Table of Contents
- Why do I need an SSL Certificate?
- Obtaining an SSL Certificate:
- Install your SSL Certificate
- Bind your SSL Certificate
- Redirect HTTP to HTTPS
- Test the SnapStream interface
1. Why do I need an SSL Certificate?
What is SSL? SSL is an acronym for Secure Sockets Layer, an encryption technology. SSL creates an encrypted connection between SnapStream and users' web browsers, allowing private information to be transmitted without the problems of eavesdropping, data tampering, or message forgery. It uses public key cryptography to establish a secure connection. The use of an SSL certificate on a website is usually indicated by a padlock icon in web browsers, but it can also be indicated by a green address bar or other indicators. Websites using SSL use the prefix HTTPS:// instead of HTTP://. When an SSL certificate is installed on a website, you can be sure that the information you enter is secure.
In order to use the SSL protocol with SnapStream, an SSL certificate is required. SSL certificates are provided by Certificate Authorities (CAs) or can be self-created.
2. Obtaining an SSL Certificate:
There are several types of SSL certificate that you can use. The recommended way is to get a commercially signed SSL certificate from a certificate authority. A certificate authority is an entity that issues digital certificates to organizations or people after validating them. Certificate authorities have to keep detailed records of what has been issued and the information used to issue it, and are audited regularly to make sure that they are following defined procedures. Every certificate authority provides a Certification Practice Statement (CPS) that defines the procedures that will be used to verify applications. There are many commercial CAs that charge for their services (GoDaddy, Comodo, etc.). Institutions and governments may have their own CAs.
An SSL certificate has multiple purposes: distributing the public key and, when signed by a trusted third-party, verifying the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person. A Self Signed Certificate is a certificate that is signed by itself rather than a trusted third party. This means you can't verify that you are connecting to the right server because any attacker can create a self-signed certificate and launch a man-in-the-middle attack. Because of this, you should almost never use a self-signed certificate if your Enterprise TV server has access to the internet.
A. Commercially signed SSL Certificate. (Recommended way)
This process will show you how to order an SSL certificate from a commercial certificate authority.
Create the Certificate Signing Request
The first step in ordering an SSL certificate is generating a Certificate Signing Request. This is very easy to do in IIS7 using the following instructions.
- Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
- Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
- In the Actions column on the right, click on Create Certificate Request...
- Enter all of the following information about your company and the domain you are securing and then click Next.
| Field title | Description | Example |
| --- | --- | --- |
| Common Name | The fully qualified domain name (FQDN) of your server. This must match exactly what you type in your web browser or you will receive a name mismatch error. | snapstream-dvr.snapstream.com |
| Organization | The legal name of your organization. This should not be abbreviated and should include suffixes such as Inc, Corp, or LLC. | SnapStream Media |
| Organizational Unit | The division of your organization handling the certificate. (Most certificate authorities don't validate this field.) | Information Technology |
| City/locality | The city where your organization is located. | Houston |
| State/province | The state/region where your organization is located. This shouldn't be abbreviated. | Texas |
| Country/Region | The two-letter ISO code for the country where your organization is located. | US |

- Leave Cryptographic Service Provider at the default option. Increase the Bit length to 2048 bit or higher. Click Next.
- Click the button with the three dots and enter a location and filename where you want to save the CSR file. Click Finish.
Once you have generated a CSR you can use it to order the certificate from a certificate authority.
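The same request can be generated from a script with the built-in certreq.exe, which makes the subject and key length repeatable and reviewable before anything is sent to the CA. This is an added example, not part of the original SnapStream article: the file paths are hypothetical, the subject values are the example values from the table above, and it must be run from an elevated PowerShell prompt on the server that will host the certificate.

```powershell
# Added example: scripted equivalent of the IIS "Create Certificate Request" wizard.
# Paths below are hypothetical; Subject uses the article's example values.
$inf = Join-Path $env:TEMP 'snapstream-csr.inf'
$csr = Join-Path $env:TEMP 'snapstream-dvr.csr'

# Single-quoted here-string so "$Windows NT$" is not expanded by PowerShell.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
; CN must be the exact FQDN users type into the browser.
Subject = "CN=snapstream-dvr.snapstream.com, O=SnapStream Media, OU=Information Technology, L=Houston, S=Texas, C=US"
; 2048 bits or higher, as the wizard step above requires.
KeyLength = 2048
KeySpec = 1
; The private key stays on this server and cannot be exported.
Exportable = FALSE
; Store the key in the machine store so IIS can use it.
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = SHA256
'@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and write the PKCS#10 request.
certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Review the request before ordering: confirm the CN and the key length.
# The patterns assume English-language certutil output.
certutil.exe -dump $csr | Select-String -Pattern 'CN=', 'Public Key Length'
```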
B. IIS Self-signed SSL Certificate.
A word about certificate signing:
An SSL certificate has multiple purposes: distributing the public key and, when signed by a trusted third-party, verifying the identity of the server so clients know they aren’t sending their information (encrypted or not) to the wrong person. A self-signed certificate is a certificate that is signed by itself rather than a trusted third party. This means that the identity of the server is not independently verified. Because of this, it is recommended to use a commercially signed certificate on any server that is exposed to the public internet.
How to generate a self-signed IIS Certificate
- Click on the Start menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
- Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
- In the Actions column on the right, click on Create Self-Signed Certificate...
- Enter any friendly name and then click OK.
You will now have an IIS Self Signed Certificate valid for 1 year listed under Server Certificates. The certificate common name (Issued To) is the server name. Now we just need to bind the self-signed certificate to the IIS site.
3. Install your SSL Certificate.
Install the Certificate
To install your newly acquired SSL certificate in IIS 7, first copy the file somewhere on the server and then follow these instructions:
- From the Control Panel menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.
- Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.
- In the Actions column on the right, click on Complete Certificate Request...
- Click the button with the three dots and select the server certificate that you received from the certificate authority. If the certificate doesn't have a .cer file extension, select to view all types. Enter any friendly name you want so you can keep track of the certificate on this server. Click OK.
- If successful, you will see your newly installed certificate in the list. If you receive an error stating that the request or private key cannot be found, make sure you are using the correct certificate and that you are installing it to the same server that you generated the CSR on. If you are sure of those two things, you may just need to create a new Certificate Request and reissue/replace the certificate. Contact your certificate authority if you have problems with this.
4. Bind your SSL Certificate.
Bind the Self Signed Certificate
- In the Connections column on the left, expand the Sites folder and click on the website that you want to bind the certificate to. Click on Bindings... in the right column.
- Click on the Add... button.
- Change the Type to https and then select the SSL certificate that you just installed. Click OK.
- You will now see the binding for port 443 listed. Click Close.
- Now let's test the IIS self-signed certificate by going to the site with https in our browser (e.g. https://site1.mydomain.com). When you do, you should see the following warning stating that "The security certificate presented by this website was issued for a different website's address" (a name mismatch error).
This is displayed because IIS always uses the server's name as the common name when it creates a self-signed certificate. This typically doesn't match the hostname that you use to access the site in your browser. For many situations where IIS self-signed certificates are used, this isn't a problem. Just click "Continue to this web site" each time. However, if you want to completely get rid of the error messages, you'll need to follow the next two steps below.
5. Redirect HTTP to HTTPS
- Access the SnapStream interface and navigate to Admin => Settings => Misc (shown here: http://helpconsole.com/SnapStreamHelp/default.aspx#pageid=misc).
- Under the Web Redirect section, change "Protocol For Redirect Links" to https. If desired, you can force users to use SSL when accessing this interface using the "Force Redirect to HTTPS" option.
- Click Save
6. Test the Web interface with the Certificate.
Test SSL by opening the Web Admin using https instead of http. You should see a "lock" icon in your browser, indicating that the site uses SSL encryption.
Make sure that client systems can play back content. If client systems run into problems specifically with playing back content, it may be necessary to adjust the Machine Name in the SnapStream software to match the FQDN that the certificate was issued to (for example, SnapStream-DVR vs SnapStream-DVR.mydomain.com).
The Machine Name in the SnapStream software can be adjusted by signing into the SnapStream WebUI => Admin => Machine (under Settings on the left). Adjust the Machine Name to the FQDN that the cert was issued to. Then click save and try playback again.
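The browser checks described in sections 4 and 6 (name mismatch warning, lock icon, certificate issued to the FQDN) can also be run from PowerShell against the bound site. This is an added example, not part of the original SnapStream article: the default host name is the article's example value used as a placeholder, and the script assumes PowerShell 3.0 or later and an RSA certificate.

```powershell
# Added example: report which certificate the server presents and why a browser may warn.
# $HostName is a placeholder; pass the exact name users type into the browser.
param(
    [string]$HostName = 'snapstream-dvr.snapstream.com',
    [int]$Port = 443
)

# Record validation errors but let the handshake finish so the certificate can be read.
# Inspection only: a real client must never accept a certificate unconditionally.
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $c, $ch, $e)
    $script:policyErrors = $e
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    $flags = [System.Net.Security.SslPolicyErrors]
    [pscustomobject]@{
        RequestedName  = $HostName
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        Expires        = $cert.NotAfter
        DaysLeft       = [int]($cert.NotAfter - (Get-Date)).TotalDays
        # RSA key size; the CSR step above asks for 2048 bits or higher.
        KeyBits        = $cert.PublicKey.Key.KeySize
        # Heuristic: a self-signed certificate names itself as its issuer.
        SelfSigned     = ($cert.Subject -eq $cert.Issuer)
        NameMismatch   = $script:policyErrors.HasFlag($flags::RemoteCertificateNameMismatch)
        ChainUntrusted = $script:policyErrors.HasFlag($flags::RemoteCertificateChainErrors)
    }
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

A result with NameMismatch set to True corresponds to the browser warning described in section 4: the name requested is not the name the certificate was issued to.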
If desired, users can be forced to use an HTTPS connection using the Web Redirect settings on the Miscellaneous Settings page of the SnapStream interface. This can be accessed by signing into the SnapStream WebUI => Admin => Misc (under Settings on the left).