Introduction
While working with our DSCS9X devices, I encountered a problem where Xibo refused to display a specific page; it stayed blank for the entire duration. Opening the link in the browser revealed what the underlying problem was: ERR_CERT_AUTHORITY_INVALID. It turns out that the page was served with a self-signed certificate.
Installing the certificate in the user store unfortunately did not resolve the issue, which led me to dig deeper. I discovered that the certificate needed to be installed in the system store to be trusted by the player.
After some experimentation, I found a way to remotely install the self-signed certificate into the system store, which resolved the error and allowed the Xibo player to display the page on all our DSCS9X devices.
Keep in mind these steps must be followed again every time the certificate gets renewed.
Export the certificate from the website
- Open the website in your browser (on a desktop computer).
- Click the padlock icon in the address bar and select “Connection is secure” → “View certificates”.
Note: Icons and menu names may vary depending on the browser you are using.
- In the certificate window, navigate to the Details tab.
- Click on Export.
- Choose the format Base64 Encoded.
- Save the file to your machine.
Look up the hash with OpenSSL
Certificate files in the system store must be named in the following format: hash.0
- Install OpenSSL if you don’t already have it.
- Change to the directory containing the certificate file.
- Run the following command:
Ensure that certificate.crt matches the name of your actual certificate
openssl x509 -in certificate.crt -subject_hash_old -noout
This command returns the hash of the certificate. This is important to note down.
- Rename the certificate to the hash and change the file extension to .html.
Example: 9a5ba575.html
Xibo does not accept .crt or .0 as a valid file type. We give it a temporary extension in order to upload it to the Xibo CMS.
Upload the certificate to Xibo CMS
- Open your Xibo CMS in a web browser.
- Navigate to the Media page.
- Upload the certificate file (with a .html extension) to the CMS.
- After uploading, note the ID assigned to the file; you will need this ID later when creating the command for remote installation.
Check your storage settings
As we will be assigning the file to the DSCS9X device, it’s important to know where the file is stored before we create the command. The following two options should work for most people:
- Internal storage (default):
  /data/data/uk.org.xibo.client/files/ID.html
- External storage:
  /storage/emulated/0/Android/data/uk.org.xibo.client/files/ID.html
Set up the command
You will need to modify the example listed below to match your specific scenario.
- Navigate to the Commands page in your management interface.
- Click Add Command.
- Enter a name for the command. This can be anything descriptive.
- Provide a reference label, such as SELFSIGNEDCERT, for easy identification.
- Modify the command template to match your scenario. You will need two pieces of information:
  - INPUT-SOURCE: the certificate file you uploaded to the CMS (e.g., 1140.html).
    Keep in mind you need to use the ID that is assigned to the file.
  - INPUT-CERTIFICATE: the filename needs to be the hash from OpenSSL, and must end with .0 (e.g., 9a5ba575.0).
Important: INPUT-CERTIFICATE must be replaced three times in the command below.
mount -o remount,rw / && cp /data/data/uk.org.xibo.client/files/INPUT-SOURCE /system/etc/security/cacerts/INPUT-CERTIFICATE && chmod 644 /system/etc/security/cacerts/INPUT-CERTIFICATE && chown root:root /system/etc/security/cacerts/INPUT-CERTIFICATE && mount -o remount,ro / && reboot
- Ensure the command is set to be available on Android only.
Extra: Uninstall command
As you need to repeat this process every time the certificate gets renewed, it would be wise to remove the expired certificate from the players before installing the new one.
Make sure to also modify INPUT-CERTIFICATE as described in the previous step.
mount -o remount,rw / && rm /system/etc/security/cacerts/INPUT-CERTIFICATE && mount -o remount,ro / && reboot
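The placeholder substitution for both commands can be scripted so that the hash lands in all three positions and a malformed value never reaches the player's root shell. This is an added example, not part of the original post; the function names and the internal/external keywords are assumptions, and cert_info needs OpenSSL on the desktop machine.

```sh
#!/bin/sh
# Added example, not from the original post. Function names and the
# "internal"/"external" keywords are assumptions made for this sketch.
CACERTS=/system/etc/security/cacerts

# Hash as printed by `openssl x509 -subject_hash_old`: 8 lowercase hex digits.
valid_hash() {
  case $1 in ''|*[!0-9a-f]*) return 1 ;; esac
  [ "${#1}" -eq 8 ]
}

# Media ID assigned by the CMS: digits only (no extension).
valid_id() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
}

# Directory the player stores assigned files in (the two options listed above).
files_dir() {
  case $1 in
    internal) echo /data/data/uk.org.xibo.client/files ;;
    external) echo /storage/emulated/0/Android/data/uk.org.xibo.client/files ;;
    *) return 1 ;;
  esac
}

# Run on the desktop: prints hash, expiry date and SHA-256 fingerprint so the
# file can be compared with what the browser shows before it is trusted.
cert_info() { openssl x509 -in "$1" -noout -subject_hash_old -enddate -fingerprint -sha256; }

# Usage: build_install_cmd MEDIA_ID HASH [internal|external]
build_install_cmd() {
  valid_id "$1" || { echo "bad media ID: $1" >&2; return 1; }
  valid_hash "$2" || { echo "bad hash: $2" >&2; return 1; }
  src_dir=$(files_dir "${3:-internal}") || { echo "bad storage option" >&2; return 1; }
  dst="$CACERTS/$2.0"
  echo "mount -o remount,rw / && cp $src_dir/$1.html $dst && chmod 644 $dst && chown root:root $dst && mount -o remount,ro / && reboot"
}

# Usage: build_uninstall_cmd HASH
build_uninstall_cmd() {
  valid_hash "$1" || { echo "bad hash: $1" >&2; return 1; }
  echo "mount -o remount,rw / && rm $CACERTS/$1.0 && mount -o remount,ro / && reboot"
}

# Demo with the post's example values (media ID 1140, hash 9a5ba575).
build_install_cmd 1140 9a5ba575
build_uninstall_cmd 9a5ba575
```

Paste the printed line into the command field in the CMS; pass external as the third argument if your players use external storage.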
Upload the certificate to the desired players
- Navigate to the Displays page.
- Find the display you would like to assign the file to.
- Click on the white square with an arrow to open the options menu.
- Select the option Assign Files.
- Search for your certificate ending with .html.
- Confirm the assignment.
It’s important that you wait for the file to be on the device before executing the command. To check this, open the options menu and select Manage at the top. Here you can see if the file successfully made it to the device.
Run the command
- Choose the same player to which the certificate was assigned.
- Click on the white square with an arrow to open the options menu.
- Select Send Command.
- Pick the command you created for the certificate.
- Send the command to the player.
The player will reboot after executing the command.
For a command to execute, XMR must be functioning and properly configured. Alternatively, you can schedule the command using the calendar.
Confirm if the certificate got installed in the system store
- Head to the Android settings of your DSCS9X device.
- Click on Security & Location.
- Choose Trusted credentials.
- Scroll through the system store and check whether the certificate got installed.
Additionally, you can check if the Xibo player now displays the page that gave the certificate error.