Server Certificates

The Verba system uses public-key cryptography to encrypt the communication between the Verba services. The system uses the Windows Certificate Store (WCS) for key management and relies on industry standards such as RSA, AES and SHA.

Choosing the Certificate Authority

Besides using the domain's own CA or a 3rd-party CA, Verba provides the option of configuring the first Media Repository (or Single) server as a CA. This simplifies the installation process and the certificate management. For the installation guides, see: Install the Verba software

If the Verba CA is used, the Verba installer requests the server certificates from the first Media Repository (or Single) server through an HTTPS connection. The certificates generated by the Verba CA are KSP certificates that use SHA512 for the signature algorithm and RSA2048 for the public key.

If the domain's own CA or a 3rd-party CA has to be used, then the server certificates and the CA certificate have to be placed into the server's certificate store in advance.

Server Certificate Requirements

  • Certificates must have RSA keys (2048 recommended)
  • All server certificates must be signed by the same CA
  • Certificates must be valid, not expired or revoked
  • Certificates must have a private and a public key
  • Strong private key protection must be disabled
  • The private key must be exportable
  • The Verba service account (LocalSystem, service user account) must have access to the CA and server certificates

  • Both CSP (Crypto Service Provider) and the new generation KSP (Key Storage Provider) type certificates are supported
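
The requirements above can be checked on a server before the certificate is configured in Verba. The following PowerShell function is an added example, not part of the Verba software; the function name and its parameters are hypothetical, and it inspects one certificate in the local machine's Personal store.

```powershell
# Added example: Test-ServerCertRequirements is a hypothetical helper, not Verba tooling.
function Test-ServerCertRequirements {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$StoreLocation = 'Cert:\LocalMachine\My'
    )
    $ext  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]
    $tp   = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # strip spaces and hidden characters
    $cert = Get-Item -Path "$StoreLocation\$tp" -ErrorAction Stop
    $pub  = $ext::GetRSAPublicKey($cert)                          # $null if the key is not RSA
    $now  = Get-Date

    # Build the chain with online revocation checking (valid, trusted, not revoked)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)
    # Issuing CA: second chain element; stays $null for self-signed or unresolved issuers
    $issuerTp = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate.Thumbprint } else { $null }

    # Private key: can this account open it, is it exportable, is strong protection on?
    $readable = $false; $exportable = $null; $strong = $null
    if ($cert.HasPrivateKey) {
        try {
            $key = $ext::GetRSAPrivateKey($cert)   # throws or returns $null without key access
            $readable = $null -ne $key
            if ($key -is [System.Security.Cryptography.RSACng]) {
                $exportable = [bool]($key.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)
                $strong = $key.Key.UIPolicy.ProtectionLevel -ne [System.Security.Cryptography.CngUIProtectionLevels]::None
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $exportable = $key.CspKeyContainerInfo.Exportable
                $strong = $key.CspKeyContainerInfo.Protected
            }
        } catch { $readable = $false }
    }

    [pscustomobject]@{
        Subject             = $cert.Subject
        IsRsa               = $null -ne $pub
        KeySizeBits         = if ($pub) { $pub.KeySize } else { $null }
        InValidityPeriod    = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
        ChainOkNotRevoked   = $chainOk
        ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        IssuerThumbprint    = $issuerTp
        HasPrivateKey       = $cert.HasPrivateKey
        KeyReadableByCaller = $readable
        Exportable          = $exportable
        StrongProtection    = $strong
    }
}
```

Running the function under the Verba service account also tests the access requirement, and comparing IssuerThumbprint across servers shows whether all server certificates were signed by the same CA.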

Server Configuration

Every Verba server and component has its own Server Certificate configuration. The configuration can be reached by going to the System \ Servers menu, selecting the server, then going to the Change Configuration Settings tab.

Setting Name / Description

Enable Advanced API Security

Sets whether the advanced API security or the legacy mode is used. If disabled, the API ports use unauthenticated TCP and maintain compatibility with earlier Verba versions.

Certificate Trust List

Sets how the server certificates of the remote peers are verified. Accepts the following values:

  • empty - No verification, all certificates are trusted.
  • "*" - All certificates are trusted whose CA certificate can be found in the Trusted Root Certificate Authorities folder of the WCS.
  • "own_ca" - All certificates are trusted whose CA certificate is the same as the CA of the server's own server certificate. (default setting)
  • list of thumbprints - All certificates are trusted whose thumbprint, or whose CA certificate's thumbprint, is provided.

Alternatively, instead of using the WCS, a path to a .crt file can also be provided. In this case, all certificates are trusted whose CA certificate is the same as the provided file.*

Server Certificate

The thumbprint of the server certificate.

Alternatively, instead of using the WCS, a path to a .crt file can also be provided.*

Verba Certificate Authority

The thumbprint of the CA certificate. Required only if the server is a CA.

Key File

If a path is provided in the Server Certificate setting, then the path to the corresponding .key file has to be provided here.* If the WCS is used, this setting is empty.

Key File Password

If a path is provided in the Key File setting, then the password of the key file has to be provided here.*

Verify Trust of HTTP API Connection

Sets whether the CA of the remote peer's server certificate has to be verified for HTTP API connections.

Verify Hostname of HTTP API Connection

Sets whether the Subject (and SANs) of the remote peer's server certificate has to be verified for HTTP API connections.

*Not recommended scenario.

Downloading Server Certificate from the Verba CA

If the Verba CA is used, the server certificates can be generated and downloaded using the Verba Web Interface.

Step 1 - Log into the Verba Web Interface, and go to the System \ Request Server Certificate menu.

Step 2 - Provide the properties of the certificate. The subject should be the FQDN of the server that will use the certificate.

Step 3 - Click Generate. The new certificate will be downloaded.

Changing the Server Certificate if Verba CA is being used

The following steps describe the procedure of changing the server certificates. This is usually required when a certificate has expired or become corrupted. The certificate can be downloaded from the Verba Web Interface.

Step 1 - Log into the server and go to the Start menu. Type "mmc.exe", then press enter.

Step 2 - Go to the File / Add/Remove Snap-in... menu.

Step 3 - From the list on the left side select Certificates and click on the Add button.

Step 4 - Select Computer Account then click Next. On the next page, select Local Computer then click Finish. In the MMC window, press OK.

Step 5 - Import the new .pfx file downloaded from the Verba Web Interface to the Personal folder.

Step 6 - Log in to the Verba Web Interface, and go to the System \ Servers menu.

Changing certificate when the server certificate is expired already

If the server certificate has already expired, the configuration of the Verba server cannot be reached through the web interface. In this case, the settings have to be updated in the registry. Update the following registry value in order to change the server certificate:

HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCert

For changing the CA certificate, update the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCaCert

Finally, restart the Verba services.

Step 7 - Select the server from the list, then go to the Change Configuration Settings menu.

Step 8 - Expand the Server Certificate node, and update the Server Certificate setting.

Step 9 - Click on the  icon.

Step 10 - A notification banner will appear at the top. Click on the "click here" link to be redirected to the Configuration Tasks tab. Click on the Execute button in order to execute the changes.

Step 11 - Changing the Server Certificate configuration also requires the manual restart of the Verba Node Manager Agent service. Log into the servers where required, and restart the service.

Changing the Server Certificate if the Domain or 3rd-party CA is being used

The following steps describe the procedure of changing the server certificates. This is usually required when a certificate has expired or become corrupted, or when the CA is changed.

Step 1 - Log into the server and go to the Start menu. Type "mmc.exe", then press enter.

Step 2 - Go to the File / Add/Remove Snap-in... menu.

Step 3 - From the list on the left side select Certificates and click on the Add button.

Step 4 - Select Computer Account then click Next. On the next page, select Local Computer then click Finish. In the MMC window, press OK.

Step 5 - Place the new server certificate into the Personal \ Certificates folder. This can be done by importing the new .pfx file, by requesting a new certificate directly from the domain's CA, or by creating a new certificate request and then importing the signed .crt file.

Step 6 - If the CA also changes, then make sure that the new CA certificate can be found under the Trusted Root Certificate Authorities folder. If a list of thumbprints or the "own_ca" value is provided in the server's Certificate Trust List setting (in Verba), then the CA certificate can also be under the Personal folder.

Step 7 - Log in to the Verba Web Interface, and go to the System \ Servers menu.

Changing certificate when the server certificate is expired already

If the server certificate has already expired, the configuration of the Verba server cannot be reached through the web interface. In this case, the settings have to be updated in the registry. Update the following registry value in order to change the server certificate:

HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCert

For changing the CA certificate, update the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCaCert

Finally, restart the Verba services.

Step 8 - Select the server from the list, then go to the Change Configuration Settings menu.

Step 9 - Expand the Server Certificate node, and update the Server Certificate setting.

Step 10 - If the CA also changes, then the Certificate Trust List setting has to be updated on all servers, unless the "*" value is used. The new value should contain the thumbprints of both the old and the new CA certificate. After the change, the old thumbprint can be removed, or the setting can be changed to "own_ca".

Step 11 - Click on the  icon.

Step 12 - A notification banner will appear at the top. Click on the "click here" link to be redirected to the Configuration Tasks tab. Click on the Execute button in order to execute the changes.

Step 13 - Changing the Server Certificate configuration also requires the manual restart of the Verba Node Manager Agent service. Log into the servers where required, and restart the service.
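
Both "expired already" notes above describe a situation that can be caught in advance by checking the configured certificates on each server. The following read-only PowerShell check is an added example, not part of the Verba software. It assumes that ApiCert and ApiCaCert are values under HKEY_LOCAL_MACHINE\SOFTWARE\Verba holding a thumbprint or a .crt path, like the corresponding settings; the function name is hypothetical.

```powershell
# Added example: Get-VerbaCertExpiry is a hypothetical helper, not Verba tooling.
# Assumption: ApiCert and ApiCaCert are values under HKLM:\SOFTWARE\Verba that hold
# a thumbprint or a .crt path, like the matching settings in the web interface.
function Get-VerbaCertExpiry {
    param([int]$WarnDays = 30)
    $reg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Verba' -ErrorAction Stop
    foreach ($name in 'ApiCert', 'ApiCaCert') {
        $value = [string]$reg.$name
        if ([string]::IsNullOrWhiteSpace($value)) { continue }
        $cert = $null
        if ($value -match '\.(crt|cer)$') {
            # File-based configuration (marked as not recommended on this page)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $value
        } else {
            $tp = ($value -replace '[^0-9A-Fa-f]', '').ToUpper()
            # The CA certificate may sit under Trusted Root or under Personal
            $cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
                Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
        }
        if (-not $cert) {
            [pscustomobject]@{ Setting = $name; Status = 'CERTIFICATE NOT FOUND'; NotAfter = $null; DaysLeft = $null }
            continue
        }
        $days   = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $status = if ($days -lt 0) { 'EXPIRED' } elseif ($days -le $WarnDays) { 'EXPIRING SOON' } else { 'OK' }
        [pscustomobject]@{ Setting = $name; Status = $status; NotAfter = $cert.NotAfter; DaysLeft = $days }
    }
}

Get-VerbaCertExpiry -WarnDays 30 | Format-Table -AutoSize
```

Scheduling this check on every Verba server gives time to replace a certificate through the web interface before the registry procedure becomes necessary.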