SSL Certificates content and format

The certificate that is requested during the installation of Veridium Server has a great importance:

  1. It will allow Veridium Service to work in the domain/domains of customer infrastructure as a trusted platform

  2. It will allow the usage of iOS and Android Devices with Veridium Service inside on-prem setup’s

  3. It will establish a trusted communication during the installation of the components stack used inside Veridium Service


The Veridium Server installer accepts multiple types of certificates:

  1. W686

  2. ildcard type

  3. e.g: *.veridium-dev.com
    where is every subdomain/suffix of server existing in the domain
    .veridium-dev.com is the domain name

  4. subdomain

  5. multidomain

  6. single domain

We recomand buying a valid globaly SSL certificate instead of self-signed Certificate. Using a self-signed certificate will require configuring manually to trust the root CA that generated the certificate.

When using a certificate issued from an internal WINDOWS CA, wildcard will cause issues for OPA service. The workaround is to issue the certificate with proper SAN for your service ( WIP to resolve)


Request your certificate with csr values accordingly to your organization information

Depending on the deployment, Veridium service will be working either by:
Port Mapping - a single DNS record needs to be performed for accesing the server

e.g: vid.domain.com ( which includes endpoints like vid.domain.com:9987/ssp )
SNI Mapping - Multiple unique DNS records are required inside the certificate

After aquiring the certificate, make sure you have the files either in pem format or .p12 format:

  • PEM format:

    • one file will contain the certificate and chain .pem extension together (No empty lines between them)

    • one will contain the private key with .pem extension

  • .P12 format which contains:

    • Root CA

      • one or more intermediate cert

        • SSL certificate + Private Key

Example:

PEM format

.P12 format

certificate.pem example:
 
-----BEGIN CERTIFICATE-----
MIIGQTCCBSXXXXXXocqP
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBMFgK
00u/I5sUKUErmgQfky3xxzlIPK1aEn8=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIF3jCCA8agAwIBnKkKj9
-----END CERTIFICATE-----

This format is available after is created from
Root CA
one or multiple intermediate cert
SSL certificate & Private Key
 
Examples:
ROOT.crt
-----BEGIN CERTIFICATE-----
MIIEMjCCAxqYbg==
-----END CERTIFICATE-----
IntermediateCACertificate.crt
-----BEGIN CERTIFICATE-----
MIIGGTCCBAGgAYYaA7jBU=
-----END CERTIFICATE-----
SSLWILDCARD.crt
-----BEGIN CERTIFICATE-----
MIIGpDCCBYygAiXJKYiog
-----END CERTIFICATE-----
PrivateKey.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADN+gfdgfxbYRP
-----END PRIVATE KEY-----

privatekey.pem example:
 
-----BEGIN PRIVATE KEY-----
MIIEvgIYRP
-----END PRIVATE KEY-----

password is required once the .p12 is created

After obtaining the certificate, make sure you clear the lines spaces from your certificate

Not OK

OK

image-20230328-160735.png


image-20230328-160739.png


We accept encyption up until RSA 4096

Create certificate for Deployment - CONVERT instead !!

Files received when certificate is acquired: certificate.crt CertificateBundle ( chain of certificates) private.key
Edit certificate.crt and include files from CertificateBundle
Transfer to machine with openssl

PFX:

  1. openssl pkcs12 -export -out *.veridium-poc.pfx -inkey private.key -in certificate.crt

  2. type password

  3. output file will be *.veridium-poc.pfx (or similar)

PEM:

  1. openssl x509 -inform PEM -in certificate.crt > certificate.pem

  2. openssl rsa -in private.key -text > private.pem