Copying certificates and keys
Note: This procedure is for Dragon Voice users. Ignore it if not using Dragon Voice.
This topic shows where to store certificates and keys when setting up secure SSL communications for Dragon Voice.
For an overview of the whole procedure, see Securing connections with SSL/TLS.
- Copy the certificates and keys to these locations.
- Set permissions on the files.
Recommended locations
This table shows suggested file paths for storing certificates and keys. The locations and filenames are not mandatory; we show them here for simplicity and use them in the subsequent examples. (The paths use Linux syntax; adapt them for Windows.)
Recommended path | Description |
---|---|
$KR_DATA_DIR/config/keys/CA.crt | Certificate of the CA that signed the Krypton certificate. Most sites do not need to specify this property: the root certificates of public CAs are usually already present in the host's trust store, so this file is only needed when the CA that issued the Speech Suite certificates is not already trusted by the host. Configure this path as [./keys/CA.crt] in httpClient : caCertificates and https : caCertificates. Each signed certificate is valid for a single host; in a distributed deployment, obtain a separate certificate for each host. |
$KR_DATA_DIR/config/keys/caSigned.key | Private key of the signed certificate configured for Krypton. Configure this path as ./keys/caSigned.key in httpClient : keyFile and https : keyFile. |
$KR_DATA_DIR/config/keys/caSigned.crt | The signed certificate for Krypton. Configure this path as ./keys/caSigned.crt in httpClient : certFile and https : certFile. |
$KR_DATA_DIR/config/keys/myhttpserver.crt | If you use an application server as a resource for Krypton artifacts (for example, to host application grammars, DLMs, semantic models, and so on), and that server uses a certificate signed by a CA other than the one that signed the Krypton certificate, you must add the certificate of the CA that signed the HTTP server certificate to the array value of httpClient : caCertificates. (Similarly, if the HTTP server uses a self-signed certificate, you must add that self-signed certificate to the httpClient : caCertificates array.) For more information see Securing application servers. |
$NLE_HOME/config/caSignedNLE.jks | Path to the service's keystore file, which holds the private key and the CA-signed certificate identifying the service. To create the keystore, see Creating PKCS12 keystores and Converting NLE keystores to JKS. Configure this path with https.keyStore (see Configuring NLE security). |
$NLPS_HOME/config/caSigned.p12 | Path to the service's keystore file, which holds the private key and the CA-signed certificate identifying the service. To create the keystore, see Creating NLP service keystores. Configure this path with server.ssl.key-store and httpClient.keystore. |
$NRM_DATA_DIR/config/keys/CA.crt | Certificate of the CA that signed the Resource Manager certificate. Most sites do not need to specify this property: the root certificates of public CAs are usually already present in the host's trust store, so this file is only needed when the CA that issued the Speech Suite certificates is not already trusted by the host. Configure this path as [./keys/CA.crt] in httpClient : caCertificates and https : caCertificates. Each signed certificate is valid for a single host; in a distributed deployment, obtain a separate certificate for each host. |
$NRM_DATA_DIR/config/keys/caSigned.key | Private key of the signed certificate configured for Resource Manager. Configure this path as ./keys/caSigned.key in httpClient : keyFile and https : keyFile. |
$NRM_DATA_DIR/config/keys/caSigned.crt | The signed certificate for Resource Manager. Configure this path as ./keys/caSigned.crt in httpClient : certFile and https : certFile. |
$TEXTPROC_HOME/keys/CA.crt | Certificate of the CA that signed the NTpE certificate. Most sites do not need to specify this property: the root certificates of public CAs are usually already present in the host's trust store, so this file is only needed when the CA that issued the Speech Suite certificates is not already trusted by the host. Configure this path as [./keys/CA.crt] in https : caCertificates and httpsClient : caCertificates. Each signed certificate is valid for a single host; in a distributed deployment, obtain a separate certificate for each host. |
$TEXTPROC_HOME/keys/caSigned.key | Private key of the signed certificate for NTpE. Configure this path as ./keys/caSigned.key in https : keyFile and httpsClient : keyFile. |
$TEXTPROC_HOME/keys/caSigned.crt | The signed certificate for NTpE. Configure this path as ./keys/caSigned.crt in https : certFile and httpsClient : certFile. |
Setting certificate permissions
When setting up secure connections, ensure that all certificates, private keys and keystores are readable by the account the service runs as: the nuance user on Linux, or the local SYSTEM account on Windows. Private keys and keystores should not be readable by any other account; a readable private key lets anyone on the host impersonate the service.
(The examples below assume the files are in the recommended locations. Your files might have different paths and filenames.)
- Windows: For each keystore file, right-click, select Properties, select the Security tab, and change the permissions so that the SYSTEM account has Read permission and unrelated accounts do not.
- Linux: run these commands:
# NTpE: make the service user the owner, then allow read/write for the owner only
chown nuance:nuance "$TEXTPROC_HOME/keys/caSigned.crt"
chmod 600 "$TEXTPROC_HOME/keys/caSigned.crt"
chown nuance:nuance "$TEXTPROC_HOME/keys/caSigned.key"
chmod 600 "$TEXTPROC_HOME/keys/caSigned.key"
# Krypton
chown nuance:nuance "$KR_DATA_DIR/config/keys/caSigned.crt"
chmod 600 "$KR_DATA_DIR/config/keys/caSigned.crt"
chown nuance:nuance "$KR_DATA_DIR/config/keys/caSigned.key"
chmod 600 "$KR_DATA_DIR/config/keys/caSigned.key"
# Resource Manager
chown nuance:nuance "$NRM_DATA_DIR/config/keys/caSigned.crt"
chmod 600 "$NRM_DATA_DIR/config/keys/caSigned.crt"
chown nuance:nuance "$NRM_DATA_DIR/config/keys/caSigned.key"
chmod 600 "$NRM_DATA_DIR/config/keys/caSigned.key"
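The script below is an added example and is not part of the Nuance documentation or product. It collects the copy, chown and chmod steps above into functions that work for any of the three key directories (Krypton, Resource Manager, NTpE), then verifies the outcome: that each file is owned by the service user and is mode 600, and, where openssl is installed, that the private key really belongs to caSigned.crt and that the certificate chains to CA.crt. The service user nuance, the directory layout from the table, the use of GNU stat and openssl, and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Nuance's own tooling. Installs and verifies the
# caSigned.crt / caSigned.key / CA.crt files described in this topic.

# check_key_perms FILE OWNER
# Succeeds only when FILE exists, is owned by OWNER and has mode 600,
# which is what the chown/chmod steps on this page are meant to produce.
check_key_perms() {
    file=$1; owner=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1          # GNU stat assumed
    actual_owner=$(stat -c '%U' "$file") || return 1
    if [ "$mode" != "600" ]; then
        echo "$file: mode $mode, expected 600" >&2; return 1
    fi
    if [ "$actual_owner" != "$owner" ]; then
        echo "$file: owner $actual_owner, expected $owner" >&2; return 1
    fi
    return 0
}

# install_key_material SRC_DIR DEST_DIR OWNER GROUP
# Copies caSigned.crt, caSigned.key and (if present) CA.crt from SRC_DIR into
# DEST_DIR, e.g. "$KR_DATA_DIR/config/keys", then applies owner and mode 600
# and re-checks each file. Fails on the first problem.
install_key_material() {
    src=$1; dest=$2; owner=$3; group=$4
    mkdir -p "$dest" || return 1
    for f in caSigned.crt caSigned.key CA.crt; do
        [ -f "$src/$f" ] || continue                  # CA.crt is optional
        cp "$src/$f" "$dest/$f" || return 1
        chown "$owner:$group" "$dest/$f" || return 1
        chmod 600 "$dest/$f" || return 1
        check_key_perms "$dest/$f" "$owner" || return 1
    done
}

# verify_cert_matches_key CERT KEY
# Compares the public key inside the certificate with the public key derived
# from the private key. A mismatch means the service cannot present this
# certificate with this key. Returns 2 if openssl is unavailable.
verify_cert_matches_key() {
    cert=$1; key=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# verify_cert_chain CA_FILE CERT
# Confirms CERT was issued by the CA in CA_FILE (the CA.crt row of the table).
verify_cert_chain() {
    ca=$1; cert=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl verify -CAfile "$ca" "$cert" >/dev/null
}

# Usage (as root, after the CA has returned the signed certificate):
#   install_key_material /path/to/issued "$KR_DATA_DIR/config/keys" nuance nuance
#   verify_cert_matches_key "$KR_DATA_DIR/config/keys/caSigned.crt" \
#                           "$KR_DATA_DIR/config/keys/caSigned.key"
#   verify_cert_chain "$KR_DATA_DIR/config/keys/CA.crt" \
#                     "$KR_DATA_DIR/config/keys/caSigned.crt"
```

Run the install function once per component directory from the table, then the two verify functions; a non-zero exit from any of them means the service would either refuse to load its key material or present a certificate that clients cannot validate.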