Users can automatically create Let's Encrypt SSL certificates for their ISL Conference Proxy with the SSL Module, which was introduced to ISL Conference Proxy in version 4.4.2210.45. We encourage our users to use this module to obtain SSL certificates for their ISL Conference Proxy. Please check our guide here to learn how to use the SSL Module.
Additionally there are two manual ways to enable SSL on your ISL Conference Proxy server:
- using a purchased certificate (obviously you need to pay for it, wildcard certificates are usually more expensive than standard certificates)
- using a self-signed certificate (no purchase necessary, but your visitors will get a warning that the certificate is signed by an unknown CA)
Please decide which option you prefer and then refer to the appropriate section below for instructions.
Note: If you decide to upload SSL certificates to your ISL Conference Proxy via the manual approach, the certificate that you'll upload to the server has to match the server type/definition - to cover all addresses that would be used by ISL Conference Proxy. In most cases it is a single-address setup, so a single-address certificate is ok. A wildcard certificate is needed only on wildcard GRID setups.
Using a purchased certificate
Part 1 - general information
Please follow your certificate provider's Apache(-SSL) HTTPD instructions; they are the most similar to ISL Conference Proxy.
Examples:
https://www.thawte.com/ssl-digital-certificates/technical-support/keygen/
https://www.digicert.com/csr-creation.htm
OpenSSL for Windows can be found here:
http://www.slproweb.com/products/Win32OpenSSL.html
Part 2 - preparing certificate files
Having followed the instructions in the first part, you will have received a signed certificate from your provider.
ISL Conference Proxy requires SSL certificate files to be in the PEM format, so you might need to convert your files appropriately before proceeding. Please refer to your certificate provider's instructions.
Please save the SSL certificate in PEM format as web-cert.pem. You can check if it is ok through the following OpenSSL command - it should print your certificate info such as issuer, validity etc.:
openssl x509 -inform pem -in web-cert.pem -noout -text
Please save your private key in PEM format as web-key.pem. You can check if it is ok through the following OpenSSL command - it should print RSA key ok:
openssl rsa -inform pem -in web-key.pem -noout -check
Important: This command will ask you to enter the appropriate passphrase if you set one when exporting your private key. It is considered best practice to always protect your private keys with a passphrase.
Important: ISL Conference Proxy supports the traditional PEM format (not PKCS#8). If you are generating a private key with OpenSSL 3.x.y, which generates PKCS#8 by default, use the -traditional flag:
openssl genrsa -traditional -out web-key.pem -aes128 2048
In order to avoid potential issues, especially when renewing a certificate and replacing the existing one, it is recommended to check the modulus of your private key and your SSL certificate, just to make sure they match. The output of the following two commands should be the same (Modulus=...):
openssl x509 -inform pem -in web-cert.pem -noout -modulus
openssl rsa -inform pem -in web-key.pem -noout -modulus
Important: This command will ask you to enter the appropriate passphrase if you set one when exporting your private key. It is considered best practice to always protect your private keys with a passphrase.
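The key-format and modulus checks described above, combined into one pre-upload script. This is an added example, not part of the original guide or ISL Online's own tooling; the function names pem_key_format, modulus_matches and check_pair are made up for illustration, and the script assumes an RSA key and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example (not ISL Online code): pre-upload checks for the files named on
# this page. Function names are illustrative; assumes an RSA key and openssl.

# Classify a private key file by its PEM header.
# Prints: traditional | pkcs8 | pkcs8-encrypted | unknown
pem_key_format() {
    if grep -q -e '-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo traditional          # PKCS#1, the format the page asks for
    elif grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo pkcs8-encrypted
    elif grep -q -e '-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8                # OpenSSL 3.x default without -traditional
    else
        echo unknown
    fi
}

# Return 0 only when certificate $1 and private key $2 have the same modulus.
# Return 2 when either file cannot be read, so two failed reads never "match".
modulus_matches() {
    cert_mod=$(openssl x509 -inform pem -in "$1" -noout -modulus) || return 2
    key_mod=$(openssl rsa -inform pem -in "$2" -noout -modulus) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Run both checks; usage: check_pair web-cert.pem web-key.pem
check_pair() {
    fmt=$(pem_key_format "$2")
    if [ "$fmt" != traditional ]; then
        echo "FAIL: $2 is '$fmt', not traditional PEM" >&2
        return 1
    fi
    if ! modulus_matches "$1" "$2"; then
        echo "FAIL: $2 does not belong to $1" >&2
        return 1
    fi
    echo "OK: $2 is traditional PEM and matches $1"
}

# When called with two file arguments, check them and exit non-zero on failure.
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" || exit 1
fi
```

Saved as a script, it can be run as `sh check-pair.sh web-cert.pem web-key.pem` (the script name is arbitrary) before uploading the files in Part 3; a passphrase-protected key still triggers the OpenSSL prompt.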
If your certificate provider requires you to use one or more intermediate certificates, it will be mentioned in your certificate provider's instructions. In that case please save the appropriate intermediate certificate file in PEM format as web-intermediate.pem. If such a file is not required by your certificate provider, you can skip this step.
Part 3 - uploading certificate files to ISL Conference Proxy
The easiest way to put all the required files to ISL Conference Proxy is to upload them to the private file storage by following these steps:
- Login to your ISL Conference Proxy administration (http://localhost:7615/conf).
- Go to Configuration -> Advanced -> File storage -> Private.
- Click Choose..., select the private key file web-key.pem and click Upload.
- Click Choose..., select the SSL certificate file web-cert.pem and click Upload.
- If you need to use an intermediate certificate, click Choose..., select the intermediate certificate file web-intermediate.pem and click Upload.
- Your uploaded files will be shown in the list below - upload complete.
Now you are ready to enable SSL for web pages served by ISL Conference Proxy.
Part 4 - enabling SSL for web pages
- Login to your ISL Conference Proxy administration (http://localhost:7615/conf).
- Go to Configuration -> General.
- Uncheck the checkbox in front of HTTPT SSL certificate and change the setting to point to the appropriate uploaded file: objects/web-cert.pem
- Uncheck the checkbox in front of HTTPT SSL key and change the setting to point to the appropriate uploaded file: objects/web-key.pem
- If you need to use an intermediate certificate, uncheck the checkbox in front of HTTPT SSL certificate chain and change the setting to point to the appropriate uploaded file: objects/web-intermediate.pem
- Click Save to apply the settings you changed so far.
- If you protected your private key with a passphrase, click the change link next to the HTTPT SSL key passphrase and enter the appropriate passphrase.
- Uncheck the checkbox in front of HTTPT use SSL and change the setting to Yes.
- Click Save to apply these settings.
- Go to Configuration -> Security.
- Verify setting Redirect HTTP to HTTPS for all user web pages is set to Yes.
Now you can open https://serveraddress/ (replace serveraddress with the appropriate DNS name of your server) and test. The page should load successfully and your web browser should indicate that the connection is secure.
Default protocol and cipher suite settings should be a good starting point and in case you have no specific requirements you should leave them at their default values. If needed, you can adjust them - please refer to ISL Conference Proxy configuration best practices (point 7).
Using a self-signed certificate
The easiest way to generate a self-signed certificate is to use the OpenSSL executable that is already present in the ISL Conference Proxy install directory. This example is for Linux; adjust accordingly for Windows.
Important: You need to perform these commands as root.
cd /opt/confproxy
openssl genrsa 2048 > main.key
openssl req -new -x509 -subj "/CN=*.isl.example.com" -key main.key -days 9999 > main.cert
chmod 600 main.key
chmod 600 main.cert
chown islcp:islcp main.key
chown islcp:islcp main.cert
Important: chown is needed in ICP 4.1 and newer, because ICP drops root privileges since the ICP 4.1.0 release. In earlier versions (ICP 4.0, ICP 3.x) you should not chown, as the islcp user does not exist.
After that, go to ISL Conference Proxy administration (http://localhost:7615/conf) and select Configuration - General. Change HTTPT use SSL option to Yes and click Save.
Redirecting HTTP to HTTPS for all user web pages is turned on by default.
Default protocol and cipher suite settings should be a good starting point and in case you have no specific requirements you should leave them at their default values. If needed, you can adjust them - please refer to ISL Conference Proxy configuration best practices (point 7).
Now you can open https://serveraddress/ (replace serveraddress with the appropriate DNS name of your server) and test.
Important: A self-signed certificate is not suitable for production use since website visitors will be presented with a warning about an untrusted certificate.
Note: If you are using a self-signed certificate in a GRID setup (multiple ISL Conference Proxy servers connected as a GRID), then you have to upload the self-signed certificate and private key to the ISL Conference Proxy file storage and enable them as shown in part 3 and part 4 of the above guide for purchased certificates.