About SSL, HTTPS and WebCC on GNU/Linux
You can configure your WebCC server to accept connections through the https protocol, either exclusively or alongside the http protocol. Connections through https are encrypted and the identity of the server is verified using a certificate. This ensures the information exchanged between the client and the server cannot be deciphered if intercepted. Also, provided that you configure WebCC with a certificate signed by a reputable certificate authority, this ensures that hackers cannot perform man-in-the-middle attacks by making their own server pose as your WebCC server to intercept its traffic.
For WebCC to accept connections with the https protocol, you must configure WebCC with the following:
- The port used for https connections.
- The private certificate key.
- The certificate.
- Optionally, the root CA and/or intermediate certificate.
There are two types of certificates supported by WebCC:
- Privacy Enhanced Mail (PEM) certificates: These certificates are ASCII files encoded in Base64. Typically, the certificate is in a file with a .crt, .cer or .pem extension and the private key is in a file with a .key extension.
- Personal Information Exchange (PFX /PKCS #12) certificates: These certificates are binary files that include both the certificate and its private key. Typically, such certificates are used for Windows servers and have a .pfx or .p12 extension.
If your certificate is in any other format, such as DER, PKCS #7 or CA_bundle, you will need to perform extra steps to convert the certificate to a supported format.
About Certificate Signature
It is recommended to use a certificate that has been signed by a reputable certificate authority.
If your certificate is signed by a certificate authority, WebCC will typically be accessible without issue in a web browser. However, if you want clients to be able to upload and download scene changes directly between Harmony and the WebCC server, you may have to specify the root and/or intermediate certificate for your certificate. This is because web browsers are typically designed to trace a certificate's chain of trust all the way to the root certificate authority, whereas Harmony is not.
If your certificate is self-signed, web browsers will warn the user that the website is not secure, and users will need to go around that warning to access WebCC. Likewise, Harmony will not be able to upload or download scene changes directly from its interface at all, unless the client makes Harmony trust self-signed certificates by enabling the hidden preference WEBCC_SSL_SELF_SIGNED—see Disabling SSL Certificate Validation for WebCC in Harmony.