The validity check by Opencast's HTTPS client is basically performed the same way as any other HTTPS client would, for instance:
- validate the host name
- look up if the certificate is signed by a trusted Certificate Authority (CA)
In case of self-signed certificates, a check whether the certificate is signed by a trusted CA, would fail.
You are advised to obtain a valid certificate, issued by a trusted CA like Let's Encrypt.
However, valid certificates are not always an option for testing or developer instances of Opencast, especially with Enterprise Firewalls or CAA records in place.
Generating Self-Signed Certificates
A self-signed certificate for multiple host names can be created with openSSL as follows:
[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] C = CH ST = Wallis L = Matterhorn O = Apereo OU = Opencast CN = opencast [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = opencast DNS.2 = presentation.local DNS.3 = admin.local DNS.4 = admin DNS.5 = presentation DNS.6 = worker DNS.7 = worker.local
openssl req \ -x509 \ -nodes \ -days 365 \ -newkey rsa:2048 \ -keyout key.pem \ -out testing.pem \ -config testing-cert.req.conf \ -extensions 'v3_req'
In order to view the just generated cert:
openssl x509 -in testing.pem -text -noout
Trusting Self-Signed Certificates
In order to use self-signed certificates for testing or developer instances of Opencast, import your self-signed certificate(s) into the Java Trust Store (bundle of trusted CA certs) and restart Opencast.
Store your certificate in a format compatible with
cat >/tmp/testing.crt <<EOL -----BEGIN CERTIFICATE----- MIIGJzCCBA+gAw... ...O6g== -----END CERTIFICATE----- EOL
Import the certificate with alias
javax.net.ssl.trustStrorewhose password defaults to
changeitwithout asking questions:
keytool \ -import \ -noprompt \ -trustcacerts \ -storepass changeit \ -alias testing_root \ -file /tmp/testing.crt \ -keystore $JAVA_HOME/jre/lib/security/cacerts
Delete the temporary file: