Configure an SSL Certificate For Use With Capture Appliances (ESS)
Last Updated: Nov 09, 2017 04:51PM EST

This article applies to:  Echo360 Admins

Summary

This article explains how to configure a TLS/SSL certificate for use with EchoSystem capture appliances such that the appliances' built-in web servers will use it instead of the self-signed certificate which is provided by default.

Relevance

The EchoSystem capture appliances, by default, use a digital certificate which is self-signed. Because of this, all web browsers will present a warning when accessing the appliance's web server using the HTTPS protocol. By configuring the appliance to use a certificate which is issued by a well-known Certificate Authority (CA), and which is valid for the institution's domain, this warning can be eliminated.

Procedure

Prerequisites

There are several important prerequisites before a certificate can be configured for use with capture appliances:

  • The capture appliances must be assigned hostnames. If they only have an IP address without a hostname, this process will not work.
  • The certificate to be installed must be a wildcard certificate. For example, the CN attribute of the certificate must resemble: *.example.com. The asterisk means that the certificate is valid for all hosts matching that pattern. So, if a particular capture appliance has the hostname ca1.example.com then browsers would recognize that wildcard certificate as being valid for it. This also implies that the hostnames of all capture appliances must match that pattern, so it would not be possible to have two capture appliances with hostnames like ca1.example.com and ca2.example1.com and have the same certificate be recognized as valid for both.
  • The certificate and key must be bundled together in PEM format, which is referred to on Microsoft platforms as X.509 Base64-encoded DER. This Wikipedia page provides a good summary of the format: http://en.wikipedia.org/wiki/X.509. Depending on the format in which the certificate was issued, it may need to be converted to PEM. For instance, many certificate authorities issue certificates in PKCS12 format and so conversion to PEM would be necessary. This can be accomplished using the openssl utility, but that is outside the scope of this article.
  • It is possible that the capture appliance's default trust store will not contain the root CA certificate for any given CA. The appliance's trust store can be updated in a fashion similar to the process described below by creating a file, ca-bundle.crt, which contains updated root CA certificates. If you suspect this is necessary for the CA in use then please contact Echo360 Technical Support.

Process

Once these preconditions have been verified with the certificate you plan to use, this process will bundle and deploy it to the capture appliances:

  1. Create a text file named device_server.pem which contains the private key, the wildcard server certificate, and the intermediate CA certificate(s), if any (i.e., concatenate these items).
    • Note: The root CA certificate should not be included in device_server.pem. The appliance's web server takes the partial chain from device_server.pem, then tries to "chase the chain" up to a root CA certificate in ca-bundle.crt.
  2. Place this file in the ${ESS_HOME}/etc directory.
  3. Click the Edit button on the Configuration -> System Settings page, then click Save without making any changes to force recalculation of all devices so that they begin to use the new certificate and key.
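
The following shell function is an added example, not part of the original article or Echo360's tooling. It checks the prerequisites above with the openssl utility before writing device_server.pem in the order given in step 1. The function name and arguments are hypothetical, and it assumes an unencrypted key and one PEM certificate per input file.

```shell
#!/bin/sh
# Added example: build and sanity-check device_server.pem.
# Assumptions (not from the article): inputs are separate PEM files, one
# certificate per file, and the private key is not passphrase-protected.

# build_device_server_pem OUT HOST KEY CERT [INTERMEDIATE...]
# HOST is one appliance hostname the wildcard must cover (e.g. ca1.example.com).
build_device_server_pem() {
    out=$1 host=$2 key=$3 cert=$4
    shift 4

    # 1. The private key must belong to the server certificate.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 1; }
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $cert" >&2; return 1; }
    [ "$key_pub" = "$cert_pub" ] || {
        echo "private key does not match certificate" >&2; return 1; }

    # 2. The wildcard certificate must be valid for the appliance hostname.
    openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" || {
        echo "certificate does not cover $host" >&2; return 1; }

    # 3. No root CA in the bundle: a root is self-signed, so its subject and
    #    issuer are identical. It belongs in ca-bundle.crt instead.
    for ca in "$@"; do
        subj=$(openssl x509 -in "$ca" -noout -subject_hash) || return 1
        issr=$(openssl x509 -in "$ca" -noout -issuer_hash) || return 1
        [ "$subj" != "$issr" ] || {
            echo "root CA must not be bundled: $ca" >&2; return 1; }
    done

    # 4. Concatenate key, server certificate, then intermediates. The file
    #    holds the private key, so create it readable by the owner only.
    ( umask 077 && cat "$key" "$cert" "$@" > "$out" )
}
```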