Creating an authorized SSL certificate for MeetingSphere Meeting Center Server
MeetingSphere Meeting Center Server requires an authorized SSL certificate by which its Meeting center is identified and its traffic is encrypted. This document provides a step-by-step guide for creating such a certificate with Java Keytool. For your Meeting center, a simple non-wildcard SSL certificate will do. Any type of SSL certificate expires after a specific period and must then be reissued.

A. Create a private keystore

Execute the following steps on a computer with Sun (Oracle) Java Development Kit 1.5 or higher. This could be your MeetingSphere Meeting Center Server, which requires Sun (Oracle) JDK 1.8 in any case.

1. Call Keytool

Execute the following command from the command-line prompt:

keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore domainname.kdb

For domainname.kdb substitute your domain name. In the example this is example.com.kdb. If Java is installed correctly (Linux path variable: $JAVA_HOME/bin, Windows path variable: %JAVA_HOME%\bin) you do not have to specify a path. If required, change directory to the Java directory which contains the program keytool.

[Screenshot: Keytool: Creating a keystore file]

2. Keystore password

When prompted, specify the password for your keystore (example: changeit). Write this down! You require this password when deploying the keystore in the Meeting Center Server console.

2017 MeetingSphere December 2017 page 2
3. (Sub)domain name

When asked "What is your first and last name?", specify the (sub)domain name by which your Meeting center is registered in the DNS. For a simple non-wildcard certificate you have to specify the full domain name (here example.com). If, however, the hostname registered in the DNS results in a URL like https://meetingsphere.example.com, specify meetingsphere.example.com (everything after https://). In this case, use meetingsphere.example.com also as the file name of your keystore! Be aware that every combination of characters to the left of the domain name and separated by a dot constitutes a subdomain: www.example.com is a subdomain of example.com and is not covered by a simple certificate for example.com. Any discrepancy between the (sub)domain name in the keystore and the actual address of your Meeting center will cause security alerts in the users' browsers!

4. Organizational unit / Organization

Specify the name of your department and the complete legal name of your organization. In the example these are Meeting Management and Example Inc. You may also specify your organization name for Organizational unit. Note that the characters allowed for this and the following information are restricted. The characters ! @ # $ % ^ ( ) ~ ? > < & / \ , . " ' are illegal.

5. City, state and country

In the example these are Hamburg (city), Hamburg (state) and DE for Germany. The country is specified by its 2-letter country code according to ISO 3166-1 alpha-2, which is also used by e.g. NATO. Examples: DE, GB, FR, ES, US, JP.

6. Verify your specification

keytool will display your specification for confirmation. If correct, confirm with yes.

7. Password for <tomcat>

keytool prompts you again for a password. Press Enter to confirm the password given above.

8. Creation and backup of the keystore file

On confirmation of the password for <tomcat>, the specified keystore file (in the example example.com.kdb) is created and stored in the directory from which keytool was called. Create a backup of the keystore file.
B. Certificate signing request (CSR)

9. Call Keytool

From the command prompt, call keytool:

keytool -certreq -alias tomcat -keystore domainname.kdb -file domainname.csr

Substitute the file name you specified in step 1 above (e.g. example.com.kdb) for domainname.kdb. Use that name also for the signing-request file; in our example domainname.csr should read example.com.csr. When prompted, give the password of the keystore (here: changeit).

[Screenshot: Keytool: Creating a signing request]

Create another backup of the keystore, as step 9 may lead to different results if repeated.

10. Getting the domain and the SSL root certificate

With your web browser go to the homepage of your SSL provider (certificate authority). Follow its instructions for creating an SSL certificate. Typically, you will be asked to upload the CSR file (in our example example.com.csr) from the directory from which you called keytool. Alternatively, you may be asked to open the CSR file in an editor and paste its content into an input box. At the end of this procedure you will receive (by download or email) a certificate for your domain and an SSL root certificate of the certificate authority.

C. Finalize the keystore

To finalize the keystore, you must copy the received certificates to the directory from which you called keytool and where the keystore (in our example example.com.kdb) and the signing request (in our example example.com.csr) reside. Before importing the certificates, create a backup of these files, e.g. example.com.kdb.bak. The following description presupposes two certificates, i.e. the root certificate and the domain certificate. Should your SSL provider supply more than two certificates, follow the directions given by your SSL provider. However, make sure that the alias given for your certificate in steps 1 and 9 is tomcat.

11. Import the root certificate into the keystore

Call keytool again:

keytool -import -trustcacerts -keystore domainname.kdb -alias root -file root.cer
where
- domainname.kdb is your keystore file (in our example example.com.kdb)
- root.cer is the certificate of your certificate authority

[Screenshot: Keytool: Import of the root certificate into the keystore]

When prompted, give the password as specified in step 1 (example: changeit). Possibly you will be informed that the root certificate is already included in the system-wide keystore. In any case, confirm with yes! You want to add the root certificate to your specific SSL keystore! Note: simple confirmation with Enter would count as no!

12. Import the SSL domain certificate into the keystore

Call keytool again:

keytool -import -trustcacerts -keystore domainname.kdb -alias tomcat -file domainname.cer

where
- domainname.kdb is your keystore file (in our example example.com.kdb)
- domainname.cer is the domain certificate received from your SSL provider (example: example.com.cer)

When prompted, give your password (example: changeit).

[Screenshot: Keytool: Import of the domain certificate into the keystore]
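The keytool steps of sections A to C, as an added example that is not MeetingSphere's own script: a POSIX shell script that checks the host name and the illegal-character rule of step 4 before building the non-interactive form of the commands in steps 1, 9, 11 and 12. It assumes keytool is on the PATH; the -dname and -ext options are standard keytool options that the guide itself does not use.

```shell
#!/bin/sh
# Added example (not MeetingSphere's own script): builds the keytool commands of
# steps 1, 9, 11 and 12 for one host, with the guide's naming and character rules
# enforced before anything is run. Assumes a POSIX shell and keytool on the PATH.
check_host() {
  # Lowercase host name exactly as registered in DNS, e.g. meetingsphere.example.com
  case "$1" in
    ''|.*|*.|*[!a-z0-9.-]*) return 1 ;;
  esac
}

check_dn_field() {
  # Reject the characters step 4 lists as illegal: ! @ # $ % ^ ( ) ~ ? > < & / \ , . " '
  [ -n "$1" ] || return 1
  ! printf '%s' "$1" | grep -q '[!@#$%^()~?><&/\,."'"'"']'
}

build_dname() {
  # $1 host, $2 organizational unit, $3 organization, $4 city, $5 state, $6 country
  for f in "$2" "$3" "$4" "$5"; do
    check_dn_field "$f" || { echo "illegal character in DN field: $f" >&2; return 1; }
  done
  case "$6" in
    [A-Z][A-Z]) ;;
    *) echo "country must be an ISO 3166-1 alpha-2 code: $6" >&2; return 1 ;;
  esac
  printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Step 1 without the interactive prompts of steps 3-5 (-dname). The -ext SAN option is
# not in the guide: browsers match the host against the Subject Alternative Name.
genkey_cmd() {
  printf 'keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore %s.kdb -dname "%s" -ext SAN=dns:%s' "$1" "$2" "$1"
}
# Step 9: keystore and CSR share the host name.
certreq_cmd() {
  printf 'keytool -certreq -alias tomcat -keystore %s.kdb -file %s.csr -ext SAN=dns:%s' "$1" "$1" "$1"
}
# Steps 11 and 12: root certificate under alias root, domain certificate under alias tomcat.
import_root_cmd() { printf 'keytool -import -trustcacerts -keystore %s.kdb -alias root -file root.cer' "$1"; }
import_domain_cmd() { printf 'keytool -import -trustcacerts -keystore %s.kdb -alias tomcat -file %s.cer' "$1" "$1"; }

# Usage: sh make-keystore.sh HOST OU O CITY STATE CC   (runs sections A and B; keytool prompts for the password)
if [ "$#" -eq 6 ]; then
  check_host "$1" || { echo "invalid host name: $1" >&2; exit 1; }
  dname=$(build_dname "$@") || exit 1
  eval "$(genkey_cmd "$1" "$dname")" && eval "$(certreq_cmd "$1")"
  echo "Send $1.csr to your CA, then run:"; import_root_cmd "$1"; echo; import_domain_cmd "$1"; echo
fi
```

Run it from the directory that should hold the keystore, as the guide requires, and keep the backups after each step.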
Your keystore domainname.kdb (in the example: example.com.kdb) is now complete and ready for use. Create a backup of this file and store it in a safe place!

D. Install the keystore on the Meeting Center Server

13. Upload the keystore in the server console

Open the application server console > Server administration > SSL keystore control.
- Specify uploaded keystore.
- Upload the keystore and specify the password.

MeetingSphere Inc
440 Monticello Ave, Suite 1875
Norfolk, VA 23510
United States of America
www.meetingsphere.com
T: 1 (703) 348 0725
Sales: sales@meetingsphere.com
Support: http://meetingsphere.com/support