This guide outlines the process for adding custom secure sockets layer (SSL) certificates to your BrightSign devices, a common requirement for securing communications, especially when integrating with self-signed or internal Certificate Authority (CA) issued certificates. We'll cover modifying the autorun.zip file to include your certificate and the necessary BrightScript plugin, as well as how to convert various certificate formats to the required PEM format using OpenSSL.
Given a current autorun.zip, make the following changes:
- Modify the /plugins.brs file to reflect:
| Library "appspace/main.brs" |
|---|
BrightSign is particular about line breaks. Be sure to add a line-break character at the end of line #2.
- Next, create the folder "AddCert" within the plugins subdirectory.
- Add the attached file main.brs (standard).
- Add a cert.pem file.
- Reboot the unit.
Note: The device may need the entire SSL certificate chain for the machine you are securing the connection to. In that case, the CA, intermediate, and endpoint certificates must be bundled together in a single cert.pem file.
Note:
- CA or self-signed certs must be in the PEM format.
- BrightSign will not consume PFX, P7B, or CRT files.
- You can convert CRT or PFX files using OpenSSL.
See the instructions below for that procedure.
Converting an SSL cert to a PEM file:
- Obtain a copy of the Windows binaries for OpenSSL: http://gnuwin32.sourceforge.net/packages/openssl.htm
- Extract the contents to C:\OpenSSL\
- Run cmd.exe, navigate to the C:\OpenSSL\Bin folder, and run openssl.exe.
- Depending on the source format of the cert, use the appropriate command to convert your source file.
CRT to PEM
openssl x509 -in certificate.crt -out certificate.pem
DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
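
A pre-deployment check for the cert.pem described above, as an added example (not BrightSign's code or part of the original guide): it counts the certificates in the bundle and flags private keys, which the PFX conversion with -nodes writes unencrypted into its output. The names lint_bundle, CHAIN, and PFX_DUMP and the sample blocks are constructed for illustration.

```python
import base64
import re

# Any PEM block: captures the label and the base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def lint_bundle(data: bytes) -> dict:
    """Summarise a candidate cert.pem before it is added to autorun.zip."""
    report = {"certificates": 0, "private_keys": 0, "other": [], "problems": []}
    if b"-----BEGIN " not in data:
        # 0x30 is the ASN.1 SEQUENCE tag that opens a binary DER certificate.
        kind = "binary DER" if data[:1] == b"\x30" else "not PEM"
        report["problems"].append(f"input is {kind}; convert it to PEM first")
        return report
    for label, body in PEM_BLOCK.findall(data.decode("ascii", "replace")):
        if label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
        elif label != "CERTIFICATE":
            report["other"].append(label)  # e.g. PKCS7, CERTIFICATE REQUEST
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                der = b""
            if der[:1] == b"\x30":
                report["certificates"] += 1
            else:
                report["problems"].append("CERTIFICATE block is not base64 DER")
    if report["private_keys"]:
        report["problems"].append("private key present; strip it before deploying")
    if report["certificates"] == 0:
        report["problems"].append("no usable CERTIFICATE block found")
    return report

def _block(label: str) -> str:
    # Constructed placeholder DER (SEQUENCE { INTEGER 0 }), not a real cert or key.
    b64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed samples: a CA + intermediate + endpoint chain, and the shape of
# the output of the PFX conversion run with -nodes.
CHAIN = (_block("CERTIFICATE") * 3).encode()
PFX_DUMP = ("Bag Attributes\n" + _block("PRIVATE KEY") + _block("CERTIFICATE")).encode()

if __name__ == "__main__":
    for name, sample in (("chain", CHAIN), ("pfx dump", PFX_DUMP)):
        print(name, lint_bundle(sample))
```

To check a real file, pass its bytes: lint_bundle(open("cert.pem", "rb").read()). An empty "problems" list means the file holds only certificate blocks.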
