article-detail-page
knowledge
close

Voalte Platform SSL/TLS Certificate Requirements and Best Practices

The Voalte Platform system uses industry-standard SSL/TLS technology to encrypt traffic between servers and clients.

Implementation

Requirements:

  • Because Voalte Me runs on end-users’ personal devices, the certificate needs to be signed by a Certificate Authority (CA) that is trusted by default on both Android and iOS devices.
  • A self-signed or internally signed certificate will not function with the Voalte Platform system.
  • The Domain name on the certificate needs to be in a DNS zone controlled by you.

Best Practices/Notes:

  • If Voalte Me is used, the same domain name can be used for both internal and external clients, If split-horizon DNS is available (DNS names resolve differently depending on if the request came from outside or inside the hospital network)
  • If split-horizon is not an option, different external and internal names can be added to the same certificate as Subject Alternative Names.
  • Voalte Platform is compatible with wildcard certificates if you already have purchased one for other purposes.
  • Once the desired domain name(s) are chosen, Voalte Systems Engineers will generate a key and Certificate Signing Request on the target servers, eliminating the need to transfer the key over the internet.
  • We will provide the CSR to you to be signed by the trusted CA.
  • Once the signed certificate has been provided back to Voalte and validated, it will be installed and tested.
  • Alternatively, you can perform the CSR and key generation process yourself. Contact your Voalte Project team to arrange a secure channel to transfer the key file.

Frequently Asked Questions

  • Q: When downloading my signed certificate from the CA, they are asking me which web server I will be installing it on. Which should I choose?
    A: If available, "Apache" or "httpd" should be selected as the web server software. If they instead as for a format name, "PEM" or "x509" should be selected. Don't worry if you selected something else, however, most formats can be converted freely between each other. If you have questions, please reach out to your Voalte Implementation team for more details.
  • Q: Do I need to send a 'CA bundle' or 'Intermediate Chain' to Voalte as well?
    A: If available, yes! The easiest and most accurate way of constructing a trust-chain is to get it directly from the CA when downloading the signed certificate. If you are unsure or didn't receive one from the CA, Voalte can re-construct it ourselves, however that may delay the installation because of additional testing it requires.
  • Q: Which TLS versions does Voalte support/Can we configure the Voalte Platform server to disallow certain ciphers and protocol versions as specified by our Information Security team?
    A: Starting with Voalte Platform server version 3.7, the default configuration is allowing TLSv1.2 *only*, along with the 'Intermediate' cipher list as published by the Mozilla Foundation. Depending on the devices, operating systems, and applications in your deployment, further customization/hardening is possible. Please reach out to Voalte Technical Support if you have questions on a specific configuration. Note that *all* changes to SSL/TLS configuration need to be tested onsite by an authorized customer representative before being deployed into a production environment.
  • Q: Can I use an internally-signed certificate?
    A: No, certificates need to be signed by a third party CA on the trusted list of both Google and Apple for their mobile platforms.