Posts in Category "SSL"

Preparing Connect Servers for SSL 2048 Certificates

Problem: When a Connect server is running with untrusted, expired or private SSL certificates, Connect Meeting rooms will not launch. Preparing for the transition from 1024 to 2048 SSL certificates is very important for your Connect on-premise SSL-enabled servers.

When you click on a Connect Meeting URL, the initial browser that opens spawns a second browser (the Connect meeting addin):


It is this hand-off between browsers that requires a fully trusted public certificate to complete; the Meeting will hang upon loading if the certificate is untrusted:


During this hand-off between browser sessions, there is not any opportunity to click your way through an untrusted connection. The Meeting will simply hang.

Preparing your on-premise, SSL-enabled Connect servers for the transition from 1024-bit certificates to 2048-bit certificates is very important. Failure to upgrade your certificates as required will result in Meeting rooms hanging. There is a great FAQ page on the subject on the Symantec website: 1024-bit Migration FAQs.

Adobe's SSL configuration documents and tutorials show where and how the SSL certificates are installed, either on hardware-based load-balancing devices/SSL accelerators or in stunnel.

If you are running stunnel directly on the Connect server, the transition to 2048-bit certificates will produce a greater CPU signature, so the comparison between software-based SSL and hardware-based offloaded and accelerated solutions like LTM is worth considering. The new 2048-bit certificates will carry a 70% penalty on CPU load compared to current utilization stats. Check how much CPU stunnel currently uses with 1024-bit certificates and plan accordingly for 70% more CPU than is currently utilized.

If you are not sure whether you are currently running 1024 or 2048 certificates, use this handy tool from Symantec to check: Check your certificate installation

If your account is hosted by Adobe, then you are all set. When I plug in the domain name of an Adobe Connect hosted account for one of our training partners, Rexi Media, I get the following output:
Certificate information
Common name: *
SAN: *
Valid from: 2013-Feb-27 00:00:00
Valid to: 2014-Feb-28 23:59:59
Organization: Adobe Systems Incorporated
Organizational unit: DMBU Systems Engineering
City/locality: San Francisco
State/province: California
Country: US
Serial number: 7b8f272555087f6102773df671c95c3c
Algorithm type: SHA1withRSA
Key size: 2048

Firefox Browsers Fail to Connect when stunnel is used to Secure Connect

Problem:  Firefox Browsers Fail to Connect when stunnel is used to secure Adobe Connect

Solution: Double check to be sure that this setting is in place in the stunnel.conf:

; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all
fips = no

  • The original file version will have this commented out.
  • Enforcing TLSv1 with Firefox will be problematic.

Adobe Connect server pools/clusters and hardware-based load-balancing devices with SSL acceleration

The most robust means of implementing secure socket layer (SSL) with Adobe Connect servers is through a hardware-based SSL accelerator and similarly, the most robust means of clustering Connect servers is with a hardware-based load-balancing device (HLD). Since all enterprise-class HLDs are also SSL accelerators (any that are not both are either legacy or low-end by definition), this example-based article offers a best-practice configuration of a Connect Server pool or cluster running Connect Meetings, Adobe Presenter on-demand content, Adobe Connect Training, Curriculum and Virtual Classrooms securely behind a high-end, application-aware HLD and SSL acceleration device such as F5 BIG-IP LTM. This article does not exhaust the possible configurations, but offers a general working example.

The full tech-note is published here:


Adobe Connect Edge Server Deployment Options: part 2

This article focuses on Enterprise Proxy Connect Edge deployments and troubleshooting:

Adobe Connect Edge Server Deployment Options: part 1

This article focuses on reverse proxy Connect Edge deployments:

Changing the Help Links to use HTTPS://

For Licensed (On-Prem) Adobe Connect systems, the Help Links will still use HTTP:// instead of HTTPS:// even after you have configured SSL for the web application.

To change the protocol for the help pages from http:// to https:// you will need to make a modification to the following file on each server in the Adobe Connect cluster:

The section you need to modify is:

<xsl:variable name="redirectUrl">
<xsl:when test="($configurableWebappHelp!='' and /results/params/param[@name='help']=$isWebappHelp)">
<xsl:value-of select="$configurableWebappHelp"/>
<xsl:when test="($configurableLoginHelp!='' and /results/params/param[@name='help']=$isLoginHelp)">
<xsl:value-of select="$configurableLoginHelp"/>
<xsl:when test="$HELP_HOST!=''">
<xsl:value-of select="concat('http://', $HELP_HOST, '/', $localeId, /results/params/param[@name='help'])"/>
<xsl:value-of select="concat('http://', $ADMIN_HOST, '/common/help/', $locale, /results/params/param

Change http:// to https:// in both lines.
Save the file.
Then restart the Adobe Connect Service on each server in the cluster.

Securing Adobe Connect and CQ with Stunnel

We have created a PDF with step-by-step instructions to secure all four components of Connect: Web App, Meeting App, CQ Author and CQ Publish. Please go through the following Tech Note:


Generating the new SSL certificates for my Adobe Connect server.

ISSUE -: I want to purchase/deploy SSL certificates for my Connect server.

SOLUTION -: This document is valid for both software and hardware SSL configurations with the Adobe Connect server.

1. Download OpenSSL from here: openssl

2. Follow steps 2, 3 and 4 from kbdoc

3. Open a command prompt and execute the commands

cd C:\openssl\bin

openssl req -new -nodes -keyout myserver.key -out server.csr -newkey rsa:2048

This creates two files in C:\openssl\bin:

The file myserver.key contains a private key; do not disclose this file to anyone.

The file server.csr is the Certificate Signing Request (CSR).

You will now be asked for the details to be entered into your CSR.
What you are about to enter is what is called a Distinguished Name or a DN.

For some fields there will be a default value. If you enter '.', the field will be left blank.

Country Name (2 letter code) [US]: US
State or Province Name (full name) []: Texas
Locality Name (eg, city) []: Houston
Organization Name (eg, company) []: Your Company
Organizational Unit Name (eg, section) []: Your Department
Common Name (eg, YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes to be sent with your certificate request

A challenge password []:
An optional company name []:

Use the domain name of the Connect server as the Common Name (CN).

The fields optional company name and challenge password can be left blank.

Your CSR will now have been created in C:\openssl\bin. Open server.csr in a text editor and copy and paste its contents into the enrollment form of the trusted certificate authority (CA), such as VeriSign or Thawte, from which you are requesting the SSL certificate.

Once the CA has issued the SSL certificate, you can use it as the SSL certificate file along with the key file myserver.key generated in step 3.
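
The CSR procedure above, as an added example that is not part of the original post: a non-interactive form of the step 3 command, with the checks worth running before the CSR goes to the certificate authority (the key size is 2048, the Common Name is the server domain, and server.csr really belongs to myserver.key). It assumes a POSIX shell with openssl on the PATH; connect.example.com and the function names are placeholders introduced here.

```shell
#!/usr/bin/env bash
# Added example: step 3 without prompts, plus checks to run before the CSR is
# sent to the certificate authority. connect.example.com is a placeholder.

# make_csr <common-name> <key-out> <csr-out>
# Creates an unencrypted 2048-bit RSA key and a CSR whose CN is the server domain.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 \
    -subj "/C=US/ST=Texas/L=Houston/O=Your Company/OU=Your Department/CN=$1" \
    -keyout "$2" -out "$3" 2>/dev/null
}

# csr_key_bits <csr>: size in bits of the public key inside the request.
csr_key_bits() {
  openssl req -in "$1" -noout -text |
    sed -n 's|.*Public[- ]Key: (\([0-9]*\) bit.*|\1|p' | head -n 1
}

# csr_common_name <csr>: the CN, which must equal the Connect server domain name.
csr_common_name() {
  openssl req -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# csr_matches_key <csr> <key>: succeeds only when both hold the same RSA modulus,
# so the certificate issued for this CSR will pair with this key file.
csr_matches_key() {
  local a b
  a=$(openssl req -in "$1" -noout -modulus 2>/dev/null) || return 1
  b=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demonstration on freshly generated files in a temporary directory.
demo_csr() {
  local dir; dir=$(mktemp -d) || return 1
  make_csr connect.example.com "$dir/myserver.key" "$dir/server.csr" || return 1
  echo "Common Name: $(csr_common_name "$dir/server.csr")"
  echo "Key size:    $(csr_key_bits "$dir/server.csr") bits"
  if csr_matches_key "$dir/server.csr" "$dir/myserver.key"; then
    echo "server.csr was generated from myserver.key"
  fi
  rm -rf "$dir"
}
demo_csr
```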

Adobe Connect Stunnel prompting for passphrase when server/services restarts

PROBLEM -: Whenever the Connect server is restarted, I cannot open the login page/meeting room (stuck on the connecting bar).

I have migrated/installed the SSL configuration to stunnel. When I start the stunnel service, it prompts for a passphrase.

SOLUTION -: It looks like the key file has a passphrase, which needs to be removed.

1. Make sure that the stunnel executable has been installed as a Windows service and is set to automatic.

You can install stunnel as a Windows service with the steps below.

Open a command prompt and change to the stunnel directory: cd C:\Breeze\x.x.x.x\stunnel

stunnel.exe -install

2. If you have a passphrase on the key file of your SSL certificate, remove it using the openssl command.

You can download OpenSSL from here: openssl

To install OpenSSL, follow steps 2, 3 and 4 from kbdoc

3. Open a command prompt and execute the commands

cd C:\openssl\bin

openssl rsa -in certificate.key.current -out

4. The above command looks for certificate.key (the existing SSL key file), removes the passphrase and generates the new key file.

5. Copy the new file and rename it according to the existing key file naming convention under the stunnel folder.

6. Restart the stunnel service to verify that the key file no longer prompts for a passphrase.
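
A way to confirm the result before restarting the service, as an added example that is not part of the original post: it detects a passphrase-protected PEM key, strips the passphrase with the same openssl rsa operation, and checks that the new key loads unattended. It assumes a POSIX shell with openssl on the PATH; the file names, the passphrase and the function names are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: check a key file before stunnel starts as an unattended service.
# File names and the passphrase below are constructed placeholders.

# key_is_encrypted <keyfile>: succeeds if the PEM key is passphrase-protected.
# Covers both PEM layouts: PKCS#8 and the older "Proc-Type" header form.
key_is_encrypted() {
  grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# strip_passphrase <in-key> <out-key> <passphrase-file>
# Same operation as "openssl rsa -in ... -out ...", with the passphrase read
# from a file instead of a prompt. The output key is unprotected, so it is
# created readable by its owner only.
strip_passphrase() {
  ( umask 077 && openssl rsa -in "$1" -out "$2" -passin "file:$3" 2>/dev/null )
}

# stunnel_key_ready <keyfile>: succeeds if the file is a valid RSA key that
# loads with no passphrase. "-passin pass:" makes openssl fail, not prompt.
stunnel_key_ready() {
  ! key_is_encrypted "$1" &&
    openssl rsa -in "$1" -check -noout -passin pass: >/dev/null 2>&1
}

# Demonstration: build a protected key, then produce and check the new one.
demo_passphrase() {
  local dir; dir=$(mktemp -d) || return 1
  printf '%s\n' 'constructed-passphrase' > "$dir/pass.txt"
  openssl genrsa -aes256 -passout "file:$dir/pass.txt" \
    -out "$dir/certificate.key.current" 2048 2>/dev/null || return 1
  stunnel_key_ready "$dir/certificate.key.current" ||
    echo "current key: would prompt for a passphrase"
  strip_passphrase "$dir/certificate.key.current" "$dir/certificate.key" \
    "$dir/pass.txt" || return 1
  stunnel_key_ready "$dir/certificate.key" && echo "new key: loads unattended"
  rm -rf "$dir"
}
demo_passphrase
```

Because the new key file has no passphrase, file permissions are its only protection; restrict read access on it to the account that runs the stunnel service.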


Generating Self signed certificates for Adobe Connect

PROBLEM -: I want to generate self-signed certificates for our internal testing purposes. I need to apply SSL certificates on my Connect server.


Please note that Adobe does not support self-signed certificates in production environments.

This is for internal testing purposes only.

1. Download OpenSSL. You can download it from here: openssl

2. Extract it to C:\

3. Windows 7/Vista users might have to accept the administrative rights prompt to extract/copy the files to C:\. The alternative is to copy the file to any other location, unzip it and copy the extracted openssl folder to C:\

4. Make sure that openssl.exe is located in the C:\openssl\bin folder

5. Open a command prompt and execute the commands

cd C:\openssl\bin

openssl.exe req -x509 -nodes -days 365 -newkey rsa:2048 -keyout -out

Provide the following information while generating the certificate files:

Country Name
State/Province Name
Locality Name
Organization Name
Organization Unit Name
Common Name
Email Address


I have attached a screenshot for reference. Make sure that you provide the exact domain name of your Connect server as the Common Name, as highlighted in the screenshot as well as in the step above.


When the process is completed, it will have generated two files in C:\openssl\bin: a certificate file and a key file.


These two files (certificate and key file) make up the self-signed SSL certificate and can be used to secure either the meeting connection or the application server whose domain name matches the screenshot or the Common Name you provided.

You can follow the SSL KB Doc to configure the SSL certificate/key file on your Adobe Connect server.
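
A local check for the certificate conditions these posts discuss (key size, expiry, and self-signed versus CA-issued), as an added example that is not part of the original posts; it serves both the "check your certificate installation" step in the first post and the self-signed procedure above. It assumes a POSIX shell with openssl on the PATH and a PEM certificate file; connect.example.com, the 30-day window and the function names are placeholders introduced here.

```shell
#!/usr/bin/env bash
# Added example: local checks on a PEM certificate for key size, expiry, and
# whether it is self-signed rather than issued by a certificate authority.

# make_selfsigned <common-name> <days> <key-out> <cert-out>
make_selfsigned() {
  openssl req -x509 -nodes -days "$2" -newkey rsa:2048 -subj "/CN=$1" \
    -keyout "$3" -out "$4" 2>/dev/null
}

# cert_key_bits <cert>: public key size in bits.
cert_key_bits() {
  openssl x509 -in "$1" -noout -text |
    sed -n 's|.*Public[- ]Key: (\([0-9]*\) bit.*|\1|p' | head -n 1
}

# cert_is_self_issued <cert>: subject and issuer are the same name.
cert_is_self_issued() {
  local s i
  s=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
  [ "$s" = "$i" ]
}

# cert_findings <cert> <min-days-left>: prints one line per problem found and
# returns non-zero if there is any.
cert_findings() {
  local bits rc=0
  bits=$(cert_key_bits "$1")
  if [ "${bits:-0}" -lt 2048 ]; then echo "key-size:${bits:-unknown}"; rc=1; fi
  if ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo "expires-within:${2}d"; rc=1
  fi
  if cert_is_self_issued "$1"; then echo "self-signed"; rc=1; fi
  return $rc
}

# Demonstration on a freshly generated one-year test certificate.
demo_cert() {
  local dir; dir=$(mktemp -d) || return 1
  make_selfsigned connect.example.com 365 "$dir/test.key" "$dir/test.pem" || return 1
  echo "Key size: $(cert_key_bits "$dir/test.pem") bits"
  cert_findings "$dir/test.pem" 30 || true
  rm -rf "$dir"
}
demo_cert
```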