How to apply a signed X509 Certificate to Vx Enterprise Systems

Issue

Applying an SSL Certificate to a Vx Enterprise System

Product Line

Pelco Video Management

Environment

VxCore v2.1.0+

Cause

SSL Security

Resolution

Pre-Requisites: 

An SSL Certificate + Private Key with either CN=Core VIP (if not using DNS) or CN=the hostname associated with the Core VIP (if using DNS).

Files need to be in PKCS12 (.pfx or .p12 file extension) or PEM format (.pem file extension).

Supplemental Technical Note:

- PEM files may or may not come with the .pem extension. 

- To check whether a certificate file is valid, open the file in a text editor; the contents should begin with -----BEGIN followed by base64-encoded characters. If the file extension is .txt, simply change it to .pem to convert.

- To combine an SSL Certificate with its Private Key file you can use the following example: cat server.crt server.key > server.YOUR_CERTIFICATE.pem
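A preflight check for the combined PEM file described in the notes above, as an added example that is not Pelco's own tooling: it confirms the file holds both blocks, that the private key belongs to the certificate, that the CN matches the Core VIP or its hostname, and that the certificate has not expired. The function name check_vx_pem and the hostname vxcore.example.test are assumptions made for illustration.

```shell
# Added example (hypothetical helper, not Pelco tooling): preflight for a
# combined certificate + private key PEM. Usage: check_vx_pem FILE EXPECTED_CN
check_vx_pem() {
    local pem="$1" want_cn="$2" cert_pub key_pub cn

    # 1. Structure: both a certificate block and a private key block exist.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "FAIL: no certificate block in $pem" >&2; return 1; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" ||
        { echo "FAIL: no private key block in $pem" >&2; return 2; }

    # 2. Key pair: the public key inside the certificate must equal the one
    #    derived from the private key. The empty -passin stops openssl from
    #    prompting if the key turns out to be passphrase-protected.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: certificate does not parse" >&2; return 3; }
    key_pub=$(openssl pkey -in "$pem" -pubout -passin pass: 2>/dev/null) ||
        { echo "FAIL: private key does not parse (encrypted?)" >&2; return 4; }
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not belong to this certificate" >&2; return 5; }

    # 3. Subject CN must be the Core VIP or the DNS name associated with it.
    cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 |
         sed -e 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1)
    [ "$cn" = "$want_cn" ] ||
        { echo "FAIL: CN is '$cn', expected '$want_cn'" >&2; return 6; }

    # 4. Validity: reject a certificate that has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired" >&2; return 7; }
    echo "OK: $pem (CN=$cn)"
}

# Run directly, e.g.: sh check_vx_pem.sh certAndPrivateKey.pem vxcore.example.test
if [ "$#" -ge 2 ]; then check_vx_pem "$1" "$2"; fi
```

Running it before the conversion in Step 1 and before the copy in Step 8 catches a mismatched key or wrong CN without restarting a service.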

 

Installing an SSL Certificate depends upon the System Configuration. The steps below will guide you through Single and Dual Core Configurations.

 

Single Core Configuration Steps:

Step 1: Using a machine with OpenSSL installed, execute the following command: openssl pkcs12 -export -inkey YOUR_CERTIFICATE.pem -in YOUR_CERTIFICATE.pem -out YOUR_CERTIFICATE.p12

Step 2: When prompted, enter an export password for encrypting the .p12 file

Step 3: Copy the .p12 file to the following path C:\Program Data\Pelco\Core\core\config

Step 4: Open the vxcore.yml file at the following path C:\Program Data\Pelco\Core\core\config in a text editor and change the following lines below sslConnector:

Please see the example below for reference:

Edit and change to the following: 

keyStorePath: config/YOUR_CERTIFICATE.p12

keyStorePassword: THE_p12_FILE_PASSWORD

*Note: If the password contains special characters of any kind, you will need to enclose it in double quotes.

 

Step 5: Restart the VideoXpert Core Service

*Note: Restarting the Core Service will cause a very short outage on the system.

 

Installing an SSL Certificate on a cluster will require Steps 3-5 to be repeated on the Secondary Core as well as the following additional steps:

Step 6: Use PuTTY to connect to the Accessory Server, enter the following command to gain root access: sudo root, and then enter the necessary credentials.

Step 7: If the Certificate + Private Key are in PKCS12 format, convert them to PEM with the following command: openssl pkcs12 -in YOUR_CERTIFICATE -out YOUR_CERTIFICATE.pem -nodes

Step 8: Enter the following commands to copy the PEM file to the correct places: 

cp certAndPrivateKey.pem /etc/ssl/private/vxcore.pem

cp certAndPrivateKey.pem /usr/share/pelco/supportbox/haproxy/vxcore.pem

service haproxy restart

*Note: Restarting the haproxy service will cause a very short outage on the system. 

Step 9: If you have a Secondary Accessory Server, Steps 6-9 must be repeated on the Secondary.

Step 10: After adding the Certificate, you must go to each Ops Center in the System and enable SSL Certificate Validation as seen below: