To avoid certificate errors being shown to your users, you must ensure your Active Directory domain trusts the Video Furnace server's certificate.
There are two possible approaches to achieve this:
- Allow the server to generate self-signed certificates that are trusted
- Generate a certificate signing request (CSR) from the Furnace server for the domain to generate a trusted certificate
For most deployments, the first option will be sufficient. It carries a theoretical risk: if the server were compromised by a malicious party, it could be used to generate certificates that are trusted by the domain. However, this would require both access to your local network and root SSH access to the server.
To set up the first option:
- The simplest method is to export the server's certificate from a web browser and add it to the list of Trusted Root CAs in the Default Domain Policy. This will allow the server to generate its own self-signed certificates which are trusted by the domain.
- To do this using Internet Explorer 9, click on the crossed-out padlock icon and click 'Certificate information'. Go to the 'Details' tab and select 'Copy to file'. Choose the Base-64 encoded X.509 (.CER) format and follow the steps to export the certificate.
- To import the certificate, open the Group Policy Management tool and edit the Default Domain Policy or a preferred policy entry. Go to Computer Configuration, Policies, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities, then go to the Action menu and select Import. Select your exported certificate file and follow the steps.
- When completed, run gpupdate /force from a command line and close all browser windows, or reboot the PC, to test that the certificate has been applied.
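One way to check the exported file before importing it, and to confirm afterwards that the policy reached a client PC. This is an added PowerShell example, not part of the original article; the file path is a placeholder you should replace with your own export location.

```powershell
# Added example: inspect an exported .CER before trusting it as a root,
# then confirm Group Policy delivered it to this PC.
param(
    [string]$CerPath = 'C:\Temp\furnace-server.cer'   # placeholder path (assumption)
)

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)

# A self-signed certificate has identical subject and issuer names.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Basic Constraints shows whether this certificate is allowed to sign other
# certificates, which is what the compromise risk described above depends on.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    Select-Object -First 1
$canSign = [bool]($bc -and $bc.CertificateAuthority)

[pscustomobject]@{
    Subject      = $cert.Subject
    Thumbprint   = $cert.Thumbprint
    NotBefore    = $cert.NotBefore
    NotAfter     = $cert.NotAfter
    SelfSigned   = $selfSigned
    CanSignCerts = $canSign
} | Format-List

if (-not $selfSigned) {
    Write-Warning 'Issuer differs from subject: this is not a self-signed certificate.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning 'Certificate has already expired.'
}

# After gpupdate /force: is the same thumbprint in the machine Root store?
$installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($installed) {
    "Trusted root $($cert.Thumbprint) is present on $env:COMPUTERNAME."
} else {
    Write-Warning "Thumbprint $($cert.Thumbprint) not found in LocalMachine\Root; policy has not applied yet."
}
```

Record the thumbprint at export time and compare it with the one shown on the server itself, so you know the file you import is the certificate the server actually presents.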
For further information or if you need assistance generating a signing request, please contact Techex support.