Adobe Connect User Community

#1 2009-03-17 12:12:29

**_RobZ_**

Connect pro and self-signed certificate

Hello everybody.

I'm still new to CP7 but I saw that this group is really talented and willing to help so I thought of sharing a (newbie) question with you.

The docs, forum and the KBs are pretty clear when it comes to securing CP7 with x509 certificates and the fact that you DO NOT have to use a self-signed one; to get better acquainted with the product, I gave a TRIAL certificate from Verisign a try and it worked really well when I protected the Meeting Server (i.e., port 1935 -> 443).

When I received the trial certificate, I also received:

- an intermediate one which I had to merge into a single file along with the CP7 certificate
- a Trial Root CA from Verisign which *HAD* to be inserted into the browser of *EVERY* PC accessing CP7

I replicated a CP7 environment in a virtual environment which is NOT connected to the Internet and it worked really well; the thing which made me think is the fact that I did receive a Trial Root CA (which is signed by the Trial Root CA itself) and an x509 certificate (also signed by the Trial Root CA) which "mimics" a self-signed certificate, which CP7 is unwilling to use.

This is an excerpt from the Trial Root CA:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            20:a8:97:ae:db:82:02:de:c1:36:a0:4e:26:bd:87:73
        Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=For Test Purposes Only.  No assurances., CN=VeriSign Trial Secure Server Test Root CA
        Validity
            Not Before: Feb  9 00:00:00 2005 GMT
            Not After : Feb  8 23:59:59 2025 GMT
        Subject: C=US, O=VeriSign, Inc., OU=For Test Purposes Only.  No assurances., CN=VeriSign Trial Secure Server Test Root CA

This is the intermediate cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            63:b1:a5:cd:c5:9f:78:80:1d:a0:63:6c:f9:75:46:7b
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=For Test Purposes Only.  No assurances., CN=VeriSign Trial Secure Server Test Root CA
        Validity
            Not Before: Feb  9 00:00:00 2005 GMT
            Not After : Feb  8 23:59:59 2015 GMT
        Subject: C=US, O=VeriSign, Inc., OU=For Test Purposes Only.  No assurances., OU=Terms of use at https://www.verisign.com/cps/testca (c)05, CN=VeriSign Trial Secure Server Test CA

This is the TRIAL cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            72:14:9a:6d:15:f8:e4:6c:3f:65:b4:39:3b:40:c1:42
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=VeriSign, Inc., OU=For Test Purposes Only.  No assurances., OU=Terms of use at https://www.verisign.com/cps/testca (c)05, CN=VeriSign Trial Secure Server Test CA
        Validity
            Not Before: Mar 12 00:00:00 2009 GMT
            Not After : Mar 26 23:59:59 2009 GMT
        Subject: <SNIPPED>

With the above certs, everything worked fine; with a self-signed one, I had some errors and bad behaviour.

I had a look at the Java keystores embedded in CP7 and there is no sign of the Trial Root CA; due to the fact that my test environment is NOT connected to the Internet, I'm wondering how CP7 can tell a Trial Root CA from a self-signed one.

I'm not willing to go against the rules of CP7 but I'm curious about why it rejects self-signed ones.

Thanks,
Rob


#2 2009-04-16 23:37:23

**_nickc_**

Re: Connect pro and self-signed certificate

Flash is the client when you are in a Connect Pro meeting. When they build Flash they import public CA root certs, so they are shipped in Flash. If you create a self-signed cert, that root cert is not going to be recognized by Flash.

In order for Adobe to support self-signed certs, Flash users would need a way to import their own root certs on the fly (like you can in the browser). Now, you can actually reference the certs using a mms.cfg file, but it is not practical to have each user import their own root certs manually.

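An added illustration of the question raised in this thread (not part of the original posts, and not Connect Pro's or Flash's own logic): the Python sketch below chains the Issuer/Subject fields quoted in post #1 by name only, with no signature or validity checks, and reports whether the certificate at the top of the path is in a client's trust store. The `connect.example.test` certificate, the `excerpt` helper and all function names are constructed for this example.

```python
# Added example: name chaining only, no signature or validity-date checks.
ROOT = ("C=US, O=VeriSign, Inc., OU=For Test Purposes Only.  No assurances., "
        "CN=VeriSign Trial Secure Server Test Root CA")
INTER = ("C=US, O=VeriSign, Inc., OU=For Test Purposes Only.  No assurances., "
         "OU=Terms of use at https://www.verisign.com/cps/testca (c)05, "
         "CN=VeriSign Trial Secure Server Test CA")

def excerpt(issuer, subject):
    """Rebuild the Issuer/Subject lines of an `openssl x509 -text` dump."""
    return ("Certificate:\n    Data:\n"
            f"        Issuer: {issuer}\n        Subject: {subject}\n")

# Fields copied from post #1; the leaf Subject is snipped there and stays snipped.
TRIAL_ROOT = excerpt(ROOT, ROOT)
TRIAL_INTER = excerpt(ROOT, INTER)
TRIAL_LEAF = excerpt(INTER, "<SNIPPED>")
# Constructed sample: a self-signed server certificate (hypothetical name).
SELF_SIGNED = excerpt("CN=connect.example.test", "CN=connect.example.test")

def parse_names(text):
    """Extract Issuer and Subject DNs, collapsing runs of whitespace."""
    names = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and key in ("Issuer", "Subject"):
            names[key] = " ".join(value.split())
    return names

def build_path(leaf, pool):
    """Follow Issuer -> Subject links until a self-issued certificate is reached."""
    path = [leaf]
    while path[-1]["Issuer"] != path[-1]["Subject"]:
        parent = next((c for c in pool if c["Subject"] == path[-1]["Issuer"]), None)
        if parent is None or parent in path:   # missing intermediate, or a loop
            return path, False
        path.append(parent)
    return path, True

def evaluate(leaf_text, pool_texts, anchors):
    """Return (certs_in_path, trusted) for a client whose trust store is `anchors`."""
    path, complete = build_path(parse_names(leaf_text),
                                [parse_names(t) for t in pool_texts])
    return len(path), complete and path[-1]["Subject"] in anchors

TRIAL_ANCHOR = parse_names(TRIAL_ROOT)["Subject"]

if __name__ == "__main__":
    chain = [TRIAL_INTER, TRIAL_ROOT]
    print("trial chain, root not in store:", evaluate(TRIAL_LEAF, chain, set()))
    print("trial chain, root imported:    ", evaluate(TRIAL_LEAF, chain, {TRIAL_ANCHOR}))
    print("self-signed, root imported:    ", evaluate(SELF_SIGNED, [], {TRIAL_ANCHOR}))
```

Both paths end in a certificate whose Issuer equals its Subject; the only difference the sketch finds between them is whether that top certificate is present in the client's set of trust anchors.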

#3 2009-04-17 02:14:52

**_RobZ_**

Re: Connect pro and self-signed certificate

Hello.

Thanks for your reply.

The ability to refer to an X509 certificate from the mms.cfg file sounds promising; I've downloaded the Flash Player 10 Admin and Security guide but I did not find a way to actually "point" to an X509 cert from the file itself.

Could you shed some light, please?

Thanks,
Rob

