SSL Setup

VirtualHere supports Secure Sockets Layer (SSL) for Client/Server communications. This is useful when sharing USB devices over the Internet to provide better protection against eavesdropping. Server Certificates are supported and, optionally, Client SSL Certificates as well.


  • Make sure you are running the latest VirtualHere Server and VirtualHere Client as the settings below are applicable to the latest versions
  • If there are SSL configuration problems, errors will be displayed in syslog on the server, and System Messages on the client
  • SSL support requires the server be purchased
  • VirtualHere runs SSL on port 7574

Prerequisites (using OpenSSL)

Generate a self-signed CA (skip this if you are using a commercial CA)
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl x509 -in ca.crt -out ca.pem -outform PEM

Generate the self-signed server certificate (or purchase one from a Certificate Authority)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
cat server.key server.crt > server.pem

For the VirtualHere USB Server For Linux/Windows/OSX

  • Make sure the VirtualHere Server is not running
  • Edit the server config.ini file
  • Add the setting sslCert and set it to the full path of server.pem generated above
  • Save the config.ini file and start the VirtualHere Server

If you are using the VirtualHere Android Server

  • Copy the server.pem file to the SD card storage on your Android device, or to, for example, Google Drive.
  • In the VirtualHere App, click on Menu -> SSL... -> Load Cert, then select the server.pem from the location you saved the file to in the previous step

When the Server starts, the VirtualHere client will automatically connect to the VirtualHere Server using TLSv1.2 over the default SSL port of 7574. If you are not using "Auto-Find" you need to enter the server details in the "Specify Hubs.." menu item with a port of 7574.

Note: when running the client as a service, you cannot use any SSL pem file that requires a password.

On the client: Save the server certificate CA file on the client computer and add the parameter SSLCAFile=/path/to/ca.pem under the [General] section of the client vhui.ini configuration file. That Certificate Authority will be added to the client trusted list. If you do not add this parameter, then the server certificate will not be verified, and the SSL connection will not continue.

If you want to use client certificates

Generate a self-signed client certificate (or obtain one from a CA)
Generate the client private key:
With passphrase: openssl genrsa -des3 -out client.key 2048
Without passphrase: openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
cat client.key client.crt > client.pem
Edit the VirtualHere Client configuration file
Specify the full path to the Client certificate file generated above, by using SSLClientCert=c:/path/to/client.pem in the [General] section
Save the Client configuration file and start the client

Stop the server and edit the config.ini and add the settings
Start the server
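
A pre-flight check for the client-side settings described above, as an added example (not VirtualHere's own code): it flags a missing SSLCAFile, a client.pem that lacks the key or the certificate, and a passphrase-protected key when the client runs as a service. It assumes vhui.ini parses as a standard INI file and that SSLClientCert holds a single unqualified path; the function names and sample data are constructed for illustration.

```python
import configparser
import re

# One PEM block: label, then body (RFC 1421 headers, if any, plus base64).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples with placeholder bodies, not real key material.
CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_PLAIN = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n" + CERT
SAMPLE_LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nAAAA\n"
                     "-----END RSA PRIVATE KEY-----\n" + CERT)
SAMPLE_INI = "[General]\nSSLClientCert=c:/path/to/client.pem\n"

def inspect_pem(text):
    """Summarise a key+certificate bundle such as server.pem or client.pem."""
    keys, certs, encrypted = 0, 0, False
    for label, body in PEM_BLOCK.findall(text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # PKCS#8 marks encryption in the label; the traditional format
            # carries a "Proc-Type: 4,ENCRYPTED" header inside the block.
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
    return {"keys": keys, "certs": certs, "encrypted": encrypted}

def check_client(ini_text, read_file, as_service=False):
    """Return the problems found in vhui.ini text and the bundle it names."""
    # read_file maps a path to file text, e.g. lambda p: open(p).read().
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(ini_text)
    general = cfg["General"] if cfg.has_section("General") else {}
    problems = []
    if not general.get("SSLCAFile"):
        problems.append("SSLCAFile missing: server certificate cannot be verified")
    cert_path = general.get("SSLClientCert")
    if cert_path:
        info = inspect_pem(read_file(cert_path))
        if info["keys"] != 1 or info["certs"] < 1:
            problems.append("bundle must hold one private key and a certificate")
        if as_service and info["encrypted"]:
            problems.append("key requires a password: unusable when run as a service")
    return problems

if __name__ == "__main__":
    for line in check_client(SAMPLE_INI, lambda p: SAMPLE_LEGACY_ENC, as_service=True):
        print(line)
```

The same inspect_pem check applies to server.pem before setting sslCert in config.ini.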

Note: If you want to use specific client certificates for particular connections then you need to qualify the client certificate path with the server hostname colon port and the pipe symbol. If a path name is not qualified it will be used for all other connections. Use a comma to separate entries, for example:


Revoking Client Certificates

The server supports revoking client certificates using CRLs. To do this, add the parameter SSLUseCRL=1 in the server config.ini. When a client certificate requires revoking, append its CRL in PEM format to the ca.pem file specified in the SSLCAFile parameter. When updating the ca.pem file you do not need to stop the server; it will pick up the revocation automatically when the file changes.