Copying certificates and keys

Note: This procedure is for Dragon Voice users. Ignore it if not using Dragon Voice.

This topic shows where to store certificates and keys when setting up secure SSL communications for Dragon Voice.

For an overview of the whole procedure, see Securing connections with SSL/TLS.

  1. Copy the certificates and keys to these locations.
  2. Set permissions on the files.

Recommended locations

This table shows optional filepaths for storing certificates and keys. The locations and filenames are not required. We show them here for simplicity, and use them in subsequent examples. (These paths show Linux syntax, and you can adapt them for Windows.)

Each recommended path below is followed by its description.

$KR_DATA_DIR/config/keys/CA.crt

Certificate from the CA organization that signed the Krypton certificate.

Most sites do not need to specify this property. Most certificate authorities are already loaded onto hosts, and this property is only needed when the organization that generates the Speech Suite certificates is not already loaded.

Configure this path as [./keys/CA.crt] in httpClient : caCertificates and https : caCertificates.

Certificates are valid for a single host. For distributed deployments you acquire different certificates for each host.

$KR_DATA_DIR/config/keys/caSigned.key

Key to the signed certificate configured for Krypton.

Configure this path as ./keys/caSigned.key in httpClient : keyFile and https : keyFile.

$KR_DATA_DIR/config/keys/caSigned.crt

The signed certificate for Krypton.

Configure this path as ./keys/caSigned.crt in httpClient : certFile and https : certFile.

$KR_DATA_DIR/config/keys/myhttpserver.crt

If you use an application server as a resource for Krypton artifacts (for example, to host application grammars, DLMs, semantic models, and so on), and that server's certificate is signed by a CA organization other than the one that signed the Krypton certificate, you must add the certificate of the CA that signed the HTTP server certificate to the array value of httpClient : caCertificates. (Similarly, if the HTTP server uses a self-signed certificate, you must add that self-signed certificate to the httpClient : caCertificates array.) For more information, see Securing application servers.

   
$NLE_HOME/config/caSignedNLE.jks

Path to the service's keystore file.

Used for storing the private key and the CA signed certificate for identifying the service.

To create the keystore, see Creating PKCS12 keystores and Converting NLE keystores to JKS.

Configure this path with https.keyStore (see Configuring NLE security).

   
$NLPS_HOME/config/caSigned.p12

Path to the service's keystore file.

Used for storing the private key and the CA signed certificate for identifying the service.

To create the keystore, see Creating NLP service keystores.

Configure this path with server.ssl.key-store and httpClient.keystore.

   

$NRM_DATA_DIR/config/keys/CA.crt

Certificate from the CA organization that signed the Resource Manager certificate.

Most sites do not need to specify this property. Most certificate authorities are already loaded onto hosts, and this property is only needed when the organization that generates the Speech Suite certificates is not already loaded.

Configure this path as [./keys/CA.crt] in httpClient : caCertificates and https : caCertificates.

Certificates are valid for a single host. For distributed deployments you acquire different certificates for each host.

$NRM_DATA_DIR/config/keys/caSigned.key

Key to the signed certificate configured for Resource Manager.

Configure this path as ./keys/caSigned.key in httpClient : keyFile and https : keyFile.

$NRM_DATA_DIR/config/keys/caSigned.crt

The signed certificate for Resource Manager.

Configure this path as ./keys/caSigned.crt in httpClient : certFile and https : certFile.

   

$TEXTPROC_HOME/keys/CA.crt

Certificate from the CA organization that signed the NTpE certificate.

Most sites do not need to specify this property. Most certificate authorities are already loaded onto hosts, and this property is only needed when the organization that generates the Speech Suite certificates is not already loaded.

Configure this path as [./keys/CA.crt] in https : caCertificates and httpsClient : caCertificates.

Certificates are valid for a single host. For distributed deployments you acquire different certificates for each host.

$TEXTPROC_HOME/keys/caSigned.key

Private key to the signed certificate for NTpE.

Configure this path as ./keys/caSigned.key in https : keyFile and httpsClient : keyFile.

$TEXTPROC_HOME/keys/caSigned.crt

The signed certificate for NTpE.

Configure this path as ../keys/caSigned.crt in https : certFile and httpsClient : certFile.

Setting certificate permissions

When setting up secure connections, ensure that all certificates and keystores are readable by the nuance user or the local system account.

(Below, the examples assume the files are in the recommended locations. Your files might have different paths and filenames.)

  • Windows: For each keystore file, right-click, select Properties, select the Security tab, and change the permissions so that the SYSTEM account has Read permission.
  • Linux: run these commands:
    # NTpE
    chown nuance:nuance "$TEXTPROC_HOME/keys/caSigned.crt"
    chmod 600 "$TEXTPROC_HOME/keys/caSigned.crt"
    chown nuance:nuance "$TEXTPROC_HOME/keys/caSigned.key"
    chmod 600 "$TEXTPROC_HOME/keys/caSigned.key"

    # Krypton
    chown nuance:nuance "$KR_DATA_DIR/config/keys/caSigned.crt"
    chmod 600 "$KR_DATA_DIR/config/keys/caSigned.crt"
    chown nuance:nuance "$KR_DATA_DIR/config/keys/caSigned.key"
    chmod 600 "$KR_DATA_DIR/config/keys/caSigned.key"

    # Resource Manager
    chown nuance:nuance "$NRM_DATA_DIR/config/keys/caSigned.crt"
    chmod 600 "$NRM_DATA_DIR/config/keys/caSigned.crt"
    chown nuance:nuance "$NRM_DATA_DIR/config/keys/caSigned.key"
    chmod 600 "$NRM_DATA_DIR/config/keys/caSigned.key"
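
To confirm the Linux commands above took effect, the following added example (not part of the product or its documentation) audits each file for the expected owner and for any group or other permission bits. The function names and the AUDIT switch are assumptions of this example; it also checks the NLE and NLP service keystores from the table, which the commands above do not cover.

```sh
#!/bin/sh
# Added example: audit ownership and mode of TLS key material (not vendor code).

# check_key_file FILE OWNER
# Prints a finding and returns 1 when FILE is missing, is not owned by OWNER,
# or has any group/other permission bit set (looser than the page's chmod 600).
check_key_file() {
    file=$1 owner=$2
    if [ ! -f "$file" ]; then
        echo "MISSING $file"
        return 1
    fi
    # POSIX ls -ld: field 1 is the mode string, field 3 the owner name.
    mode=$(ls -ld -- "$file" | awk '{print $1}')
    actual=$(ls -ld -- "$file" | awk '{print $3}')
    rc=0
    if [ "$actual" != "$owner" ]; then
        echo "OWNER   $file is owned by $actual, expected $owner"
        rc=1
    fi
    # Characters 5-10 of the mode string are the group and other bits.
    case $(printf '%s' "$mode" | cut -c5-10) in
        ------) ;;
        *) echo "MODE    $file is $mode, expected no group/other access"; rc=1 ;;
    esac
    return "$rc"
}

# audit_keys OWNER FILE...
# Checks every file (does not stop at the first finding); returns 1 if any failed.
audit_keys() {
    owner=$1; shift
    failed=0
    for f in "$@"; do
        check_key_file "$f" "$owner" || failed=1
    done
    return "$failed"
}

# Audit the page's recommended Linux paths only when asked: AUDIT=1 sh audit.sh
# (AUDIT is a switch invented for this example.)
if [ "${AUDIT:-}" = 1 ]; then
    audit_keys nuance \
        "$TEXTPROC_HOME/keys/caSigned.key" "$TEXTPROC_HOME/keys/caSigned.crt" \
        "$KR_DATA_DIR/config/keys/caSigned.key" "$KR_DATA_DIR/config/keys/caSigned.crt" \
        "$NRM_DATA_DIR/config/keys/caSigned.key" "$NRM_DATA_DIR/config/keys/caSigned.crt" \
        "$NLE_HOME/config/caSignedNLE.jks" "$NLPS_HOME/config/caSigned.p12"
fi
```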