Ssl-certificate
Introduction
The use of SSL certificates allows for a secure connection over the HTTPS protocol between participants when working with software. This guide describes how to configure the components of the SmartPlayer platform to work with SSL certificates.
- When purchasing a cloud server - no configuration is required. Everything is set up and working.
- When purchasing a local server - certificates will need to be issued and the SmartPlayer platform will need to be configured. This case will be discussed further in the guide.
Certification Authorities
There are 2 types of certification authorities:
- Certificates issued by widely accepted public certification authorities - These are certificates issued by public companies (such as GlobalSign, Comodo, etc.). The issuance of a certificate signed by such a certification authority is a paid service.
- Self-signed certificates - These are certificates issued by a private (personal) certification authority. A private certification authority in a company is usually maintained by the IT department. Certificates issued by such an authority can be used for various purposes, they are free and can be created independently. Large companies sometimes create their own private certification authority infrastructure and issue certificates signed by it.
Types of Certificates
Theory on types of certificates. The simplified classification of SSL includes the following options:
- Extended Validation Certificate: ExtendedSSL (EV SSL). This is the latest and possibly the most significant development in SSL technology since its introduction. This solution complies with standardized extended validation guidelines. New high-security browsers such as Microsoft Internet Explorer 7+, Opera 9.5+, Firefox 3+, Google Chrome, Apple Safari 3.2+, and iPhone Safari 3.0+ recognize ExtendedSSL certificates as extended validation (EV) certificates. This is relevant for clients who want to declare the highest level of authentication.
- Organization Validated Certificate: OrganizationSSL (OV SSL). GlobalSign has been issuing organization validated certificates for 15 years. Information about companies applying for an OrganizationSSL certificate is thoroughly verified before the certificate is issued.
- Domain Validated Certificate: DomainSSL (DV SSL). DomainSSL certificates are fully supported and recognized by browsers, just like OrganizationSSL certificates, but they have one advantage — they are issued almost instantly and without the need to send company documents for verification. This makes DomainSSL an ideal offer for an organization that needs to obtain an SSL certificate urgently, without additional costs and without the effort of sending company documents for verification.
Certificate Chains
Issuing a certificate implies not just one certificate file, but a chain of certificates that need to be obtained:
- Root SSL Certificate, CA Certificate — This is an electronic document that certification authorities use to sign SSL certificates upon issuance. The root certificate, often called a trusted root certificate, is at the heart of the trust model that supports SSL/TLS.
Each browser contains a root store. Some browsers operate independently, while others use a third-party certificate store. The root certificate store is a set of preloaded root certificates that are on the device. The root certificate is invaluable because browsers automatically trust a certificate signed with a trusted root certificate. Trusted roots belong to Certification Authorities (e.g., Comodo, Thawte, Geotrust, GlobalSign, Symantec, etc.) - organizations that verify and issue SSL certificates.
- Intermediate Certificate - Certification Authorities (CAs) do not issue end-user SSL certificates directly from their Root Certificate. This would be risky because, in the case of improper issuance or an error, the Root Certificate would be revoked, and every issued certificate that was signed using that Root Certificate would immediately become "Untrusted".
Therefore, to protect themselves, CAs usually issue what is called an "Intermediate Certificate". The Certification Authority signs the Intermediate Certificate with its private key, which makes it "Trusted". The CA then uses the private key of the Intermediate Certificate to sign end-user SSL certificates. This process can be repeated several times, where an intermediate root signs another intermediate link, and then the CA uses this to sign the certificate.
- SSL Certificate - A unique certificate issued for the domain name of a web application.
Certificate Issuance
Depending on which certification authority will be used, the issuance process differs.
- "Certificates issued by widely accepted public certification authorities" - You can find any site on the internet (for example, reg.ru / firstssl.ru and countless others) that deals with the issuance of certificates from the required certification authority (for example, GlobalSign). Each site has a personal account/instructions on how to issue certificates.
- "Self-signed certificates" - Contact your company's IT department.
Recommendation | Reason for recommendation |
---|---|
Buy certificates issued by a "commonly accepted public certification authority"
Reason for recommendation: The SmartPlayer platform is cross-platform, meaning client applications work on all operating systems (AndroidOS/WebOS/TizenOS/Windows/Linux/Raspberry Pi, etc.). This means that all operating systems must trust the certification authority that issued the certificates by default. Even if the current project only uses Android OS, it doesn't mean that the procurement department won't buy devices on TizenOS in a year. Use a certification authority trusted by the maximum number of device manufacturers. | |
Buy certificates from GlobalSign
Reason for recommendation: A global certification authority trusted by all device manufacturers worldwide. The widest coverage of devices from manufacturers. SmartPlayer uses a certificate from this certification authority. For example, Samsung/LG - South Korea, BrightSign - UK, Android OS - countless different manufacturers, and they all trust GlobalSign. | |
Do not use private certification authorities
Reason for recommendation: No device trusts private certification authorities. To launch https, you will need to add the certificate to the device's certificate store manually. And if there are more than 50 devices in the project? This already becomes a lot of routine manual work. The SmartPlayer platform does not yet support the loading of user certificates through the SmartPlayer personal account. This will be improved in the future, but there will not be a universal solution for all operating systems. There are manufacturer restrictions, for example, TizenOS does not provide an API for loading certificates as of May 30, 2024. Do not take unnecessary risks, use certificates from public certification authorities.}} | |
Which type of certificate to choose? | Reason for recommendation: Use DomainSSL (DV SSL). It is the cheapest and quickest to issue for ensuring work over the https protocol. |
Configuring the SmartPlayer Platform
To ensure the correct operation of the "https" protocol using SSL certificate(s), the following platform components need to be configured:
- The server application and the SmartPlayer personal account
- SmartPlayer client applications
By this point, you should have three certificates and a private key:
- Root SSL certificate, CA certificate (for example, in this guide we will call it: rootCA.crt)
- Intermediate certificate (for example, in this guide we will call it: intermediateCA.crt)
- SSL certificate (for example, in this guide we will call it: server-sp.crt)
- SSL private key (for example, in this guide we will call it: server-sp.key)
Configuring the SmartPlayer Server Application (and Personal Account)
Create a certificate chain from the "intermediate certificate" and the "SSL certificate" by combining them into one file. There are different ways to do this:
- Open any text editor and paste the content of the "intermediate certificate" file first, then paste the content of the "SSL certificate" file without any spaces from the next line. Save the resulting text document with the *.crt extension.
- When working in Linux, simply execute the command:
cat intermediateCA.crt server-sp.crt > server-sp-chain.crt
As a result, we have the file server-sp-chain.crt, which contains both certificates. If you open the file in a special certificate management program (https://keystore-explorer.org/), you will see the following hierarchical structure.
- Upload the certificate chain (server-sp-chain.crt) and the private key (server-sp.key) to the server using any convenient method. Commonly used programs for this include:
- WinScp - https://winscp.net/eng/
- FileZilla - https://filezilla-project.org/
- Sftp / scp - usually come with the operating system
- Find the path (if you don't know it) where the SmartPlayer platform is installed on the server, by default it is "/home/smartplayer/smartplayer"
- Move the files server-sp-chain.crt and server-sp.key to the certificate folder, by default this is "/home/smartplayer/smartplayer/nginx/ssl". By default, in the nginx configuration provided by SmartPlayer, the file names are: ssl.crt (certificate chain) and ssl_private.key (private key). Use these names for your files to avoid rewriting the nginx web server configuration files.
- Check the nginx configuration to ensure the files are accessible to the web server, by running the command:
docker exec -it smartplayer_web_1 sh
inside the containernginx -t
. The output should be:
- Reload the nginx configuration by running the command:
docker exec -it smartplayer_web_1 sh
inside the containernginx -s reload
- The installation of the certificate on the SmartPlayer server application is now complete. To verify, open the URL of the personal account or server application in the browser. If you used certificates issued by a "common public certification authority," you will immediately see a secure connection (green lock to the left of the address). If you used "self-signed certificates," you will see an insecure connection in the browser, as it does not trust the certificate.
Configuring SmartPlayer Client Applications
- If you used a certificate issued by a "public certification authority" from GlobalSign, adding certificates to the end devices is not necessary, and the HTTPS connection between the client application and the server application should immediately open. The client application will display a registration code upon first access.
- If you issued a certificate from a private certification authority, you need to add the rootCA.crt to the device's certificate store. Each operating system handles this differently; instructions can be found on the Internet. After adding the certificate, restart the device, and the HTTPS connection should open.
Separate instructions for operating systems on how to add custom certificates:
- Installing_Certificates_for_Android_OS
- TizenOS - does not support the installation of certificates issued by a private certification authority. You need to use certification authorities from the list
SSSP#Поддержка_HTTPS_(сертификаты)
Troubleshooting
Trust anchor for certification path not found
Operating System | Cause of Error | Error Fix |
---|---|---|
Android OS | The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application | Add the root certificate of the certification authority to the user certificates on the device. General instructions Installing_Certificates_for_Android_OS. A device reboot may be required after installation, depending on the device firmware. |
Android OS | The device does not trust the certification authority that issued the certificate installed on the SmartPlayer server application, but the certificate is installed in the device's certificate store | Update the client application to version v1.70.2 or higher |
Ошибка подключения ${адрес сервера} {"type":"TransportError", "description":{"isTrusted":true}}
Операционная система | Причина ошибки | Исправление ошибки |
---|---|---|
WebOS | Устройство не доверяет центру сертификации, который выпустил сертификат, установленный на серверном приложении SmartPlayer | Добавить корневой сертификат центра сертификации в пользовательские сертификаты на устройстве в системном меню WebOS. Возможно, после установки потребуется перезагрузка устройства. Зависит от прошивки устройства. |
TizenOS | Устройство не доверяет центру сертификации, который выпустил сертификат, установленный на серверном приложении SmartPlayer | Добавить корневой сертификат центра сертификации в пользовательские сертификаты на устройстве нет возможности. Выпускать сертификат центром сертификации, которому доверяет устройство по умолчанию. Нужно использовать центры сертификации из списка SSSP#Поддержка_HTTPS_(сертификаты) |
BrightSignOS | Устройство не доверяет центру сертификации, который выпустил сертификат установленный на серверном приложении SmartPlayer. | Инструкция как импортировать корневой сертификат в устройство (сами не проверяли) https://support.brightsign.biz/hc/en-us/articles/360024205233-How-do-I-display-a-webpage-that-requires-a-client-certificate Открывать под VPN/Proxy, из-под российского IP не открывается. |
Bad line при проверки конфигурации nginx
Ошибка возникает, когда цепочка сертификатов создана неправильно, на стыке сертификатов. Откройте файл цепочки сертификатов в любом текстовом редакторе (sublim/atom/editor/notepad++ и т.п.) и сделайте переход на следующую строчку, при начале следующего сертификата.
Неправильно
Правильно
Протестировать в тестовой инфраструктуре SmartPlayer
У компании SmartPlayer есть тестовая среда, где вы можете протестировать взаимодействие по https серверного приложения и клиентского приложения SmartPlayer c сертификатами, выпущенными частным центром сертификации.
- Серверное приложение: https://self-certificate-api.smartplayer.org/
- Личный кабинет: https://self-certificate.smartplayer.org/
При открытии url в браузере будет ошибка сертификата. Браузер на вашем компьютере не доверяет частному центру сертификации который выпущен компанией SmartPlayer.
Для того, чтобы браузер стал доверять сертификату, который подписан частным центром сертификации добавьте корневой сертификат в центр хранения пользовательских сертификатов браузера. В каждом браузере свой раздел отвечает за это, но чаще всего эти настройки в разделе - безопасность.
Скачиваем и добавляем сертификат https://instructions.hb.ru-msk.vkcs.cloud/rootCA_sp_2024.crt
Добавленный сертификат в хранилище браузера
Добавленный сертификат
Обновить страницу
Серверное приложение
Личный кабинет
Теперь видно, что браузер доверяет нашему сертификату, который подписан частным центром сертификации. если нужно протестировать любое клиентское приложение, запросите сборку его на сервер https://self-certificate-api.smartplayer.org/ для тестирования у менеджера компании.
Выпуск сертификата сотрудниками SmartPlayer
SmartPlayer можем выпустить сертификат для проекта, но для этого требуется участие администратора домена, на который будет выпущен сертификат. Для начала выпуска сертификата нужно получить название домена на который нужно выпускать сертификат (например api.smartplayer.org/cms.smartplayer.org).
Наименование шага | Описание действий | Ответственные |
---|---|---|
Купить сертификат GlobalSign на сайте reg.ru | Покупка сертификата уровня DomainSSL | Сотрудник SmartPlayer |
Отправка TXT записи | Сотрудник SmartPlayer отправит TXT запись которую нужно будет добавить для домена | Сотрудник SmartPlayer |
Добавление TXT записи для домена | Добавить TXT запись для домена | Администратор домена (сотрудник организации) |
Создание цепочки сертификатов | Создается цепочка сертификатов для установки на серверном приложении | Сотрудник SmartPlayer |
Отправка архива с (корневым сертификатов, цепочкой сертификатов, приватным ключом) | Отправка архива с данными по сертификату | Сотрудник SmartPlayer |
- Стоимость услуги примерно 3000р (включает покупку сертификата). Постоплата. Стоимость может меняться, уточняйте в отделе продаж.
- Сертификат будет действовать - один год с момента выпуска.
Если серверное приложение и личный кабинет используют один домен, то достаточно одного сертификата. Если разные домены то нужно покупать 2 сертификата.
Пример одного домена для личного кабинета и серверного приложения:
- https://develop.smartplayer.org - серверное приложение
- https://develop.smartplayer.org/cms/ - личный кабинет
Пример двух доменов для личного кабинета и серверного приложения:
- https://api.smartplayer.org - серверное приложение
- https://cms.smartplayer.org - личный кабинет
На работу приложений это никак не влияет, можно выбрать любой вариант размещения платформы.