Securing a Portal Experience with SSL

In this topic you will learn how to secure a Gallery Portal experience using Secure Sockets Layer (SSL).

Secure Sockets Layer (SSL) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and the browser remains private and unaltered. SSL is an industry standard used by millions of websites to protect online transactions with their customers.

Note: By default, all Brightcove-provided domains support SSL. If your video site uses the default assigned URL or a Brightcove-provided domain (brightcovegallery.com or gallery.video), the site can also be accessed by prefixing the URL with https. There is also an option to Enforce SSL on this domain (recommended), which redirects viewers who go to the non-SSL version of the site. No setup or SSL certificates are required. This topic covers using your own SSL certificates with a custom domain.

Notes on using SSL with Gallery

  • Publishers are responsible for the SSL certificate
  • Self-signed certificates are not supported
  • The private key cannot be encrypted with a password
  • The maximum SSL certificate key length supported by Gallery is 2048 bits
  • Brightcove requires the certificate to be in PEM format
  • Brightcove recommends that SSL certificates used in Gallery sites not be used anywhere else
  • Publishers must use a custom domain name

Note: When working with SSL certificates, do not under any circumstances share your private key or send it to Brightcove Support.

Configuring a portal experience for SSL

These steps assume you have purchased an SSL certificate. Your video site must also be configured to use a custom domain. For information on configuring a site to use a custom domain, see Configuring Custom Domains and SSL.

Upload the SSL certificate

  1. Open the Gallery module.
  2. Click the Settings link.
  3. In the left navigation, click the Custom Domains & SSL link.
  4. Edit the custom domain that SSL will be enabled for.
  5. Check Use SSL.
  6. Paste in your Public Key. Remove any blank lines at the beginning or end of the key.
  7. Paste in your Private Key. Remove any blank lines at the beginning or end of the key.
  8. Paste in your Certificate Chain. Remove any blank lines at the beginning or end of the key.
  9. Click Save. The site details will be displayed.
  10. Click Save. The certificate will be validated and if there are errors, they will be displayed.

The SSL status will display Updating Configuration while the SSL information is being updated and propagated. Click Refresh List to update the SSL status.
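A pre-upload check for the three fields pasted in the steps above, covering the requirements from "Notes on using SSL with Gallery" that can be tested offline: PEM format, no password on the private key, an RSA key no longer than 2048 bits, and no blank lines at the beginning or end. This is an added example, not Brightcove code; the function names are assumptions, the key-length check only reads PKCS#1 "RSA PRIVATE KEY" blocks, and it does not detect self-signed certificates or confirm that the key matches the certificate.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, headers, der)] for every PEM block in text."""
    out = []
    for label, body in PEM_RE.findall(text.replace("\r\n", "\n")):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]  # e.g. "Proc-Type: 4,ENCRYPTED"
        b64 = "".join(ln for ln in lines if ":" not in ln)
        out.append((label, headers, base64.b64decode(b64, validate=True)))
    return out

def der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of content)."""
    n = buf[i] & 0x7F if buf[i] & 0x80 else 0
    length = int.from_bytes(buf[i + 1:i + 1 + n], "big") if n else buf[i]
    return length, i + 1 + n

def rsa_modulus_bits(der):
    """Modulus size of a PKCS#1 RSAPrivateKey: SEQUENCE { version, modulus, ... }."""
    _, i = der_len(der, 1)                 # skip SEQUENCE tag and length
    vlen, i = der_len(der, i + 1)          # version INTEGER
    mlen, i = der_len(der, i + vlen + 1)   # modulus INTEGER
    return int.from_bytes(der[i:i + mlen], "big").bit_length()

def lint_gallery_pem(pub, key, chain):
    """Added example (not Brightcove code): list problems against the page's rules."""
    problems = []
    for name, text in (("public key", pub), ("private key", key), ("certificate chain", chain)):
        lines = text.splitlines()
        if not lines or not lines[0].strip() or not lines[-1].strip():
            problems.append(f"{name}: blank line at beginning or end")
        try:
            blocks = pem_blocks(text)
        except ValueError:                 # binascii.Error subclasses ValueError
            blocks = []
        if not blocks:
            problems.append(f"{name}: no valid PEM block found")
        for label, headers, der in blocks:
            if "ENCRYPTED" in label or any("ENCRYPTED" in h for h in headers):
                problems.append(f"{name}: encrypted with a password")
            elif name != "private key" and label != "CERTIFICATE":
                problems.append(f"{name}: unexpected {label} block")
            elif label == "RSA PRIVATE KEY" and rsa_modulus_bits(der) > 2048:
                problems.append(f"{name}: RSA key longer than 2048 bits")
    return problems
```

An empty list means the fields pass these checks; run it locally so the private key never leaves your machine.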

Configure the CNAME record

Once SSL has been configured, the SSL status will be Enabled. The CNAME information will be updated with a CloudFront URL. The CloudFront URL will not change unless the domain is deleted.

Note that browsing directly to a CloudFront URL will return a "page not found" error (404). A curl command can be used to verify the domain configuration. For example:

curl -H "Host: video.brightcovelearning.com" https://d3mkhzp6k6x3hl.cloudfront.net

The curl statement should return the contents of the site home page.

The CNAME record for your custom domain should point to the CloudFront URL displayed on the Custom Domains and SSL page.

Note: If you are using custom headers and footers, check to make sure that all URLs are secure as well.

Updating/Replacing SSL certificates

If an SSL certificate needs to be updated or replaced (for example, because it is about to expire), follow these steps to replace the existing SSL certificate.

  1. Open the Gallery module.
  2. Click the Settings link.
  3. In the left navigation, click the Custom Domains & SSL link.
  4. Locate the custom domain using the SSL certificate and then click the edit icon.
  5. Click Upload new certificate.
  6. Paste in the new Public Key, Private Key and Certificate Chain. Remove any blank lines at the beginning or end of the keys.
  7. Click Save.

If there are any errors with the updated keys, the old values will be retained.

Sample keys

Below are examples of some sample keys.

Sample public key

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBFA
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq
vA==
-----END CERTIFICATE-----

Sample private key

-----BEGIN RSA PRIVATE KEY-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq
vA=
-----END RSA PRIVATE KEY-----

Sample certificate chain

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq
vA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS ....
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq
vA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTExMjMxMDg1OTQ0WhcNMTIxMjMwMDg1OTQ0WjBF
.... MANY LINES LIKE THIS .... .... MANY LINES LIKE THIS .... 
JjyzfN746vaInA1KxYEeI1Rx5KXY8zIdj6a7hhphpj2E04LDdw7r495dv3UgEgpRC3Fayua4DRHyZOLmlvQ6tIChY0ClXXuefbmVSDeUHwc8YufRAERp2GfQnL2JlPULB7xxt8BVc69rLeHV15A0qyx77CLSj3tCx2IUXVqRs5mlSbq094NBxsauYcm0A6Jq
vA==
-----END CERTIFICATE-----

FAQs

  1. Does the SSL Cert need to be a SAN cert? No. The SSL cert does not need to be a SAN cert. Gallery uses CloudFront to manage the SSL termination, so their requirements are the same as Gallery's. You can read more about them here.
  2. Can a Gallery site with a custom domain and SSL be only accessible via HTTPS? Yes, in fact this is the only way we allow the site to be accessed. If you try to access a site on the HTTP link, you will automatically be redirected to the HTTPS site. This is done by forcing HTTPS redirects in CloudFront.