Certificate Concerns
The Rallypoint acts as a server to which the browser must connect over a secured HTTPS connection. Successfully establishing that connection requires the Rallypoint to present a trusted server identity certificate to the browser. This means the Rallypoint must be configured with a certificate and private key, and the certificate must be issued by an authority trusted by the browsers connecting to it.
For Rallypoints deployed inside the ICE Server (i.e., those created at the time of installation), the ingress server identity certificate and key are used as the identity certificate of the Rallypoint. Recall that the server identity certificate is supplied as the first certificate in the PEM bundle entered in the ICE OS Configuration Wizard (on the TLS page).
When using a widely accepted ingress certificate (one issued by a common, commercial certificate authority) this should work out of the box. However, for administrators using an 'enterprise' certificate issued by their IT department (sometimes mistakenly called a 'self-signed' certificate), things get complicated.
As of this writing, the Rallypoint is limited to providing browser clients only the identity certificate, and not the chain of authorities used to issue it. This has the following limitation:
The root CA certificate AND every intermediate certificate in the signing chain must be installed and trusted by the browser.
The process for installing and trusting a certificate is platform-dependent (see this article for Windows and macOS instructions).
WARNING
If you do not install/trust all intermediate certificates in the chain, the ICE Desktop for Web application will appear to work without visible warning, but all channels will display 'Channel not available on web' irrespective of how they are configured. This problem occurs because of the way the Engage media engine establishes trust with the Rallypoint.
Typically, an administrator only needs to install and trust the root CA certificate on a client system to allow the browser to navigate to a site without receiving a security error. This works because most web servers present the browser with the entire certificate chain required to validate the identity certificate. As long as the root certificate in the chain is already present and trusted on the client system, the browser can verify each link in the signing chain from the server identity certificate up to the root CA. However, the Rallypoint only supplies its server identity certificate to the client, NOT the entire chain.
This functions correctly, but only if the identity certificate was issued directly by a trusted root CA installed on the client system. If there is a delegated authority (an 'intermediate certificate') in the chain, as is commonly the case, then the client browser will NOT be able to verify the Rallypoint’s certificate unless each intermediate certificate and the root certificate are all installed and trusted by the client.
This is true even when the web server (the server hosting the ICE Desktop for Web application) has presented the entire chain to the browser when loading the page. This is because the connection between the channel and its Rallypoint is distinct from the connection to the web server and the trust between the web application and the Rallypoint must be established independently.