Ssl-certificate/en: различия между версиями

Материал из SmartPlayer
(Новая страница: «== '''Types of Certificates''' == Theory on types of certificates. [https://www.globalsign.com/ru-ru/ssl-information-center/types-of-ssl-certificate The simplified classification of SSL includes the following options:]»)
Нет описания правки
 
(не показаны 33 промежуточные версии этого же участника)
Строка 13: Строка 13:
Theory on types of certificates. [https://www.globalsign.com/ru-ru/ssl-information-center/types-of-ssl-certificate The simplified classification of SSL includes the following options:]
Theory on types of certificates. [https://www.globalsign.com/ru-ru/ssl-information-center/types-of-ssl-certificate The simplified classification of SSL includes the following options:]


<div lang="ru" dir="ltr" class="mw-content-ltr">
# ''Extended Validation Certificate: ExtendedSSL (EV SSL)''. This is the latest and possibly the most significant development in SSL technology since its introduction. This solution complies with standardized extended validation guidelines. New high-security browsers such as Microsoft Internet Explorer 7+, Opera 9.5+, Firefox 3+, Google Chrome, Apple Safari 3.2+, and iPhone Safari 3.0+ recognize ExtendedSSL certificates as extended validation (EV) certificates. This is relevant for clients who want to declare the highest level of authentication.
# ''Сертификат с расширенной проверкой: ExtendedSSL (EV SSL)''. Это самое свежее и, возможно, самое важное развитие технологии SSL с момента ее введения. Данное решение соблюдает стандартизированные рекомендации по расширенной проверке. Новые высоконадежные браузеры, такие как Microsoft Internet Explorer 7+, Opera 9.5+, Firefox 3+, Google Chrome, Apple Safari 3.2+ и iPhone Safari 3.0+, распознают сертификаты ExtendedSSL как сертификаты с расширенной проверкой (EV). Актуально для клиентов, которые хотят заявить о высочайшем уровне аутентификации.
# ''Organization Validated Certificate: OrganizationSSL (OV SSL)''. GlobalSign has been issuing organization validated certificates for 15 years. Information about companies applying for an OrganizationSSL certificate is thoroughly verified before the certificate is issued.
# ''Сертификат с проверкой организации OrganizationSSL (OV SSL)''. GlobalSign выпускает сертификаты с проверкой организации на протяжении 15 лет. Сведения о компаниях, подающих заявки на сертификат OrganizationSSL, тщательно проверяются перед выпуском сертификата.
# ''Domain Validated Certificate: DomainSSL (DV SSL)''. DomainSSL certificates are fully supported and recognized by browsers, just like OrganizationSSL certificates, but they have one advantage they are issued almost instantly and without the need to send company documents for verification. This makes DomainSSL an ideal offer for an organization that needs to obtain an SSL certificate urgently, without additional costs and without the effort of sending company documents for verification.
# ''Сертификат с проверкой домена: DomainSSL (DV SSL)''. Сертификаты DomainSSL полностью поддерживаются и распознаются браузерами, как и сертификаты OrganizationSSL, но имеют одно преимущество они выпускаются почти мгновенно и без необходимости присылать документы компании на проверку. Это делает DomainSSL идеальным предложением для организации, которой нужно получить SSL-сертификат срочно, без дополнительных расходов и без усилий по передаче документов компании на проверку.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
== '''Certificate Chains''' ==
== '''Цепочки сертификатов''' ==
Issuing a certificate implies not just one certificate file, but a chain of certificates that need to be obtained:
Под выпуском сертификата подразумевается не один файл сертификата, а цепочка сертификатов, которые нужно получить:
* ''Root SSL Certificate, CA Certificate'' — This is an electronic document that certification authorities use to sign SSL certificates upon issuance. The root certificate, often called a trusted root certificate, is at the heart of the trust model that supports SSL/TLS.<br>
* ''Корневой сертификат SSL, CA certificate'' — это электронный документ, которым центры сертификации подписывают SSL-сертификаты при выдаче. Корневой сертификат, часто называемый доверенным корневым сертификатом, находится в центре модели доверия, которая поддерживает SSL / TLS.<br>
Each browser contains a root store. Some browsers operate independently, while others use a third-party certificate store. The root certificate store is a set of preloaded root certificates that are on the device. The root certificate is invaluable because browsers automatically trust a certificate signed with a trusted root certificate. Trusted roots belong to Certification Authorities (e.g., Comodo, Thawte, Geotrust, GlobalSign, Symantec, etc.) - organizations that verify and issue SSL certificates.
Каждый браузер содержит корневое хранилище. Некоторые браузеры работают самостоятельно, в то время как другие используют стороннее хранилище сертификатов. Хранилище корневых сертификатов - это набор предварительно загруженных корневых сертификатов, которые находятся на устройстве. Корневой сертификат бесценен, поскольку браузеры автоматически доверяют сертификату, подписанному с доверенным корневым сертификатом. Доверенные корни принадлежат Центрам Сертификации (например Comodo, Thawte, Geotrust, GlobalSign, Symantec и так далее) - организациям, которые проверяют и выдают сертификаты SSL.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
* ''Intermediate Certificate'' - Certification Authorities (CAs) do not issue end-user SSL certificates directly from their Root Certificate. This would be risky because, in the case of improper issuance or an error, the Root Certificate would be revoked, and every issued certificate that was signed using that Root Certificate would immediately become "Untrusted".<br>
* ''Промежуточный сертификат'' - Центры сертификации не выдают сертификаты SSL конечного пользователя непосредственно от их Корневого сертификата. Это было бы опасно, потому что, при неправильной выдаче или ошибке, Root (Корневой сертификат) был бы отозван и каждый выпущенный сертификат, который был подписан с использованием данного Корневого сертификата, станет сразу же "Недовереным".<br>
Therefore, to protect themselves, CAs usually issue what is called an "Intermediate Certificate". The Certification Authority signs the Intermediate Certificate with its private key, which makes it "Trusted". The CA then uses the private key of the Intermediate Certificate to sign end-user SSL certificates. This process can be repeated several times, where an intermediate root signs another intermediate link, and then the CA uses this to sign the certificate.  
Таким образом, чтобы обезопасить себя, CA обычно выдает то, что называется "промежуточным сертификатом". Центр Сертификации подписывает промежуточный сертификат с его закрытым ключом, который делает его "Доверенным". Затем Центр сертификации использует закрытый ключ промежуточного сертификата для подписи сертификатов SSL конечного пользователя. Этот процесс может играть несколько раз, где промежуточный корень подписывает другое промежуточное звено, и затем CA использует это для подписания сертификата.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
* ''SSL Certificate'' - A unique certificate issued for the domain name of a web application.
* ''SSL сертификат'' - уникальный сертификат выданный на доменное имя веб приложения.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
=== Certificate Issuance ===
=== Выпуск сертификатов ===
Depending on which certification authority will be used, the issuance process differs.
В зависимости какой центр сертификации будет использоваться, процесс выпуска отличается.
* "Certificates issued by widely accepted public certification authorities" - You can find any site on the internet (for example, reg.ru / firstssl.ru and countless others) that deals with the issuance of certificates from the required certification authority (for example, GlobalSign). Each site has a personal account/instructions on how to issue certificates.
* "Сертификаты выпущенными общепринятым публичным центром сертификации" - можно найти любой сайт в сети интернет (например reg.ru / firstssl.ru и другие их бесчисленное множество), который занимается выпуском сертификатов от нужного центра сертификации (например: GlobalSign). На каждом сайте есть личный кабинет / инструкции как выпускать сертификаты.
* "Self-signed certificates" - Contact your company's IT department.
* "Самоподписанные сертификаты" - обратиться в департамент IT своей компании.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
{| class="wikitable"
{| class="wikitable"
|+ Придерживайтесь следующих рекомендаций от компании SmartPlayer по выпуску сертификатов
|+ Follow these guidelines from SmartPlayer for issuing certificates
|-
|-
! Рекомендация !! Причина рекомендации
! Recommendation !! Reason for recommendation
|-
|-
| Покупайте сертификаты, выпущенные "общепринятым публичным центром сертификации" || Платформа SmartPlayer является кроссплатформенной, т.е. клиентские приложения работают на всех операционных системах (AndroidOS/WebOS/TizenOS/Windows/Linux/Raspberry Pi и т.п.). Это значит, что все операционные системы по умолчанию должны доверять центру сертификации, который выпустил сертификаты. Если даже в текущем проекте используется только Android OS, это не значит, что отдел закупок через год не купит устройства на TizenOS. Используйте центр сертификации, которому доверяют максимум производителей устройств.  
|Buy certificates issued by a "commonly accepted public certification authority"
Reason for recommendation: The SmartPlayer platform is cross-platform, meaning client applications work on all operating systems (AndroidOS/WebOS/TizenOS/Windows/Linux/Raspberry Pi, etc.). This means that all operating systems must trust the certification authority that issued the certificates by default. Even if the current project only uses Android OS, it doesn't mean that the procurement department won't buy devices on TizenOS in a year. Use a certification authority trusted by the maximum number of device manufacturers.
|-
|-
| Покупайте сертификаты от компании [https://www.globalsign.com/ru-ru GlobalSign] || Мировой центр сертификации, данному центру доверяют все производители устройств из всех стран мира. Максимально широкое покрытие устройств от производителей. Компания SmartPlayer использует сертификат от данного центра сертификации. Например, Samsung/LG - Южная Корея, BrightSign - Великобритания, Android OS - бесчисленное количество разных производителей и все они доверяют GlobalSign.
|Buy certificates from GlobalSign
Reason for recommendation: A global certification authority trusted by all device manufacturers worldwide. The widest coverage of devices from manufacturers. SmartPlayer uses a certificate from this certification authority. For example, Samsung/LG - South Korea, BrightSign - UK, Android OS - countless different manufacturers, and they all trust GlobalSign.
|-
|-
| Не используйте частные центры сертификации || Частным центрам сертификации не доверяет ни одно устройство. Для запуска https придется добавлять сертификат в хранилище сертификатов устройства вручную. А если в проекте устройств будет более 50? Это уже становится много рутинной ручной работы. {{Note|text=Платформа SmartPlayer пока не поддерживает загрузку пользовательских сертификатов через личный кабинет SmartPlayer. В дальнейшем будет доработано, но универсального решения не получится для всех операционных систем. Есть ограничения от производителей, например TizenOS не предоставляет API для загрузки сертификатов на 30 мая 2024 года. Не берите на себя лишние риски, используйте сертификаты от публичных центров сертификации.}}
| Do not use private certification authorities
Reason for recommendation: No device trusts private certification authorities. To launch https, you will need to add the certificate to the device's certificate store manually. And if there are more than 50 devices in the project? This already becomes a lot of routine manual work. {{Note|text=The SmartPlayer platform does not yet support the loading of user certificates through the SmartPlayer personal account. This will be improved in the future, but there will not be a universal solution for all operating systems. There are manufacturer restrictions, for example, TizenOS does not provide an API for loading certificates as of May 30, 2024. Do not take unnecessary risks, use certificates from public certification authorities.}}
|-
|-
| Какой типа сертификата выбрать? || Используйте DomainSSL (DV SSL). Он самый дешевый и быстро выпускаемый для обеспечения работы по протоколу https.
| Which type of certificate to choose?|| Reason for recommendation: Use DomainSSL (DV SSL). It is the cheapest and quickest to issue for ensuring work over the https protocol.
|}
|}
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
== '''Configuring the SmartPlayer Platform''' ==
= '''Настройка платформы SmartPlayer''' =
To ensure the correct operation of the "https" protocol using SSL certificate(s), the following platform components need to be configured:
Для корректной работы "https" протокола с использованием ssl сертификата(ов) нужно настроить следующие компоненты платформы:
* The server application and the SmartPlayer personal account
* серверное приложение и личного кабинета SmartPlayer
* SmartPlayer client applications
* клиентские приложения SmartPlayer
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
By this point, you should have three certificates and a private key:
К этому моменту на руках должно быть три сертификата и приватный ключ:
* Root SSL certificate, CA certificate (for example, in this guide we will call it: rootCA.crt)
* Корневой сертификат SSL, CA certificate (для примера в инструкции назовем: rootCA.crt)
* Intermediate certificate (for example, in this guide we will call it: intermediateCA.crt)
* Промежуточный сертификат (для примера в инструкции назовем: intermediateCA.crt)
* SSL certificate (for example, in this guide we will call it: server-sp.crt)
* SSL сертификат (для примера в инструкции назовем: server-sp.crt)
* SSL private key (for example, in this guide we will call it: server-sp.key)
* SSL приватный ключ (для примера в инструкции назовем: server-sp.key)
=== <span id="installCertificatesOnServerApp">'''Configuring the SmartPlayer Server Application (and Personal Account)''' ===
Create a certificate chain from the "intermediate certificate" and the "SSL certificate" by combining them into one file. There are different ways to do this:
=== <span id="installCertificatesOnServerApp">'''Настройка серверного приложения (и личного кабинета) SmartPlayer'''</span> ===  
# Open any text editor and paste the content of the "intermediate certificate" file first, then paste the content of the "SSL certificate" file '''without any spaces''' from the next line. Save the resulting text document with the *.crt extension.
Создайте цепочку сертификатов из "промежуточного сертификата" и "ssl сертификата" соединив их в один файл. Есть разные способы, как это сделать:
# When working in Linux, simply execute the command: <code>cat intermediateCA.crt server-sp.crt > server-sp-chain.crt</code>  
# Открыть любой тестовый редактор и в него вставить вначале содержимое файла "промежуточного сертификата", а дальше '''без пробелов''' вставить содержимое следующего "ssl сертификата" '''с следующей строчки'''. Сохранить полученный тестовый документ с разрешением *.crt.
# При работе в Linux достаточно выполнить команду: <code>cat intermediateCA.crt server-sp.crt > server-sp-chain.crt</code>
</div>  


<div lang="ru" dir="ltr" class="mw-content-ltr">
As a result, we have the file server-sp-chain.crt, which contains both certificates. If you open the file in a special certificate management program (https://keystore-explorer.org/), you will see the following hierarchical structure.
В итоге у нас получился файл server-sp-chain.crt, который содержит в себе оба сертификата. Если файл открыть в специальной программе по работе с сертификатами (https://keystore-explorer.org/), то можно увидеть следующую иерархическую структуру.  
[[Файл:Self-certificate-api.png|центр]]
[[Файл:Self-certificate-api.png|центр]]
</div>




<div lang="ru" dir="ltr" class="mw-content-ltr">
# Upload the certificate chain (server-sp-chain.crt) and the private key (server-sp.key) to the server using any convenient method. Commonly used programs for this include:
# Загрузите на сервер цепочку сертификатов (server-sp-chain.crt) и приватный ключ (server-sp.key) любым удобным способом. Часто используемые программы для этого:
## WinScp - https://winscp.net/eng/
## WinScp - https://winscp.net/eng/
## FileZilla - https://filezilla-project.org/
## FileZilla - https://filezilla-project.org/
## Sftp / scp - обычно поставляются с операционной системой
## Sftp / scp - usually come with the operating system
# Найдите путь (если не знаете), куда установлена платформа SmartPlayer на сервере, по умолчанию это "/home/smartplayer/smartplayer"
# Find the path (if you don't know it) where the SmartPlayer platform is installed on the server, by default it is "/home/smartplayer/smartplayer"
# Переместите файлы server-sp-chain.crt и server-sp.key в папку с сертификатами, по умолчанию это "/home/smartplayer/smartplayer/nginx/ssl". По умолчанию в конфигурации nginx поставляемой компанией SmartPlayer названия для файлов: ssl.crt (цепочка сертификатов) и ssl_private.key (приватный ключ). Используйте эти названия для своих файлов, чтобы не переписывать конфигурационные файлы nginx веб сервера.  
# Move the files server-sp-chain.crt and server-sp.key to the certificate folder, by default this is "/home/smartplayer/smartplayer/nginx/ssl". By default, in the nginx configuration provided by SmartPlayer, the file names are: ssl.crt (certificate chain) and ssl_private.key (private key). Use these names for your files to avoid rewriting the nginx web server configuration files.
# Проверьте конфигурацию nginx, что файлы доступны для веб сервера, для этого выполнить команду: <code>docker exec -it smartplayer_web_1 sh</code> внутри контейнера <code>nginx -t</code> вывод должен быть [[Файл:Screenshot from 2024-05-30 15-35-08.png|центр]]
# Check the nginx configuration to ensure the files are accessible to the web server, by running the command: <code>docker exec -it smartplayer_web_1 sh</code> inside the container <code>nginx -t</code>. The output should be:
# Перезагрузите конфигурацию nginx, для этого выполните команду: <code>docker exec -it smartplayer_web_1 sh</code> внутри контейнера <code>nginx -s reload</code>  
[[Файл:Screenshot from 2024-05-30 15-35-08.png|центр]]
# На этом установка сертификата на серверное приложение SmartPlayer закончено. Для проверки открой url личного кабинета или серверное приложения в браузере. Если вы использовали сертификаты от "выпущенными общепринятым публичным центром сертификации", то вы сразу увидите защищенное соединение (зеленый замок слева от адреса). Если вы использовали сертификаты от "cамоподписанные сертификаты", то вы увидите незащищенное соединение в браузере, так как он не доверяет сертификату.  
# Reload the nginx configuration by running the command: <code>docker exec -it smartplayer_web_1 sh</code> inside the container <code>nginx -s reload</code>
# The installation of the certificate on the SmartPlayer server application is now complete. To verify, open the URL of the personal account or server application in the browser. If you used certificates issued by a "common public certification authority," you will immediately see a secure connection (green lock to the left of the address). If you used "self-signed certificates," you will see an insecure connection in the browser, as it does not trust the certificate.
[[Файл:Screenshot from 2024-05-30 15-46-44.png|центр]]
[[Файл:Screenshot from 2024-05-30 15-46-44.png|центр]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
{{Note|text=The configuration of the personal account fully replicates the steps described in this section. The personal account uses similar paths to the certificates to establish an HTTPS connection. No additional configuration is required if the default nginx configuration files are used. In closed networks, a solution is used where the personal account and server application are on the same domain, in almost 100% of cases.}}
{{Note|text=Настройка личного кабинета полностью повторяет шаги, описанные в этом разделе. Личный кабинет использует аналогичные пути к сертификатам для открытия https соединения. Дополнительная настройка не требуется если используются конфигурационные файлы nginx по умолчанию. В закрытых сетях используется решение, где личный кабинет и серверное приложения находятся на одном домене, практически в 100% случаев.}}
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
=== '''Configuring SmartPlayer Client Applications''' ===  
=== '''Настройка клиентских  приложения SmartPlayer''' ===  
# If you used a certificate issued by a "public certification authority" from GlobalSign, adding certificates to the end devices is not necessary, and the HTTPS connection between the client application and the server application should immediately open. The client application will display a registration code upon first access.
# Если вы использовали сертификат от "выпущенными общепринятым публичным центром сертификации" от GlobalSign то добавление сертификатов на конечные устройства не нужно и сразу должно открыться https соединение между клиентским приложением и серверным приложение. Клиентское приложение покажет код регистрации, при первом обращении.  
# If you issued a certificate from a private certification authority, you need to add the rootCA.crt to the device's certificate store. Each operating system handles this differently; instructions can be found on the Internet. After adding the certificate, restart the device, and the HTTPS connection should open.  
# Если вы выпустили сертификат частным центром сертификации, то rootCA.crt нужно добавить на устройство в его хранилище сертификатов. В каждой операционной системе это делает по разному инструкции можно найти в сети Интернет. После добавление сертификата перезагрузите устройство и соединение https должно открыться.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Separate instructions for operating systems on how to add custom certificates:
Отдельный инструкции по операционным системам, как добавить пользовательские сертификаты:
# [[Installing_Certificates_for_Android_OS]]
# [[Установка_сертификатов_для_ОС_Android]]
# TizenOS - does not support the installation of certificates issued by a private certification authority. You need to use certification authorities from the list
# TizenOS - не поддерживает установку сертификатов выпущенных частным центром сертификации. Нужно использовать центры сертификации из списка [[SSSP#%D0%9F%D0%BE%D0%B4%D0%B4%D0%B5%D1%80%D0%B6%D0%BA%D0%B0_HTTPS_(%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D1%8B)]]
[[SSSP#%D0%9F%D0%BE%D0%B4%D0%B4%D0%B5%D1%80%D0%B6%D0%BA%D0%B0_HTTPS_(%D1%81%D0%B5%D1%80%D1%82%D0%B8%D1%84%D0%B8%D0%BA%D0%B0%D1%82%D1%8B)]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
= '''Troubleshooting''' =
= '''Поиск неисправностей''' =
=== '''Trust anchor for certification path not found''' ===
=== '''Trust anchor for certification path not found''' ===  
[[Файл:Screen.png|безрамки|центр]]
[[Файл:Screen.png|безрамки|центр]]
{| class="wikitable"
{| class="wikitable"
|+ Ошибки на Android OS
|+ Errors on Android OS
|-
|-
! Операционная система !! Причина ошибки !! Исправление ошибки
! Operating System !! Cause of Error !! Error Fix
|-
|-
| Android OS || Устройство не доверяет центру сертификации, который выпустил сертификат, установленный на серверном приложении SmartPlayer || Добавить корневой сертификат центра сертификации в пользовательские сертификаты на устройстве. Общая инструкция [[Установка_сертификатов_для_ОС_Android]]. Возможно, после установки потребуется перезагрузка устройства. Зависит от прошивки устройства.
|Android OS|| The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application || Add the root certificate of the certification authority to the user certificates on the device. General instructions [[Installing_Certificates_for_Android_OS]]. A device reboot may be required after installation, depending on the device firmware.
|-
|-
| Android OS || Устройство не доверяет центру сертификации, который выпустил сертификат установленный на серверном приложении SmartPlayer, но сертификат установлен в хранилище сертификатов устройства || Обновите клиентское приложение до версии v1.70.2 и выше
|Android OS || The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application, but the certificate is installed in the device's certificate store || Update the client application to version v1.70.2 or higher
|}
|}
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
=== '''Connection error ${server address} {"type":"TransportError", "description":{"isTrusted"}}''' ===
=== '''Ошибка подключения ${адрес сервера} {"type":"TransportError", "description":{"isTrusted":true}}''' ===  
[[Файл:06A63054-AFE2-4037-A37F-FC15028027E5.jpg|безрамки|центр]]
[[Файл:06A63054-AFE2-4037-A37F-FC15028027E5.jpg|безрамки|центр]]
{| class="wikitable"
{| class="wikitable"
|+ Ошибки на TizenOS/WebOS/BrightSignOS
|+ Erorrs on TizenOS/WebOS/BrightSignOS
|-
|-
! Операционная система !! Причина ошибки !! Исправление ошибки
! Operating system !! Cause of Error !! Error Fix
|-
|-
| WebOS || Устройство не доверяет центру сертификации, который выпустил сертификат, установленный на серверном приложении SmartPlayer || Добавить корневой сертификат центра сертификации в пользовательские сертификаты на устройстве в системном меню WebOS. Возможно, после установки потребуется перезагрузка устройства. Зависит от прошивки устройства.
|WebOS || The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application || Add the root certificate of the certification authority to the user certificates on the device in the WebOS system menu. A device reboot may be required after installation, depending on the device firmware.
|-
|-
| TizenOS || Устройство не доверяет центру сертификации, который выпустил сертификат, установленный на серверном приложении SmartPlayer || Добавить корневой сертификат центра сертификации в пользовательские сертификаты на устройстве нет возможности. Выпускать сертификат центром сертификации, которому доверяет устройство по умолчанию. Нужно использовать центры сертификации из списка [[SSSP#Поддержка_HTTPS_(сертификаты)]]
| TizenOS || The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application || It is not possible to add the root certificate of the certification authority to the user certificates on the device. Issue the certificate with a certification authority that the device trusts by default. Use the certification authorities from the list [[SSSP#Support_HTTPS_(certificates)]].
|-
|-
| BrightSignOS || Устройство не доверяет центру сертификации, который выпустил сертификат установленный на серверном приложении SmartPlayer.|| Инструкция как импортировать корневой сертификат в устройство (сами не проверяли) https://support.brightsign.biz/hc/en-us/articles/360024205233-How-do-I-display-a-webpage-that-requires-a-client-certificate Открывать под VPN/Proxy, из-под российского IP не открывается.  
| BrightSignOS || The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application. || nstructions on how to import the root certificate into the device (not tested by us) can be found at: https://support.brightsign.biz/hc/en-us/articles/360024205233-How-do-I-display-a-webpage-that-requires-a-client-certificate. Access via VPN/Proxy, as it is not accessible from a Russian IP.
|}
|}
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
=== '''Bad line при проверки конфигурации nginx ''' ===
=== '''Bad line при проверки конфигурации nginx ''' ===
[[Файл:Bad line.png|безрамки|центр]]
[[Файл:Bad line.png|безрамки|центр]]
Ошибка возникает, когда цепочка сертификатов создана неправильно, на стыке сертификатов. Откройте файл цепочки сертификатов в любом текстовом редакторе (sublim/atom/editor/notepad++ и т.п.) и сделайте переход на следующую строчку, при начале следующего сертификата. <br>
This error occurs when the certificate chain is created incorrectly, at the junction of certificates. Open the certificate chain file in any text editor (sublim/atom/editor/notepad++, etc.) and make a line break at the beginning of the next certificate.
'''Неправильно'''  
'''Incorrect'''
[[Файл:Screenshot from 2024-06-03 10-35-27.png|безрамки|центр]]
[[Файл:Screenshot from 2024-06-03 10-35-27.png|безрамки|центр]]
'''Правильно'''
'''Correct'''
[[Файл:Screenshot from 2024-06-03 10-37-07.png|безрамки|центр]]
[[Файл:Screenshot from 2024-06-03 10-37-07.png|безрамки|центр]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
= '''Test in the SmartPlayer Testing Infrastructure''' =
= '''Протестировать в тестовой инфраструктуре SmartPlayer''' =
SmartPlayer offers a testing environment where you can test the interaction between the SmartPlayer server application and client application over HTTPS with certificates issued by a private certification authority.
У компании SmartPlayer есть тестовая среда, где вы можете протестировать взаимодействие по https серверного приложения и клиентского приложения SmartPlayer c сертификатами, выпущенными частным центром сертификации.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
# Server application: https://self-certificate-api.smartplayer.org/
# Серверное приложение: https://self-certificate-api.smartplayer.org/
# Personal area: https://self-certificate.smartplayer.org/
# Личный кабинет: https://self-certificate.smartplayer.org/
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
When opening the URL in the browser, there will be a certificate error. The browser on your computer does not trust the private certification authority issued by SmartPlayer.
При открытии url в браузере будет ошибка сертификата. Браузер на вашем компьютере не доверяет частному центру сертификации который выпущен компанией SmartPlayer.  
[[Файл:Screenshot from 2024-05-30 18-24-41.png|безрамки|центр]]
[[Файл:Screenshot from 2024-05-30 18-24-41.png|безрамки|центр]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
To make the browser trust the certificate signed by a private certification authority, add the root certificate to the browser's user certificate store. Each browser has its own section for this, but most often these settings can be found in the security section.  
Для того, чтобы браузер стал доверять сертификату, который подписан частным центром сертификации добавьте корневой сертификат в центр хранения пользовательских сертификатов браузера. В каждом браузере свой раздел отвечает за это, но чаще всего эти настройки в разделе - безопасность.
</div>




<div lang="ru" dir="ltr" class="mw-content-ltr">
Download and add the certificate [https://instructions.hb.ru-msk.vkcs.cloud/rootCA%20sp%202024.crt https://instructions.hb.ru-msk.vkcs.cloud/rootCA_sp_2024.crt]
Скачиваем и добавляем сертификат [https://instructions.hb.ru-msk.vkcs.cloud/rootCA%20sp%202024.crt https://instructions.hb.ru-msk.vkcs.cloud/rootCA_sp_2024.crt]
</div>




<div lang="ru" dir="ltr" class="mw-content-ltr">
Added certificate to browser storage
Добавленный сертификат в хранилище браузера
[[Файл:Screenshot from 2024-05-30 18-38-53.png|безрамки|центр]]
[[Файл:Screenshot from 2024-05-30 18-38-53.png|безрамки|центр]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Added certificate to browser storage
Добавленный сертификат
[[Файл:Screenshot from 2024-05-30 18-34-14.png|безрамки|центр]]
[[Файл:Screenshot from 2024-05-30 18-34-14.png|безрамки|центр]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Restart the page
Обновить страницу
# https://self-certificate.smartplayer.org/
# https://self-certificate.smartplayer.org/
# https://self-certificate-api.smartplayer.org/
# https://self-certificate-api.smartplayer.org/
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Server application
Серверное приложение
[[Файл:Screenshot from 2024-05-30 18-35-55.png|безрамки|центр]]
[[Файл:Screenshot from 2024-05-30 18-35-55.png|безрамки|центр]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Personal area
Личный кабинет
[[Файл:Screenshot from 2024-05-30 18-36-42.png|безрамки|центр]]
[[Файл:Screenshot from 2024-05-30 18-36-42.png|безрамки|центр]]
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Now it is clear that the browser trusts our certificate signed by the private certification authority. If you need to test any client application, request a build on the server https://self-certificate-api.smartplayer.org/ for testing from the company's manager.
Теперь видно, что браузер доверяет нашему сертификату, который подписан частным центром сертификации. если нужно протестировать любое клиентское приложение, запросите сборку его на сервер https://self-certificate-api.smartplayer.org/ для тестирования у менеджера компании.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
= '''Certificate Issuance by SmartPlayer Employees''' =
= '''Выпуск сертификата сотрудниками SmartPlayer''' =
SmartPlayer can issue a certificate for a project, but this requires the participation of the domain administrator for which the certificate will be issued. To start the certificate issuance process, you need to obtain the domain name for which the certificate needs to be issued (for example, api.smartplayer.org/cms.smartplayer.org).
SmartPlayer можем выпустить сертификат для проекта, но для этого требуется участие администратора домена, на который будет выпущен сертификат. Для начала выпуска сертификата нужно получить название домена на который нужно выпускать сертификат (например api.smartplayer.org/cms.smartplayer.org).
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
{| class="wikitable"
{| class="wikitable"
|+ Выпуск сертификата с помощью сотрудника SmartPlayer
|+ Issuing a certificate using a SmartPlayer employee
|-
|-
! Наименование шага !! Описание действий !! Ответственные
! Step name !! Description of actions !! Responsible
|-
|-
| Купить сертификат GlobalSign на сайте reg.ru || Покупка сертификата уровня DomainSSL || Сотрудник SmartPlayer
| Buy a GlobalSign certificate on the reg.ru website || Purchase a DomainSSL level certificate || SmartPlayer employee
|-
|-
| Отправка TXT записи || Сотрудник SmartPlayer отправит TXT запись которую нужно будет добавить для домена || Сотрудник SmartPlayer
| Sending TXT record || A SmartPlayer employee will send the TXT record that needs to be added for the domain|| SmartPlayer employee
-
| Adding a TXT record for the domain || Add the TXT record for the domain || Domain administrator (organization employee)
|-
|-
| Добавление TXT записи для домена || Добавить TXT запись для домена || Администратор домена (сотрудник организации)
| Creating a certificate chain || A certificate chain is created for installation on the server application|| SmartPlayer employee
|-
|-
| Создание цепочки сертификатов || Создается цепочка сертификатов для установки на серверном приложении || Сотрудник SmartPlayer
| Sending the archive (root certificate, certificate chain, private key) || Sending the archive with certificate data || SmartPlayer employee
|-
| Отправка архива с (корневым сертификатов, цепочкой сертификатов, приватным ключом) || Отправка архива с данными по сертификату || Сотрудник SmartPlayer
|}
|}
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
# The cost of the service is approximately 3000 rubles (includes the purchase of the certificate). Post-payment. The cost may vary, please check with the sales department.
# Стоимость услуги примерно 3000р (включает покупку сертификата). Постоплата. Стоимость может меняться, уточняйте в отделе продаж.  
# The certificate will be valid for one year from the date of issuance.
# Сертификат будет действовать - один год с момента выпуска.  
=== If the server application and the personal account use the same domain, one certificate is sufficient. If different domains are used, two certificates need to be purchased. ===  
=== Если серверное приложение и личный кабинет используют один домен, то достаточно одного сертификата. Если разные домены то нужно покупать 2 сертификата. ===
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Example of a single domain for the personal account and server application:
Пример одного домена для личного кабинета и серверного приложения:  
# https://develop.smartplayer.org - server application
# https://develop.smartplayer.org - серверное приложение
# https://develop.smartplayer.org/cms/ - personal account
# https://develop.smartplayer.org/cms/ - личный кабинет
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
Example of two domains for the personal account and server application:
Пример двух доменов для личного кабинета и серверного приложения:  
# https://api.smartplayer.org - серверное приложение
# https://api.smartplayer.org - серверное приложение
# https://cms.smartplayer.org - личный кабинет
# https://cms.smartplayer.org - личный кабинет
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
This does not affect the operation of the applications in any way; you can choose any option for hosting the platform.
На работу приложений это никак не влияет, можно выбрать любой вариант размещения платформы.
</div>

Текущая версия от 09:59, 5 июня 2024

Другие языки:

Introduction

The use of SSL certificates allows for a secure connection over the HTTPS protocol between participants when working with software. This guide describes how to configure the components of the SmartPlayer platform to work with SSL certificates.

  • When purchasing a cloud server - no configuration is required. Everything is set up and working.
  • When purchasing a local server - certificates will need to be issued and the SmartPlayer platform will need to be configured. This case will be discussed further in the guide.

Certification Authorities

There are 2 types of certification authorities:

  1. Certificates issued by widely accepted public certification authorities - These are certificates issued by public companies (such as GlobalSign, Comodo, etc.). The issuance of a certificate signed by such a certification authority is a paid service.
  2. Self-signed certificates - These are certificates issued by a private (personal) certification authority. A private certification authority in a company is usually maintained by the IT department. Certificates issued by such an authority can be used for various purposes, they are free and can be created independently. Large companies sometimes create their own private certification authority infrastructure and issue certificates signed by it.

Types of Certificates

Theory on types of certificates. The simplified classification of SSL includes the following options:

  1. Extended Validation Certificate: ExtendedSSL (EV SSL). This is the latest and possibly the most significant development in SSL technology since its introduction. This solution complies with standardized extended validation guidelines. New high-security browsers such as Microsoft Internet Explorer 7+, Opera 9.5+, Firefox 3+, Google Chrome, Apple Safari 3.2+, and iPhone Safari 3.0+ recognize ExtendedSSL certificates as extended validation (EV) certificates. This is relevant for clients who want to declare the highest level of authentication.
  2. Organization Validated Certificate: OrganizationSSL (OV SSL). GlobalSign has been issuing organization validated certificates for 15 years. Information about companies applying for an OrganizationSSL certificate is thoroughly verified before the certificate is issued.
  3. Domain Validated Certificate: DomainSSL (DV SSL). DomainSSL certificates are fully supported and recognized by browsers, just like OrganizationSSL certificates, but they have one advantage — they are issued almost instantly and without the need to send company documents for verification. This makes DomainSSL an ideal offer for an organization that needs to obtain an SSL certificate urgently, without additional costs and without the effort of sending company documents for verification.

Certificate Chains

Issuing a certificate implies not just one certificate file, but a chain of certificates that need to be obtained:

  • Root SSL Certificate, CA Certificate — This is an electronic document that certification authorities use to sign SSL certificates upon issuance. The root certificate, often called a trusted root certificate, is at the heart of the trust model that supports SSL/TLS.

Each browser contains a root store. Some browsers operate independently, while others use a third-party certificate store. The root certificate store is a set of preloaded root certificates that are on the device. The root certificate is invaluable because browsers automatically trust a certificate signed with a trusted root certificate. Trusted roots belong to Certification Authorities (e.g., Comodo, Thawte, Geotrust, GlobalSign, Symantec, etc.) - organizations that verify and issue SSL certificates.

  • Intermediate Certificate - Certification Authorities (CAs) do not issue end-user SSL certificates directly from their Root Certificate. This would be risky because, in the case of improper issuance or an error, the Root Certificate would be revoked, and every issued certificate that was signed using that Root Certificate would immediately become "Untrusted".

Therefore, to protect themselves, CAs usually issue what is called an "Intermediate Certificate". The Certification Authority signs the Intermediate Certificate with its private key, which makes it "Trusted". The CA then uses the private key of the Intermediate Certificate to sign end-user SSL certificates. This process can be repeated several times, where an intermediate root signs another intermediate link, and then the CA uses this to sign the certificate.

  • SSL Certificate - A unique certificate issued for the domain name of a web application.

Certificate Issuance

Depending on which certification authority will be used, the issuance process differs.

  • "Certificates issued by widely accepted public certification authorities" - You can find any site on the internet (for example, reg.ru / firstssl.ru and countless others) that deals with the issuance of certificates from the required certification authority (for example, GlobalSign). Each site has a personal account/instructions on how to issue certificates.
  • "Self-signed certificates" - Contact your company's IT department.
Follow these guidelines from SmartPlayer for issuing certificates
Recommendation Reason for recommendation
Buy certificates issued by a "commonly accepted public certification authority"

Reason for recommendation: The SmartPlayer platform is cross-platform, meaning client applications work on all operating systems (AndroidOS/WebOS/TizenOS/Windows/Linux/Raspberry Pi, etc.). This means that all operating systems must trust the certification authority that issued the certificates by default. Even if the current project only uses Android OS, it doesn't mean that the procurement department won't buy devices on TizenOS in a year. Use a certification authority trusted by the maximum number of device manufacturers.

Buy certificates from GlobalSign

Reason for recommendation: A global certification authority trusted by all device manufacturers worldwide. The widest coverage of devices from manufacturers. SmartPlayer uses a certificate from this certification authority. For example, Samsung/LG - South Korea, BrightSign - UK, Android OS - countless different manufacturers, and they all trust GlobalSign.

Do not use private certification authorities Reason for recommendation: No device trusts private certification authorities. To launch https, you will need to add the certificate to the device's certificate store manually. And if there are more than 50 devices in the project? This already becomes a lot of routine manual work.
The SmartPlayer platform does not yet support the loading of user certificates through the SmartPlayer personal account. This will be improved in the future, but there will not be a universal solution for all operating systems. There are manufacturer restrictions, for example, TizenOS does not provide an API for loading certificates as of May 30, 2024. Do not take unnecessary risks, use certificates from public certification authorities.
Which type of certificate to choose? Reason for recommendation: Use DomainSSL (DV SSL). It is the cheapest and quickest to issue for ensuring work over the https protocol.

Configuring the SmartPlayer Platform

To ensure the correct operation of the "https" protocol using SSL certificate(s), the following platform components need to be configured:

  • The server application and the SmartPlayer personal account
  • SmartPlayer client applications

By this point, you should have three certificates and a private key:

  • Root SSL certificate, CA certificate (for example, in this guide we will call it: rootCA.crt)
  • Intermediate certificate (for example, in this guide we will call it: intermediateCA.crt)
  • SSL certificate (for example, in this guide we will call it: server-sp.crt)
  • SSL private key (for example, in this guide we will call it: server-sp.key)

Configuring the SmartPlayer Server Application (and Personal Account)

Create a certificate chain from the "intermediate certificate" and the "SSL certificate" by combining them into one file. There are different ways to do this:

  1. Open any text editor and paste the content of the "intermediate certificate" file first, then paste the content of the "SSL certificate" file without any spaces from the next line. Save the resulting text document with the *.crt extension.
  2. When working in Linux, simply execute the command: cat intermediateCA.crt server-sp.crt > server-sp-chain.crt

As a result, we have the file server-sp-chain.crt, which contains both certificates. If you open the file in a special certificate management program (https://keystore-explorer.org/), you will see the following hierarchical structure.


  1. Upload the certificate chain (server-sp-chain.crt) and the private key (server-sp.key) to the server using any convenient method. Commonly used programs for this include:
    1. WinScp - https://winscp.net/eng/
    2. FileZilla - https://filezilla-project.org/
    3. Sftp / scp - usually come with the operating system
  2. Find the path (if you don't know it) where the SmartPlayer platform is installed on the server, by default it is "/home/smartplayer/smartplayer"
  3. Move the files server-sp-chain.crt and server-sp.key to the certificate folder, by default this is "/home/smartplayer/smartplayer/nginx/ssl". By default, in the nginx configuration provided by SmartPlayer, the file names are: ssl.crt (certificate chain) and ssl_private.key (private key). Use these names for your files to avoid rewriting the nginx web server configuration files.
  4. Check the nginx configuration to ensure the files are accessible to the web server, by running the command: docker exec -it smartplayer_web_1 sh inside the container nginx -t. The output should be:
  1. Reload the nginx configuration by running the command: docker exec -it smartplayer_web_1 sh inside the container nginx -s reload
  2. The installation of the certificate on the SmartPlayer server application is now complete. To verify, open the URL of the personal account or server application in the browser. If you used certificates issued by a "common public certification authority," you will immediately see a secure connection (green lock to the left of the address). If you used "self-signed certificates," you will see an insecure connection in the browser, as it does not trust the certificate.
The configuration of the personal account fully replicates the steps described in this section. The personal account uses similar paths to the certificates to establish an HTTPS connection. No additional configuration is required if the default nginx configuration files are used. In closed networks, a solution is used where the personal account and server application are on the same domain, in almost 100% of cases.

Configuring SmartPlayer Client Applications

  1. If you used a certificate issued by a "public certification authority" from GlobalSign, adding certificates to the end devices is not necessary, and the HTTPS connection between the client application and the server application should immediately open. The client application will display a registration code upon first access.
  2. If you issued a certificate from a private certification authority, you need to add the rootCA.crt to the device's certificate store. Each operating system handles this differently; instructions can be found on the Internet. After adding the certificate, restart the device, and the HTTPS connection should open.

Separate instructions for operating systems on how to add custom certificates:

  1. Installing_Certificates_for_Android_OS
  2. TizenOS - does not support the installation of certificates issued by a private certification authority. You need to use certification authorities from the list

SSSP#Поддержка_HTTPS_(сертификаты)

Troubleshooting

Trust anchor for certification path not found

Errors on Android OS
Operating System Cause of Error Error Fix
Android OS The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application Add the root certificate of the certification authority to the user certificates on the device. General instructions Installing_Certificates_for_Android_OS. A device reboot may be required after installation, depending on the device firmware.
Android OS The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application, but the certificate is installed in the device's certificate store Update the client application to version v1.70.2 or higher

Connection error ${server address} {"type":"TransportError", "description":{"isTrusted"}}

Erorrs on TizenOS/WebOS/BrightSignOS
Operating system Cause of Error Error Fix
WebOS The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application Add the root certificate of the certification authority to the user certificates on the device in the WebOS system menu. A device reboot may be required after installation, depending on the device firmware.
TizenOS The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application It is not possible to add the root certificate of the certification authority to the user certificates on the device. Issue the certificate with a certification authority that the device trusts by default. Use the certification authorities from the list SSSP#Support_HTTPS_(certificates).
BrightSignOS The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application. nstructions on how to import the root certificate into the device (not tested by us) can be found at: https://support.brightsign.biz/hc/en-us/articles/360024205233-How-do-I-display-a-webpage-that-requires-a-client-certificate. Access via VPN/Proxy, as it is not accessible from a Russian IP.

Bad line при проверки конфигурации nginx

This error occurs when the certificate chain is created incorrectly, at the junction of certificates. Open the certificate chain file in any text editor (sublim/atom/editor/notepad++, etc.) and make a line break at the beginning of the next certificate. Incorrect

Correct

Test in the SmartPlayer Testing Infrastructure

SmartPlayer offers a testing environment where you can test the interaction between the SmartPlayer server application and client application over HTTPS with certificates issued by a private certification authority.

  1. Server application: https://self-certificate-api.smartplayer.org/
  2. Personal area: https://self-certificate.smartplayer.org/

When opening the URL in the browser, there will be a certificate error. The browser on your computer does not trust the private certification authority issued by SmartPlayer.

To make the browser trust the certificate signed by a private certification authority, add the root certificate to the browser's user certificate store. Each browser has its own section for this, but most often these settings can be found in the security section.


Download and add the certificate https://instructions.hb.ru-msk.vkcs.cloud/rootCA_sp_2024.crt


Added certificate to browser storage

Added certificate to browser storage

Restart the page

  1. https://self-certificate.smartplayer.org/
  2. https://self-certificate-api.smartplayer.org/

Server application

Personal area

Now it is clear that the browser trusts our certificate signed by the private certification authority. If you need to test any client application, request a build on the server https://self-certificate-api.smartplayer.org/ for testing from the company's manager.

Certificate Issuance by SmartPlayer Employees

SmartPlayer can issue a certificate for a project, but this requires the participation of the domain administrator for which the certificate will be issued. To start the certificate issuance process, you need to obtain the domain name for which the certificate needs to be issued (for example, api.smartplayer.org/cms.smartplayer.org).

Issuing a certificate using a SmartPlayer employee
Step name Description of actions Responsible
Buy a GlobalSign certificate on the reg.ru website Purchase a DomainSSL level certificate SmartPlayer employee
Sending TXT record A SmartPlayer employee will send the TXT record that needs to be added for the domain SmartPlayer employee

-

Adding a TXT record for the domain Add the TXT record for the domain Domain administrator (organization employee)
Creating a certificate chain A certificate chain is created for installation on the server application SmartPlayer employee
Sending the archive (root certificate, certificate chain, private key) Sending the archive with certificate data SmartPlayer employee
  1. The cost of the service is approximately 3000 rubles (includes the purchase of the certificate). Post-payment. The cost may vary, please check with the sales department.
  2. The certificate will be valid for one year from the date of issuance.

If the server application and the personal account use the same domain, one certificate is sufficient. If different domains are used, two certificates need to be purchased.

Example of a single domain for the personal account and server application:

  1. https://develop.smartplayer.org - server application
  2. https://develop.smartplayer.org/cms/ - personal account

Example of two domains for the personal account and server application:

  1. https://api.smartplayer.org - серверное приложение
  2. https://cms.smartplayer.org - личный кабинет

This does not affect the operation of the applications in any way; you can choose any option for hosting the platform.