Installation of certificates in Remote Dictation Service environments


To use the audio sending functionality, the dictation server must present a certificate that the client accepts as valid.

When the dictation server is not in the Invox Dictation cloud network, it does not have a certificate validated by a certification authority (CA), so one must be installed on it.

  • If a certificate validated by a CA that the client machines already trust is available, install it on the dictation server.
  • If no such certificate is available, you can use one issued by your own CA, in which case your CA's root certificate must be installed on the client machines.

You need to have OpenSSL 1.1.0g or higher installed. OpenSSL is installed on most Linux distributions; for Windows it can be downloaded from:

Install on the dictation server

  1. Access the folder C:\Program Files\Vócali\Invox Medical Dictation Server on the machine where the server is located.
  2. In that folder, edit the ServerWS.exe.config file to indicate the certificate to be used:
    <certificate filePath="name-of-certificate.pfx" password="its-password" isEnabled="true" />
    

    or
    <certificate storeName="Root" thumbprint="available-in-certificates-in-certlm.msc" storeLocation="LocalMachine" />
    
  3. After this modification, restart the Invox Dictation Server.

Create certification authority

  1. Private key generation:
    openssl genrsa -des3 -out myCA.key 2048
    

    The command asks for a password to protect the key. It is advisable to set one so that an attacker who obtains myCA.key cannot generate certificates without consent.
  2. Generation of the CA root certificate:
    openssl req -x509 -new -nodes -key myCA.key -sha256 -days 1825 -out myCA.pem
    openssl x509 -outform der -in myCA.pem -out myCA.crt
    

After these two steps you will have three files:

  • myCA.key — private key
  • myCA.pem — root certificates for macOS
  • myCA.crt — root certificates for Windows

Create certificate

  1. Generation of the private key:
    openssl genrsa -out server.key 2048
    
  2. Certificate signing request (CSR):
    openssl req -new -key server.key -out server.csr
    
  3. Configuration. Create a plain text file named config.ext with the following content:
    authorityKeyIdentifier=keyid,issuer
    basicConstraints=CA:FALSE
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = computer-name
    DNS.2 = computer-name
    

    Here computer-name is the DNS name of the dictation server.
    An IP address cannot be used as the computer name; you must use the DNS name.
  4. Creation of the certificate:
    openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 1825 -sha256 -extfile config.ext
    
    openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
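
Before pointing ServerWS.exe.config at server.pfx, it is worth confirming that server.crt chains to myCA.pem, that its subjectAltName contains the server's DNS name, and that server.key belongs to it. The script below is an added example, not part of the vendor documentation. The passphrase, subject names and the file name check_cert.sh are assumptions, and make_demo_pki only builds a throwaway CA and certificate so that the check can be tried offline.

```shell
#!/bin/sh
# Added example, not vendor code. DEMO_PASS and the subject names are constructed.
DEMO_PASS='demo-only-passphrase'

# Build a throwaway CA and server certificate in directory $1 for DNS name $2,
# following the steps above, with -subj/-passout/-passin so nothing prompts.
make_demo_pki() (
  cd "$1" &&
  openssl genrsa -des3 -passout "pass:$DEMO_PASS" -out myCA.key 2048 2>/dev/null &&
  openssl req -x509 -new -key myCA.key -passin "pass:$DEMO_PASS" -sha256 \
    -days 1825 -subj '/CN=Demo Dictation CA' -out myCA.pem &&
  openssl genrsa -out server.key 2048 2>/dev/null &&
  openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'subjectAltName = @alt_names' '' '[alt_names]' "DNS.1 = $2" > config.ext &&
  openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key \
    -passin "pass:$DEMO_PASS" -CAcreateserial -out server.crt -days 1825 \
    -sha256 -extfile config.ext 2>/dev/null
)

# Return 0 only if DIR/server.crt chains to DIR/myCA.pem, lists HOSTNAME in its
# subjectAltName, and DIR/server.key is the private key for that certificate.
check_server_cert() {  # usage: check_server_cert DIR HOSTNAME
  openssl verify -CAfile "$1/myCA.pem" -verify_hostname "$2" \
    "$1/server.crt" >/dev/null 2>&1 || return 1
  cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Run as: sh check_cert.sh DIR HOSTNAME
if [ "$#" -eq 2 ]; then
  check_server_cert "$1" "$2" && echo "server.crt is valid for $2"
fi
```

Run it against the folder that holds your real myCA.pem, server.crt and server.key, passing the DNS name the clients use to reach the dictation server. A non-zero exit status means the clients would reject the certificate.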