate
Hello.
Thanks for your reply.
The ability to refer to an X509 certificate from the mms.cfg file sounds promising; I've downloaded the Flash Player 10 Admin and Security guide but I did not find a way to actually "point" to an X509 cert from the file itself.
Could you shed some light, please?
Thanks,
Rob