Web Pages

 

There are two basic ways to enable SSL on your ISL Conference Proxy server:

  • using a purchased certificate (obviously you need to pay for it, wildcard certificates are usually more expensive than standard certificates)
  • using a self-signed certificate (no purchase necessary, but your visitors will get a warning that the certificate is signed by an unknown CA)

Please decide which option you prefer and then refer to the appropriate section below for instructions.

Note: With the release of ISL Conference Proxy 4.4.1747.56, the SSL library used by ISL Conference Proxy has been updated to version 1.0.2o.


Using a purchased certificate

Part 1 - general information

If you use ISL Light, ISL AlwaysOn, ISL Groop, but not ISL Pronto, then you need a standard certificate.

If you intend to use ISL Pronto, you will need a wildcard certificate (e.g. *.isl.example.com) - a wildcard certificate is usually more expensive.

Please follow your certificate provider's Apache(-SSL) HTTPD instructions, as they are the most similar to ISL Conference Proxy.

Examples:

https://www.thawte.com/ssl-digital-certificates/technical-support/keygen/

https://www.digicert.com/csr-creation.htm

OpenSSL for Windows can be found here:

http://www.slproweb.com/products/Win32OpenSSL.html


Part 2 - preparing certificate files

Having followed the instructions in the first part, you will have received a signed certificate from your provider.

ISL Conference Proxy requires SSL certificate files to be in the PEM format, so you might need to convert your files appropriately before proceeding. Please refer to your certificate provider's instructions.

Please save the SSL certificate in PEM format as web-cert.pem. You can check if it is ok through the following OpenSSL command - it should print your certificate info such as issuer, validity etc.:

openssl x509 -inform pem -in web-cert.pem -noout -text

Please save your private key in PEM format as web-key.pem. You can check if it is ok through the following OpenSSL command - it should print RSA key ok:

openssl rsa -inform pem -in web-key.pem -noout -check


Important: This command will ask you to enter the appropriate passphrase if you set one when exporting your private key. It is considered best practice to always protect your private keys with a passphrase.


In order to avoid potential issues, especially when renewing a certificate and replacing the existing one, it is recommended to check the modulus of your private key and your SSL certificate, just to make sure they match. The output of the following two commands should be the same (Modulus=...):

openssl x509 -inform pem -in web-cert.pem -noout -modulus

openssl rsa -inform pem -in web-key.pem -noout -modulus


Important: This command will ask you to enter the appropriate passphrase if you set one when exporting your private key. It is considered best practice to always protect your private keys with a passphrase.
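The modulus comparison above only applies to RSA keys. The following added example (not part of the original article and not ISL Online code) compares the public keys instead, which also works for EC keys, distinguishes a mismatch from an unreadable file, and warns when the certificate is close to expiry. The function names, the KEY_PASSIN variable and the constructed sample files a.key, b.key and a.pem are assumptions of this example.

```shell
# Added example (not ISL Online code): pre-upload checks for web-cert.pem / web-key.pem.
# Public key (PEM) embedded in a certificate; non-zero status if unreadable.
cert_pubkey() {
    openssl x509 -inform pem -in "$1" -noout -pubkey 2>/dev/null
}

# Public key (PEM) derived from a private key of any type (RSA, EC, ...).
# KEY_PASSIN is an assumed variable, e.g. KEY_PASSIN=file:/root/key.pass;
# when unset, openssl itself asks for the passphrase of an encrypted key.
key_pubkey() {
    if [ -n "$KEY_PASSIN" ]; then
        openssl pkey -in "$1" -passin "$KEY_PASSIN" -pubout 2>/dev/null
    else
        openssl pkey -in "$1" -pubout 2>/dev/null
    fi
}

# 0 = key belongs to the certificate, 1 = mismatch, 2 = unreadable file.
check_pair() {
    c=$(cert_pubkey "$1") || return 2
    k=$(key_pubkey "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate is still valid N days from now (default 30).
check_validity() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Constructed sample: a 10-day certificate for a.key plus an unrelated b.key.
make_sample() {
    ( umask 077    # key files are created owner-only, with no chmod window
      openssl genrsa -out "$1/a.key" 2048 2>/dev/null
      openssl genrsa -out "$1/b.key" 2048 2>/dev/null
      openssl req -new -x509 -subj "/CN=*.isl.example.com" \
          -key "$1/a.key" -days 10 -out "$1/a.pem" 2>/dev/null )
}

# Usage: sh check-pair.sh web-cert.pem web-key.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"; rc=$?
    case $rc in
        0) echo "OK: key matches certificate" ;;
        1) echo "MISMATCH: wrong key for this certificate" ;;
        *) echo "ERROR: cannot read certificate or key" ;;
    esac
    check_validity "$1" || echo "WARNING: expires within 30 days"
    exit "$rc"
fi
```

Run it against the renewed files before uploading them in Part 3; a non-zero exit status means the pair should not be uploaded.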

If your certificate provider requires you to use one or more intermediate certificates, it will be mentioned in your certificate provider's instructions. In that case please save the appropriate intermediate certificate file in PEM format as web-intermediate.pem. If such a file is not required by your certificate provider, you can skip this step.


Part 3 - uploading certificate files to ISL Conference Proxy

The easiest way to put all the required files to ISL Conference Proxy is to upload them to the private file storage by following these steps:

  1. Login to your ISL Conference Proxy administration (http://localhost:7615/conf).
  2. Go to Configuration -> Advanced -> File storage -> Private.
  3. Click Choose..., select the private key file web-key.pem and click Upload.
  4. Click Choose..., select the SSL certificate file web-cert.pem and click Upload.
  5. If you need to use an intermediate certificate, click Choose..., select the intermediate certificate file web-intermediate.pem and click Upload.
  6. Your uploaded files will be shown in the list below - upload complete.

Now you are ready to enable SSL for web pages served by ISL Conference Proxy.


Part 4 - enabling SSL for web pages

  1. Login to your ISL Conference Proxy administration (http://localhost:7615/conf).
  2. Go to Configuration -> General.
  3. Uncheck the checkbox in front of HTTPT SSL certificate and change the setting to point to the appropriate uploaded file: objects/web-cert.pem
  4. Uncheck the checkbox in front of HTTPT SSL key and change the setting to point to the appropriate uploaded file: objects/web-key.pem
  5. If you need to use an intermediate certificate, uncheck the checkbox in front of HTTPT SSL certificate chain and change the setting to point to the appropriate uploaded file: objects/web-intermediate.pem
  6. Click Save to apply the settings you changed so far.
  7. If you protected your private key with a passphrase, click the change link next to the HTTPT SSL key passphrase and enter the appropriate passphrase.
  8. Uncheck the checkbox in front of HTTPT use SSL and change the setting to Yes.
  9. Click Save to apply these settings.
  10. Go to Configuration -> Security.
  11. Verify that the setting Redirect HTTP to HTTPS for all user web pages is set to Yes.

Now you can open https://serveraddress/ (replace serveraddress with the appropriate DNS name of your server) and test. The page should load successfully and your web browser should indicate that the connection is secure.

Default protocol and cipher suite settings should be a good starting point and in case you have no specific requirements you should leave them at their default values. If needed, you can adjust them - please refer to ISL Conference Proxy configuration best practices (point 7).


Using a self-signed certificate

The easiest way to generate a self-signed certificate is to use the OpenSSL executable that is already present in the ISL Conference Proxy install directory. This example is for Linux; adjust accordingly for Windows.

Important: You need to perform these commands as root.

cd /var/confproxy

openssl genrsa 2048 > main.key

openssl req -new -x509 -subj "/CN=*.isl.example.com" -key main.key -days 9999 > main.cert

chmod 600 main.key

chmod 600 main.cert

chown islcp:islcp main.key

chown islcp:islcp main.cert

Important: chown is needed in ICP 4.1 and newer, as ICP drops root privileges since the ICP 4.1.0 release. In earlier versions (ICP 4.0, ICP 3.x) you should not chown, as the islcp user does not exist.

After that, go to ISL Conference Proxy administration (http://localhost:7615/conf) and select Configuration -> General. Change the HTTPT use SSL option to Yes and click Save.

Redirecting HTTP to HTTPS for all user web pages is turned on by default.

Default protocol and cipher suite settings should be a good starting point and in case you have no specific requirements you should leave them at their default values. If needed, you can adjust them - please refer to ISL Conference Proxy configuration best practices (point 7).

Now you can open https://serveraddress/ (replace serveraddress with the appropriate DNS name of your server) and test.

Important: A self-signed certificate is not suitable for production use since website visitors will be presented with a warning about an untrusted certificate.
