HomeWindows InstallationSSL SecuritySetup SSL Security

4.1. Setup SSL Security

The PureCM Server can enable connections from clients over an SSL/TLS link.  This provides transport layer security which is necessary in order to stop other people from intercepting network traffic between client machines and the server in order to find passwords etc. .

PureCM does not supply or create the Certificate that is used as the basis of the SSL link.  It is the responsibility of the System Administrator to ensure that a suitable certificate is installed.  A certificate can be obtained by one of :-

  • A commercial Certificate Authority such as VeriSign or Thawte
  • A free CA such as CACert
  • Your Company's CA (e.g. the Microsoft CA on Windows 2003)
Typically we find that the easiest way to obtain the Certificate is to use the IIS Administration tools to obtain an SSL Certificate for the IIS Webserver on the machine (see this link for details). It can sometimes be useful when you import the Certificate to your machine that you mark the Private Key as 'Exportable' (which then allows you to backup the Certificate to a .pfx file).

Once you have the Certificate on your machine you need to make it available to the PureCM Service. We recommend using the Microsoft WinHttpCertCfg.exe Utility. A typical command line would be :-
C:\Program Files\Windows Resource Kits\Tools\WinHttpCertCfg.exe -g -c LOCAL_MACHINE\MY -s "IssuedToName" -a "AccountName"
Where "IssuedToName" would typically be the 'Common Name' of the Certificate (e.g. 'myserver.mycompany.com') and 'AccountName' should match the account that the PureCM Service runs under (by default 'Local Service' which would typically be specified as 'SERVICE' or 'ServerName\SERVICE' (where ServerName is the name of the Server). Once complete this should allow PureCM Service the right to access the Private Key part of the Certificate (which it needs in order to process SSL messages).

The PureCM Service on Windows will attempt to load the certificate from the store on startup.  If anything is goes wrong with this process you should see messages logged to the Application Event Log (events I0007,W0128,W0109 are the most significant here). By default, PureCM attempts to load a Certificate with a Common Name matching the FQDN (Fully Qualified Domain Name) of the Server (e.g. 'myserver.mycompany.com'). If your Certificate doesn't match the Hostname for whatever reason, you can override this behaviour by setting a Registry value
 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PureCM Service\Parameters\CertCommonName
which should be of type REG_SZ and should be set to the Common Name of your Certificate.
If you have problems using a certificate and/or SSL with PureCM, please contact Support by submitting a ticket. 

This page was: Helpful | Not Helpful