
Configure CONTENTdm with SSL to support HTTPS

SSL support for custom CONTENTdm URLs and responsive websites

If you have configured a custom CONTENTdm URL in your institution’s domain and you are using the responsive CONTENTdm website, you must take action so it can be configured to work with HTTPS. Without HTTPS support your users will get warnings that your CONTENTdm site is not secure.

To configure your custom CONTENTdm URL for HTTPS, OCLC enters information about your custom CONTENTdm URL’s SSL certificate into its systems. The information about your SSL certificate is carried in a file called the PKCS #12 file.

Your IT staff must generate your PKCS #12 (or .p12 or .pfx) file, because it requires access to your private encryption keys and your SSL certificate files. The organization from which you purchased an SSL certificate typically will provide tools to generate a PKCS #12 file for sharing.

 Note: 

  • OCLC cannot procure or purchase an SSL certificate for a custom CONTENTdm URL in your institution’s domain.
  • OCLC cannot generate this PKCS #12 file for you. Some websites suggest that you must generate the PKCS #12 file on the machine where you will install it. This is not true. The PKCS #12 file can be prepared on any machine or operating system.
  • Do not send any files to OCLC besides your PKCS #12 file. Sending anyone your private key file or other associated SSL certificate files is a grave security risk for your institution.
  • Do not send a Certificate Signing Request (CSR) to OCLC or ask OCLC staff to generate a CSR for you. OCLC does not provide CSR services. Like the PKCS #12, a CSR does not need to be generated on the web server that runs CONTENTdm.

Or you may want to take the easy path described in Custom CONTENTdm URLs.

Your IT staff can generate a PKCS #12 file using the OpenSSL command on any machine that has access to your private keys. For a hypothetical CONTENTdm site domain, digital.hawkins.edu, the command line options to generate the corresponding PKCS #12 file are:

openssl pkcs12 -export -out mycert.p12 -inkey hawkinspkey.pem -in digitalhawkinscert.pem -certfile intermediatecert.pem

In the above example, mycert.p12 is the file name of the encrypted PKCS #12 file. Your PKCS #12 file is the only thing that you should send to OCLC.

The other files used in this command are:

  • hawkinspkey.pem: the private key file
  • digitalhawkinscert.pem: the domain certificate file
  • intermediatecert.pem: the certificate file that associates the domain certificate to the root certificate authority (CA)

Frequent areas of difficulty with SSL certificate creation and management include accessing the private key and generating the CSR, since the CSR references the private key. Either your SSL provider will give you a private key, or you can generate your own private key file. Always protect your private key from outside access. As long as the private key used in your CSR matches the private key used when the SSL and intermediate certificates are generated, everything should work. Your SSL provider may give you an online tool to generate the CSR and private key, or you can use OpenSSL to generate one. The OpenSSL command to create a CSR would look like this:

openssl req -nodes -newkey rsa:2048 -sha256 -keyout example.key -out example.csr

If your SSL provider gives you individual .crt or .pem files or a package file like .p7b (PKCS #7), you have some of the individual component pieces of the PKCS #12 package. A summary of the various SSL components can be found in a DigiCert knowledge base article.

 Note: Be certain to track the expiration date of your SSL certificate. When the certificate expires, you will need to repeat the certificate generation process and send a new PKCS #12 file to OCLC to continue access to your CONTENTdm site. Allow for a month to prepare the updated PKCS #12 file, deliver it to OCLC Support, and then schedule its installation.
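The checks this procedure depends on (the CSR, private key and certificate carry the same key; the bundle opens and matches that key; at least a month of validity remains), as an added shell example that is not OCLC's own code. The self-signed certificate, the example.* and other.key file names, the subject and the password demo-only are constructed for the demo, and no intermediate certificate is included.

```shell
#!/bin/sh
# Added example: pre-flight checks before sending a PKCS #12 bundle.
# Print the PEM public key carried by a private key, certificate or CSR.
pubkey_of() {  # $1 = key|cert|csr, $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# Succeed only if both files carry the same, non-empty public key.
same_key() {  # $1 = kind, $2 = file, $3 = kind, $4 = file
    a=$(pubkey_of "$1" "$2") && b=$(pubkey_of "$3" "$4") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed only if the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = certificate, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Succeed only if the bundle opens with the password and its leaf certificate
# matches the private key. pass: is for the demo; prefer file: or env: sources.
p12_matches_key() {  # $1 = bundle, $2 = password, $3 = private key
    leaf=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
           openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$leaf" ] && [ "$leaf" = "$(pubkey_of key "$3")" ]
}

# Constructed material: key and CSR from the page's req command (-nodes leaves
# example.key unencrypted), a self-signed stand-in for the CA-issued
# certificate, an unrelated second key, and the exported bundle.
make_demo() {  # $1 = scratch directory
    ( cd "$1" &&
      openssl req -nodes -newkey rsa:2048 -sha256 -keyout example.key \
          -out example.csr -subj "/CN=digital.hawkins.edu" 2>/dev/null &&
      openssl x509 -req -in example.csr -signkey example.key -days 90 \
          -out example.crt 2>/dev/null &&
      openssl genrsa -out other.key 2048 2>/dev/null &&
      openssl pkcs12 -export -out mycert.p12 -inkey example.key \
          -in example.crt -passout pass:demo-only )
}

d=$(mktemp -d)
if make_demo "$d" && same_key csr "$d/example.csr" cert "$d/example.crt" &&
   p12_matches_key "$d/mycert.p12" demo-only "$d/example.key" &&
   valid_for_days "$d/example.crt" 30
then echo "bundle checks passed"; else echo "bundle checks FAILED"; fi
rm -rf "$d"
```

Against real files, run `same_key`, `p12_matches_key` and `valid_for_days` on your own key, certificate and bundle instead of calling `make_demo`.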

Once you have created your SSL certificate, follow the instructions described in Advanced: Use a URL in your institution’s domain to complete the process.

SSL support for custom CONTENTdm URLs and version 6.x websites

OCLC does not support HTTPS for the legacy 6.x website. There are several code changes and internal libraries that need to be updated to work with modern SSL standards, and we are no longer making improvements to version 6.x.

 
