Server Certificates
The Verba system uses public key cryptography based encryption for the communication between the Verba services. It uses the Windows Certificate Store (WCS) for key management and relies on industry standards such as RSA, AES and SHA.
Choosing the Certificate Authority
Besides using the domain's own CA or a 3rd-party CA, Verba provides the option of configuring the first Media Repository (or Single) server as a CA. This simplifies the installation process and the certificate management. For the installation guides see: Install the Verba software
If the Verba CA is used, the server certificates are requested by the Verba installer from the first Media Repository (or Single) server over an HTTPS connection. The certificates generated by the Verba CA are KSP certificates, use SHA512 as the signature algorithm and a 2048-bit RSA public key.
If the domain's own CA or a 3rd-party CA has to be used, the server certificates and the CA certificate have to be placed into the server's certificate store in advance.
Server Certificate Requirements
- Certificates must have RSA keys (2048 recommended)
- All server certificates must be signed by the same CA
- Certificates must be valid, not expired or revoked
- Certificates must have a private and a public key
- Strong private key protection must be disabled
- The private key must be exportable
- The Verba service account (LocalSystem, service user account) must have access to the CA and server certificates
- Both CSP (Crypto Service Provider) and the new generation KSP (Key Storage Provider) type certificates are supported
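The following PowerShell function is an added example, not part of the Verba documentation, that checks a certificate already installed in the LocalMachine\My store against the requirements listed above: RSA key size, validity period, presence of a private key, chain validation (including revocation) up to the expected CA, and whether the private key is exportable for both CSP and KSP keys. The thumbprints it takes are operator-supplied placeholders; the function name is an assumption.

```powershell
# Added example (not Verba's own tooling): audit a LocalMachine\My certificate
# against the Verba Server Certificate Requirements. Thumbprints are placeholders.
function Test-VerbaServerCertificate {
    param(
        [Parameter(Mandatory)][string]$ServerThumbprint,  # server certificate to check
        [Parameter(Mandatory)][string]$CaThumbprint       # CA that every server certificate must be signed by
    )

    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$ServerThumbprint" -ErrorAction SilentlyContinue
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $ServerThumbprint; Ok = $false
                                  Problems = @('certificate not found in LocalMachine\My') }
    }
    $problems = New-Object System.Collections.Generic.List[string]

    # Requirement: RSA key, 2048 bits recommended
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    if (-not $rsa) { $problems.Add('public key is not RSA') }
    elseif ($rsa.KeySize -lt 2048) { $problems.Add("RSA key is $($rsa.KeySize) bits; 2048 recommended") }

    # Requirement: valid, not expired
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems.Add("not valid at $now (valid $($cert.NotBefore) - $($cert.NotAfter))")
    }

    # Requirement: private key present in the store
    if (-not $cert.HasPrivateKey) { $problems.Add('no private key') }

    # Requirement: signed by the same CA and not revoked; a chain build checks both
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems.Add("chain does not validate: $status")
    }
    $issuer = $chain.ChainElements | Select-Object -Skip 1 -First 1   # element 0 is the leaf itself
    if ($issuer -and $issuer.Certificate.Thumbprint -ne $CaThumbprint) {
        $problems.Add("issued by $($issuer.Certificate.Thumbprint), expected $CaThumbprint")
    }
    $chain.Dispose()

    # Requirement: exportable private key; CSP and KSP keys expose this differently.
    # Opening the key also fails when the account running this lacks access to it,
    # so run the check under the Verba service account to verify that requirement too.
    if ($cert.HasPrivateKey) {
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($key -is [System.Security.Cryptography.RSACng]) {
                if ($key.Key.ExportPolicy -eq 'None') { $problems.Add('KSP private key is not exportable') }
            } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                if (-not $key.CspKeyContainerInfo.Exportable) { $problems.Add('CSP private key is not exportable') }
            }
        } catch {
            $problems.Add("private key not accessible: $($_.Exception.Message)")
        }
    }

    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject
                       Ok = ($problems.Count -eq 0); Problems = $problems.ToArray() }
}

# Usage (placeholder thumbprints):
# Test-VerbaServerCertificate -ServerThumbprint 'SERVER_THUMBPRINT' -CaThumbprint 'CA_THUMBPRINT'
```

The "strong private key protection" requirement is a choice made at import time and is not visible through the certificate object, so the function does not test it; confirm it when importing the .pfx. Running the function as each Verba service account is what verifies the access requirement, since the private key open fails under an account without permission.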
Server Configuration
Every Verba server and component has its own Server Certificate configuration. The configuration can be reached by going to the System \ Servers menu, selecting the server, then opening the Change Configuration Settings tab.
| Setting Name | Description |
|---|---|
| Enable Advanced API Security | Sets whether the advanced API security or the legacy mode is used. If disabled, the API ports use unauthenticated TCP and maintain compatibility with earlier Verba versions. |
| Certificate Trust List | Sets the method of verifying the server certificate of the remote peers. Accepts the following values: a list of CA certificate thumbprints, the value "own_ca", or "*" (the values referred to in the certificate change procedures below). Alternatively, instead of using the WCS, a path to a .crt file can also be provided. In this case, all certificates whose CA certificate is the same as the provided file are trusted.* |
| Server Certificate | The thumbprint of the server certificate. Alternatively, instead of using the WCS, a path to a .crt file can also be provided.* |
| Verba Certificate Authority | The thumbprint of the CA certificate. Required only if the server is a CA. |
| Key File | If a path is provided in the Server Certificate setting, the path to the corresponding .key file has to be provided here.* If the WCS is used, this setting is empty. |
| Key File Password | If a path is provided in the Key File setting, the password of the key file has to be provided here.* |
| Verify Trust of HTTP API Connection | Sets whether the CA of the remote peer's server certificate has to be verified for HTTP API connections. |
| Verify Hostname of HTTP API Connection | Sets whether the Subject (and SANs) of the remote peer's server certificate has to be verified for HTTP API connections. |

* Not a recommended scenario.
Downloading Server Certificate from the Verba CA
If the Verba CA is used, the server certificates can be generated and downloaded using the Verba Web interface.
Step 1 - Log into the Verba Web Interface, and go to the System \ Request Server Certificate menu.
Step 2 - Provide the properties of the certificate. The subject should be the FQDN of the server that is going to use the certificate.
Step 3 - Click Generate. The new certificate will be downloaded.
Changing the Server Certificate if Verba CA is being used
The following steps describe the procedure for changing the server certificates. This is usually required when a certificate has expired or become corrupted. The certificate can be downloaded from the Verba Web Interface.
Step 1 - Log into the server and go to the Start menu. Type "mmc.exe", then press enter.
Step 2 - Go to the File / Add/Remove Snap-in... menu.
Step 3 - From the list on the left side select Certificates and click on the Add button.
Step 4 - Select Computer Account then click Next. On the next page, select Local Computer then click Finish. In the MMC window press OK.
Step 5 - Import the new .pfx file downloaded from the Verba Web Interface to the Personal folder.
Step 6 - Log in to the Verba Web Interface, and go to the System \ Servers menu.
Changing the certificate when the server certificate has already expired
If the server certificate has already expired, the configuration of the Verba server cannot be reached through the web interface. In this case, the settings have to be updated in the registry. Update the following registry value to change the server certificate:
HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCert
For changing the CA certificate, update the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCaCert
Finally, restart the Verba services.
Step 7 - Select the server from the list, then go to the Change Configuration Settings menu.
Step 8 - Expand the Server Certificate node, and update the Server Certificate setting.
Step 9 - Click on the icon.
Step 10 - A notification banner appears at the top. Click the click here link to be redirected to the Configuration Tasks tab, then click the Execute button to execute the changes.
Changing the Server Certificate if the Domain or 3rd-party CA is being used
The following steps describe the procedure for changing the server certificates. This is usually required when a certificate has expired or become corrupted, or when the CA is changed.
Step 1 - Log into the server and go to the Start menu. Type "mmc.exe", then press enter.
Step 2 - Go to the File / Add/Remove Snap-in... menu.
Step 3 - From the list on the left side select Certificates and click on the Add button.
Step 4 - Select Computer Account then click Next. On the next page, select Local Computer then click Finish. In the MMC window press OK.
Step 5 - Place the new server certificate into the Personal \ Certificates folder. This can be done either by importing the new .pfx file, by requesting a new certificate directly from the domain's CA, or by creating a new certificate request and then importing the signed .crt file.
Step 6 - If the CA also changes, make sure that the new CA certificate can be found under the Trusted Root Certification Authorities folder. If a list of thumbprints or the "own_ca" value is provided in the server's Certificate Trust List setting (in Verba), the CA certificate can also be placed under the Personal folder.
Step 7 - Log in to the Verba Web Interface, and go to the System \ Servers menu.
Changing the certificate when the server certificate has already expired
If the server certificate has already expired, the configuration of the Verba server cannot be reached through the web interface. In this case, the settings have to be updated in the registry. Update the following registry value to change the server certificate:
HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCert
For changing the CA certificate, update the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Verba\ApiCaCert
Finally, restart the Verba services.
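The registry fallback described here (and in the identical note in the Verba CA procedure above) can be scripted so that the new thumbprint is checked before the service is pointed at it. The function below is an added example and not Verba's own tooling. It assumes, as a labelled guess the documentation does not confirm, that ApiCert and ApiCaCert hold the certificate thumbprint as a string value and that the Verba service names begin with "Verba"; the function name and all thumbprints are placeholders.

```powershell
# Added example (not Verba's own tooling): replace an already-expired server certificate
# through HKLM\SOFTWARE\Verba, verifying the new certificate and CA are in place first.
# Assumptions: ApiCert/ApiCaCert hold a thumbprint string; service names match "Verba*".
function Set-VerbaApiCertificateViaRegistry {
    param(
        [Parameter(Mandatory)][string]$NewServerThumbprint,   # thumbprint of the new server certificate
        [string]$NewCaThumbprint,                              # only needed if the CA changed as well
        [string]$PfxPath,                                      # optional .pfx downloaded from the web interface
        [System.Security.SecureString]$PfxPassword
    )
    $regPath = 'HKLM:\SOFTWARE\Verba'

    # Step 5 equivalent: import the .pfx into Personal with an exportable key, as required.
    if ($PfxPath) {
        Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
            -Password $PfxPassword -Exportable | Out-Null
    }

    # Refuse to point the services at a certificate that is missing, keyless or expired.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$NewServerThumbprint" -ErrorAction SilentlyContinue
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Certificate $NewServerThumbprint not found in LocalMachine\My with a private key; import it first"
    }
    if ((Get-Date) -gt $cert.NotAfter) {
        throw "Certificate $NewServerThumbprint is itself expired ($($cert.NotAfter))"
    }

    # Keep the previous values so the change can be reverted if the services fail to start.
    $old = Get-ItemProperty -Path $regPath
    Write-Host "Previous ApiCert: $($old.ApiCert)  ApiCaCert: $($old.ApiCaCert)"

    Set-ItemProperty -Path $regPath -Name 'ApiCert' -Value $cert.Thumbprint

    if ($NewCaThumbprint) {
        # Step 6 equivalent: the new CA must already be trusted by the machine.
        $ca = Get-ChildItem -Path "Cert:\LocalMachine\Root\$NewCaThumbprint" -ErrorAction SilentlyContinue
        if (-not $ca) { throw "CA certificate $NewCaThumbprint not found in Trusted Root Certification Authorities" }
        Set-ItemProperty -Path $regPath -Name 'ApiCaCert' -Value $ca.Thumbprint
    }

    # Finally, restart the Verba services (service-name pattern is an assumption).
    Get-Service -Name 'Verba*' | Where-Object Status -eq 'Running' | Restart-Service -Force
    Get-ItemProperty -Path $regPath | Select-Object ApiCert, ApiCaCert
}

# Usage (placeholder thumbprint); run from an elevated PowerShell session on the affected server:
# Set-VerbaApiCertificateViaRegistry -NewServerThumbprint 'NEW_SERVER_THUMBPRINT'
```

Restarting only the services that are currently running avoids starting components that were deliberately stopped; after the restart, the server should become reachable again in the web interface so the remaining steps of the procedure can be completed there.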
Step 8 - Select the server from the list, then go to the Change Configuration Settings menu.
Step 9 - Expand the Server Certificate node, and update the Server Certificate setting.
Step 10 - If the CA also changes, the Certificate Trust List setting has to be updated on all servers unless the "*" value is used. The new value should contain the thumbprints of both the old and the new CA certificate. After the change, the old thumbprint can be removed, or the setting can be changed to "own_ca".
Step 11 - Click on the icon.
Step 12 - A notification banner appears at the top. Click the click here link to be redirected to the Configuration Tasks tab, then click the Execute button to execute the changes.