In this security-sensitive world of computers, we are occasionally asked how we deal with certificates that we distribute with our software. This article gives an overview of these and is aimed at IT professionals with prior understanding of cryptographic configuration between systems. Attempting to describe how all of this works is well beyond the scope of this article.
There are basically three things to be aware of that ship with LumenVox products which relate to cryptographic files that can be configured or changed, as described below:
server.pem
The server.pem file is a self-signed certificate generated by LumenVox and used as a placeholder when users access the Dashboard when (the default) HTTPS connection protocol is used. This is used to validate the site as authentic, and not something posing as the intended site.
Since we ship with this placeholder self-signed certificate, it is not intended to function in this authoritative role when installed, so getting a warning about an invalid certificate is correct and normal.
This certificate expires 365 days from the date of the product build. If it expires, the functionality remains, but an expired certificate warning would be issued (in addition to the self-signed certificate warning) when opening the browser page, but functionality would not be inhibited, assuming the user accepts and ignores the warning.
Please refer to our Resolving Dashboard Certificate Issues article for more details on how this file is used.
lv_cacert.pem
This is a Root Certificate Authority (CA) file, which is very similar to those used by web browsers internally when authenticating sites they visit. It is basically a list of Certificate Authority organizations that are trusted to issue valid certificates, along with a bundle of certificates allowing authentication of certificates they have issued.
This file is used when communicating with the LumenVox Flexible Licensing Nodes in the cloud using HTTPS connectivity. It uses CA bundle to validate the site certificates in the LumenVox servers. This is done in a very similar way in which browsers use SSL certificates. These CA bundles are periodically updated in the same way that browsers update theirs.
Users may change this series of Certificate Authority Root Certificates as needed, if some become outdated, or if some custom configuration is needed. The only requirement is that the CA needs to work correctly with the LumenVox signed certificates on the Licensing Nodes, which are updated every couple of years, consistent with other signed certificates used by web sites.
The version of this file that is shipped with LumenVox is freely available from Mozilla and can be obtained in a number of online locations, such as https://curl.haxx.se/docs/caextract.html. Please refer to this page for more information.
cacert.pem
This file, as shipped, is identical to the lv_cacert.pem file described above, and serves a similar function. It is used whenever LumenVox software performs HTTPS operations as part of its other functionality, such as fetching grammar files, SSML documents, etc. This too can be modified or updated by users as needed.
See the CERTIFICATE_AUTHORITY_FILE configuration setting for more details of how to specify a different file or location to use.
Summary
This article is intended to provide an open description of how LumenVox software implements the above functionality. We would caution users again that modification or replacement of these files should only be done by experienced personnel, who are aware of the implications of making such changes.
Although the Root Certificates within these CA bundles do each contain expiration dates, as do those within browsers, these expiration dates are typically far out into the future to avoid problems. Also, since several Root Certificates are contained within the bundle, it is unlikely that all of them would expire before the bundle itself was updated.
If, somehow, these Root Certificates within the CA bundles did all expire, updating these bundle files (lv_cacert.pem and cacert.pem) to new ones should be a relatively simple task, using the Mozilla/Curl link referenced above.
In short, there are no certificates shipped within LumenVox products that should cause a disruption to service under normal circumstances.
