Securing a Portal Experience with SSL

In this topic you will learn how to secure a Gallery Portal Experience using Secure Sockets Layer (SSL).

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private and integral. SSL is an industry standard and is used by millions of websites in the protection of their online transactions with their customers.

Notes on using SSL with Gallery

  • Publishers are responsible for the SSL certificate
  • Self-signed certificates are not supported
  • The private key cannot be encrypted with a password
  • The private key should start and end with ‘-----BEGIN RSA PRIVATE KEY-----’ and ‘-----END RSA PRIVATE KEY-----’
  • The maximum SSL certificate key length supported by Gallery is 2048 bits
  • Brightcove requires the certificate to be in PEM format
  • Brightcove recommends that SSL certificates used in Gallery sites not be used anywhere else
  • Publishers must use a custom domain name

Configuring a Portal Experience for SSL

These steps assume you have purchased an SSL certificate. Your video site must also be configured to use a custom domain. For information on configuring a site to use a custom domain, see Configuring Custom Domains and SSL.

Upload the SSL certificate

  1. Open the Gallery module.
  2. Click the settings icon () on the home page.
  3. In the left navigation, click the Custom Domains & SSL link.
  4. Edit the custom domain that SSL will be enabled for.
  5. Check Use SSL.
  6. Paste in your Server Certificate. Remove any blank lines at the beginning or end of the key. Brightcove requires the certificate to be in PEM format.
  7. Paste in your Server Private Key. Remove any blank lines at the beginning or end of the key. Brightcove requires the certificate to be in PEM format.
  8. Paste in your Chain of CA Certificates. If your certificate was signed by a root CA, then only the root certificate CA needs to be pasted in.  This should not include your own certificate. The certificate order is immediate cert. > any other intermediary > root (the root certificate is optional).
    Remove any blank lines at the beginning or end of the key. Brightcove requires the certificate to be in PEM format.
  9. Click Save. The site details will be displayed.
  10. Click Save. The certificate will be validated and if there are errors, they will be displayed.

The SSL status will display Updating Configuration while the SSL information is being updated and propagated. Click Refresh List to update the SSL status.

Configure the CNAME record

Once SSL has been configured, the SSL status will be Enabled. The CNAME information will be updated with a CloudFront URL. The CloudFront URL will not change unless the domain is deleted.

Note that browsing directly to a CloudFront URL will return a "page not found" error (404). A curl command can be used to verify the domain configuration. For this example:

curl -H "Host: video.brightcovelearning.com" https://d3mkhzp6k6x3hl.cloudfront.net

The curl statement should return the contents of the site home page.

The CNAME record for your custom domain should redirect to the CloudFront URL displayed on the Custom Domains and SSL page.

Updating/Replacing SSL certificates

If an SSL certificate needs to be updated or replaced, for example, the SSL certificate may be set to expire, follow these steps to replace an existing SSL certificate.

  1. Open the Gallery module.
  2. Click the settings icon () on the home page.
  3. In the left navigation, click the Custom Domains & SSL link.
  4. Locate the custom domain using the SSL certificate and then click the edit icon ().
  5. Click Upload new certificate.
  6. Paste in the new Server Certificate, Server Private Key and Chain of CA Certificates. Remove any blank lines at the beginning or end of the keys.
  7. Click Save.

If there are any errors with the updated keys, the old values will be retained.

Sample keys

Below are examples of some sample certificates/keys.

Sample server certificate

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBFA
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq
vA==
-----END CERTIFICATE-----

Sample server private key

-----BEGIN RSA PRIVATE KEY-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq vA=
-----END RSA PRIVATE KEY-----

Sample chain of CA certificates

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq vA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq vA== vA== 
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS .... 
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq vA== vA==
-----END CERTIFICATE-----

FAQs

Can a Gallery site with a custom domain and SSL be only accessible via HTTPS? Yes, in fact this is the only way we allow the site to be accessed. If you try to access a site on the HTTP link, you will automatically be redirected to the HTTPS site. This is done by forcing HTTPS redirects in CloudFront.