Install & Upgrades
      Back to home
      1. Help Center
      2. Install & Upgrades

      Installing SSL Certificate

      This outlines the method for installing a custom SSL Certificate to be used by your Diffusion server to encrypt traffic. In most production scenarios SSL offloading is performed by the load balancer. However in some cases this is not practical. Diffusion is provided with a self-signed certificate, and an SSL enabled connector using port 8443. This should be used for testing and development only. In production Certificate Authority (CA) signed certificates should be used. CA signed certificates ensure that the third party that you are communicating with has not been spoofed. Self-signed certificates have no way to prove that they are valid and not forged. Warning: For security reasons, the self-signed certificate included with Diffusion should not be used in a production environment.

      Creating a KeyStore

      If you already have a KeyStore skip this step. KeyStores store pairs of private and public keys. Each pair or entry stored in the keystore is refered by a unique alias. Creating a KeyStore can be completed using the following command.

      1. -alias – name to identify this private / public key pair.
      2. -keystore – name for the keystore file.
      keytool -genkeypair -alias example -keyalg RSA -keystore keystore -keysize 1024

      You will be prompted to enter a password You will then be asked to enter information that will be used in the certificate.

      $ keytool -genkeypair -alias example  -keyalg RSA -keystore keystore -keysize 1024
      Enter keystore password:  
      Re-enter new password: 
      What is your first and last name?
        [Unknown]:  Diffusion Example 
      What is the name of your organizational unit?
        [Unknown]:  Push Technology Support 
      What is the name of your organization?
        [Unknown]:  Push Technology 
      What is the name of your City or Locality?
        [Unknown]:  City of London 
      What is the name of your State or Province?
        [Unknown]:  London 
      What is the two-letter country code for this unit?
        [Unknown]:  UK
      Is CN=Diffusion Example, OU=Push Technology Support, O=Push Technology, L=City of London, ST=London, C=UK correct?
        [no]:  yes

      You have now created a KeyStore. This contains a generated Private and Public Key.

      Creating a Certificate Signing Request

      When you have received the signed certificate from your certificate authority this must be installed into your KeyStore. This can be achieved with the following command.

      keytool -import -trustcacerts -alias example -keystore keystore -file certificate_file.crt

      Your KeyStore can now be added to your Diffusion /etc configuration folder, this should replace the existing KeyStore provided by Diffusion. If you have not called your KeyStore ‘keystore’ it is required that you point Diffusion to the correct location / name. The configuration for this is within etc/Connectors.xml. It is also advised that you add the password for the KeyStore that you generated earlier as obfuscated text.

      <key-store>
          <file>../etc/keystore</file>
          <password>OB:0dm9lGVslzTpQ72S</password>
      </key-store>

      You will now be able to view your installed certificate by accessing the Diffusion Console securely. The following screenshot is from Google Chrome. 

      article22_image1