Namespace hcap.security

Method Detail

  • <static> hcap.security.existClientCertificate(param)
    Returns whether a client certificate was registered or not.
    hcap.security.existClientCertificate({
         "nickname" : "testclient",
         "accessCode" : "passCode1",
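         "onSuccess" : function(s) {
             // s.exist is true if the client certificate was registered
             console.log("onSuccess : nickname = " + s.nickname + ", exist = " + s.exist);
         },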
         "onFailure" : function(f) {
             console.log("onFailure : errorMessage = " + f.errorMessage);
         }
    });
    Parameters:
    {Object} param
    • {String} param.nickname [Required] - nickname for the client certificate.
    • {String} param.accessCode [Required] - password that was used when the client certificate was registered.
    • {Function} param.onSuccess [Optional] - success callback function.
        param.onSuccess = function (param) { 
            // {String} param.nickname - nickname for the client certificate.
            // {Boolean} param.exist - true if the client certificate was registered.
        }
    • {Function} param.onFailure [Optional] - failure callback function.
        param.onFailure = function (param) {
            // {String} param.errorMessage - in case of failure, this message provides the details.
        }
    Since:
    1.20.0
    See:
    hcap.security.registerServerCertificate()
    hcap.security.registerClientCertificate()
    hcap.security.unregisterServerCertificate()
    hcap.security.unregisterClientCertificate()
    hcap.security.existServerCertificate()
  • <static> hcap.security.existServerCertificate(param)
    Returns whether a server certificate was registered or not.
    hcap.security.existServerCertificate({
         "nickname" : "testserver",
         "accessCode" : "passCode1",
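         "onSuccess" : function(s) {
             // s.exist is true if the server certificate was registered
             console.log("onSuccess : nickname = " + s.nickname + ", exist = " + s.exist);
         },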
         "onFailure" : function(f) {
             console.log("onFailure : errorMessage = " + f.errorMessage);
         }
    });
    Parameters:
    {Object} param
    • {String} param.nickname [Required] - nickname for the server certificate.
    • {String} param.accessCode [Required] - password that was used when the server certificate was registered.
    • {Function} param.onSuccess [Optional] - success callback function.
        param.onSuccess = function (param) { 
            // {String} param.nickname - nickname for the server certificate.
            // {Boolean} param.exist - true if the server certificate was registered.
        }
    • {Function} param.onFailure [Optional] - failure callback function.
        param.onFailure = function (param) {
            // {String} param.errorMessage - in case of failure, this message provides the details.
        }
    Since:
    1.20.0
    See:
    hcap.security.registerServerCertificate()
    hcap.security.registerClientCertificate()
    hcap.security.unregisterServerCertificate()
    hcap.security.unregisterClientCertificate()
    hcap.security.existClientCertificate()
  • <static> hcap.security.registerClientCertificate(param)
    Registers a client certificate and its private key for TLS and SSL client authentication.
    After registration, reboot is needed.
    If a client certificate is registered, the TV tries to authenticate to the HCAP server with it in the modules that download or load HCAP applications, such as HCAP middleware, Ez-i and HCAP browser.
    The client certificate to register can be a self-signed certificate or a trusted CA (Certificate Authority) certificate.
    Only 1 client certificate is permitted in the TV. Therefore, to register a client certificate when another one is already registered, first revoke (unregister) the registered client certificate and then register the new one. Otherwise the registration of the new client certificate will fail.
    Please refer to the example code in hcap.security.registerServerCertificate() to create server/client self-signed certificates. In that example code and its server environment, register client_x86Emul.crt, client_x86Emul.key and rootCA.crt to the TV as the client certificate, the client private key and the CA certificate respectively.
    urlPattern and issuerCN are needed so that HCAP browser can automatically match the HCAP app URL to its client certificate.
    hcap.security.registerClientCertificate({
         "nickname" : "testclient",
         "certificate" : "\
    Certificate:\n\
       Data:\n\
           Version: 3 (0x2)\n\
           Serial Number: 1 (0x1)\n\
       Signature Algorithm: sha1WithRSAEncryption\n\
           Issuer: C=KR, L=LGE, O=CTO CA, CN=ROOT CA\n\
           Validity\n\
               Not Before: Mar 21 06:53:26 2016 GMT\n\
               Not After : Mar 19 06:53:26 2026 GMT\n\
           Subject: C=KR, L=LGE, O=CTO, CN=x86Emul\n\
           Subject Public Key Info:\n\
               Public Key Algorithm: rsaEncryption\n\
                   Public-Key: (2048 bit)\n\
                   Modulus:\n\
                       00:a2:e3:4d:39:47:6f:9c:bb:7e:fb:90:43:8a:29:\n\
                       7f:3a:b2:4e:32:83:bd:1f:16:c1:0b:d2:cd:e7:22:\n\
                       33:f3:19:41:ea:db:ec:0a:3d:e9:4c:00:8c:e2:8d:\n\
                       57:d8:b0:12:af:50:66:df:6f:f5:65:d8:91:c0:a8:\n\
                       f6:87:b7:fa:ed:7c:32:bf:25:d3:18:a3:bc:3b:f8:\n\
                       0c:d5:bc:03:99:7d:c6:fd:72:d6:19:c7:3f:4c:7b:\n\
                       8f:1a:d8:c3:b6:15:01:82:99:a8:2d:b0:79:36:86:\n\
                       2a:cb:dc:43:a5:30:ab:fd:31:70:76:e4:01:67:73:\n\
                       d9:bd:7a:20:d9:49:f4:11:61:de:b9:6b:80:d5:83:\n\
                       5f:1b:e0:34:fa:af:3c:b9:26:84:1b:ca:16:a5:02:\n\
                       be:f9:fa:bc:19:f1:84:a9:13:7b:32:04:68:ba:c3:\n\
                       66:69:8a:b8:84:19:bf:15:72:df:37:68:83:cb:e5:\n\
                       4b:e2:59:8c:4e:e0:42:3b:ea:a6:39:85:1e:ae:41:\n\
                       c4:a6:17:06:a2:02:d6:c4:cb:53:0d:f7:2e:e7:28:\n\
                       20:35:a7:3e:02:9c:38:68:1c:d6:18:c0:39:24:1d:\n\
                       f2:96:c5:81:f1:c2:de:22:e0:d4:f0:02:72:9c:e8:\n\
                       c1:d0:28:46:60:1e:6d:52:78:f4:48:94:80:9b:01:\n\
                       dc:eb\n\
                   Exponent: 65537 (0x10001)\n\
           X509v3 extensions:\n\
               X509v3 Basic Constraints: \n\
                   CA:FALSE\n\
               Netscape Comment: \n\
                   OpenSSL Generated Certificate\n\
               X509v3 Subject Key Identifier: \n\
                   EE:1A:6C:59:3B:13:FA:32:A7:61:60:2A:6C:56:66:82:AB:21:CD:05\n\
               X509v3 Authority Key Identifier: \n\
                   keyid:85:20:EF:03:87:EA:73:32:10:5D:B2:3B:92:42:4F:3C:66:65:6A:E0\n\
    \n\
       Signature Algorithm: sha1WithRSAEncryption\n\
            92:a7:bd:83:65:de:c9:bd:cb:57:c0:46:c0:16:e7:7e:0a:e6:\n\
            67:96:ab:45:38:91:2a:6e:b8:5c:07:8a:58:0d:56:0b:79:e6:\n\
            00:c4:0e:ce:86:ae:07:cb:69:bf:24:d9:69:fe:59:b6:31:b9:\n\
            82:79:75:1a:64:41:45:2d:d9:83:c2:5b:f9:5c:80:1b:ea:1a:\n\
            14:c7:5e:9e:f9:1e:7e:1c:fc:a3:55:1b:9a:df:cd:38:f7:e9:\n\
            24:ac:ce:b0:91:93:a6:a8:45:99:c3:77:c8:e4:86:4c:8a:11:\n\
            35:27:40:f4:71:d6:84:db:7b:26:a7:d3:6c:9d:e5:d0:d7:c2:\n\
            96:dd:80:0f:99:24:0f:40:b1:65:d0:7f:87:4d:d3:36:b1:da:\n\
            a7:45:08:5a:2f:59:d9:84:11:a9:c4:77:fe:54:36:5f:47:d1:\n\
            3c:86:32:92:6d:04:77:61:51:4b:bf:17:88:0d:b0:26:41:12:\n\
            11:4f:cd:1f:50:b1:38:0d:7b:7c:3c:de:52:97:e3:e3:12:57:\n\
            6b:2a:7b:4d:ed:11:be:cd:7e:b8:e9:18:eb:78:b3:03:1f:87:\n\
            8e:ea:fa:9b:da:ab:7b:1a:4a:ba:c3:e0:10:ed:c2:e6:05:22:\n\
            97:cf:3d:96:77:b9:63:47:82:0a:d1:9c:fa:73:eb:05:e1:8e:\n\
            43:d1:87:96\n\
    -----BEGIN CERTIFICATE-----\n\
    MIIDbzCCAlegAwIBAgIBATANBgkqhkiG9w0BAQUFADA+MQswCQYDVQQGEwJLUjEM\n\
    MAoGA1UEBwwDTEdFMQ8wDQYDVQQKDAZDVE8gQ0ExEDAOBgNVBAMMB1JPT1QgQ0Ew\n\
    HhcNMTYwMzIxMDY1MzI2WhcNMjYwMzE5MDY1MzI2WjA7MQswCQYDVQQGEwJLUjEM\n\
    MAoGA1UEBwwDTEdFMQwwCgYDVQQKDANDVE8xEDAOBgNVBAMMB3g4NkVtdWwwggEi\n\
    MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCi4005R2+cu377kEOKKX86sk4y\n\
    g70fFsEL0s3nIjPzGUHq2+wKPelMAIzijVfYsBKvUGbfb/Vl2JHAqPaHt/rtfDK/\n\
    JdMYo7w7+AzVvAOZfcb9ctYZxz9Me48a2MO2FQGCmagtsHk2hirL3EOlMKv9MXB2\n\
    5AFnc9m9eiDZSfQRYd65a4DVg18b4DT6rzy5JoQbyhalAr75+rwZ8YSpE3syBGi6\n\
    w2ZpiriEGb8Vct83aIPL5UviWYxO4EI76qY5hR6uQcSmFwaiAtbEy1MN9y7nKCA1\n\
    pz4CnDhoHNYYwDkkHfKWxYHxwt4i4NTwAnKc6MHQKEZgHm1SePRIlICbAdzrAgMB\n\
    AAGjezB5MAkGA1UdEwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJh\n\
    dGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBTuGmxZOxP6MqdhYCpsVmaCqyHNBTAf\n\
    BgNVHSMEGDAWgBSFIO8Dh+pzMhBdsjuSQk88ZmVq4DANBgkqhkiG9w0BAQUFAAOC\n\
    AQEAkqe9g2Xeyb3LV8BGwBbnfgrmZ5arRTiRKm64XAeKWA1WC3nmAMQOzoauB8tp\n\
    vyTZaf5ZtjG5gnl1GmRBRS3Zg8Jb+VyAG+oaFMdenvkefhz8o1Ubmt/NOPfpJKzO\n\
    sJGTpqhFmcN3yOSGTIoRNSdA9HHWhNt7JqfTbJ3l0NfClt2AD5kkD0CxZdB/h03T\n\
    NrHap0UIWi9Z2YQRqcR3/lQ2X0fRPIYykm0Ed2FRS78XiA2wJkESEU/NH1CxOA17\n\
    fDzeUpfj4xJXayp7Te0Rvs1+uOkY63izAx+Hjur6m9qrexpKusPgEO3C5gUil889\n\
    lne5Y0eCCtGc+nPrBeGOQ9GHlg==\n\
    -----END CERTIFICATE-----\n",
         "key" : "\
    -----BEGIN RSA PRIVATE KEY-----\n\
    MIIEowIBAAKCAQEAouNNOUdvnLt++5BDiil/OrJOMoO9HxbBC9LN5yIz8xlB6tvs\n\
    Cj3pTACM4o1X2LASr1Bm32/1ZdiRwKj2h7f67XwyvyXTGKO8O/gM1bwDmX3G/XLW\n\
    Gcc/THuPGtjDthUBgpmoLbB5NoYqy9xDpTCr/TFwduQBZ3PZvXog2Un0EWHeuWuA\n\
    1YNfG+A0+q88uSaEG8oWpQK++fq8GfGEqRN7MgRousNmaYq4hBm/FXLfN2iDy+VL\n\
    4lmMTuBCO+qmOYUerkHEphcGogLWxMtTDfcu5yggNac+Apw4aBzWGMA5JB3ylsWB\n\
    8cLeIuDU8AJynOjB0ChGYB5tUnj0SJSAmwHc6wIDAQABAoIBACWW9vdE+QjebAt5\n\
    21xC/014YHtf04EdKyejWkkAp6RuK7wbTHmAmBol9l1B6QfkeitjDpp5p9P9CoW/\n\
    eEURvCKaCsv52qFRB9t+/tdEMEB3ujg7DBWe2Yi46ulzJJcceeC9vQXuN8rRY4bw\n\
    KdwxQz+G7UFClOBe59zGFlaOrnhkE1HyWIsJc6SoVBhvcHsAu313KJ/yAdboBI70\n\
    PwUVyYxP7txF17PbK6yPEOq7o0q+KSBiOzxyH5qqsVmHqB2aMNO9SXRlr+ldjd7e\n\
    m3eIbeR8KmMiaq5toq+o+2LfgG9nYMQEUtHqPeEG2tvpmAu3jXUU4mxL+5XZfQA9\n\
    oRclCcECgYEA0APW+5lqtTg+Q4pVhHGe0uX4wpbMQkIbKBbVm9BwqSGsFtzeiV57\n\
    ffTFbY6rcVfElfqBSRi0FxDglYWbZgMYdi7G/qXJmoh6CJ/UY3IHGBLdvWfE3yPz\n\
    KZcPHyxRYZgTW9/BEgro/BcRY/7MKwnNryMUqW0mLm9UzmZM/p6UhVkCgYEAyHaE\n\
    S90R2Po/SAXsSjbahfnaKZ5Q/4M7zdnt+IgeaK0hFb1Qp0FP1EJeLb8rZeldlWrT\n\
    U9r0z0dwVrh1i4yTjG9DB8ipbkhLixt6P3eUunYkn+NEG9NZE7y/QiGrYjq6fRBw\n\
    lbZJiQYcSl7BFF2xF3j4ZzzMGktkSTKaW8lFt+MCgYEAqu4M0XBu0/0khOF+hjfL\n\
    V+frsxKxQ90IbbfdzYzJluF5hMv3/Y9rEMR7Gxy6WofRnaBcbpFjIvUWZyeD2569\n\
    khe8I3JeKKLvDHkx0InZtHmERminyOjEnq9nmKkVMooBlmRWRZo7ezMFclLkuJT0\n\
    tG6yQsrTLiMD4BsGN9BdoPkCgYBUEtC9eIQpuhqcPE+zeHoBwp4q4kkaQJHubb4O\n\
    hBgs0p+TnIic/Rlb7lHNYeXzogIrzle/TY9q94038bjqxBSFy4wTUactp4h3WRjW\n\
    UXLBGReXLxu7h9JOItUcCT71vafFGAX/5CnHHBb1YfQcdIb3TzbvJWJ8jK4MvPpc\n\
    EHf6/QKBgH/9uM9+GZvS2iXc2KzhB+oENyWM/kJbMlfefVUu2AaBAzDdVBTDvAxd\n\
    PZTdseH5K8DrVRJe8YcFnd86HE/B56PAmyP4Qo+Sslf5bc/Gmp08mMdYxWb1IwRm\n\
    ndWHoUiBaeMo5QB/Oac/0bBwlOt14PO+t7TWjKHQIHvfONNrXbui\n\
    -----END RSA PRIVATE KEY-----\n",
         "keyPassword" : "passcode",
         "cacert" : "\
    -----BEGIN CERTIFICATE-----\n\
    MIIDXzCCAkegAwIBAgIJALispfP+z4ZZMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNV\n\
    BAYTAktSMQwwCgYDVQQHDANMR0UxDzANBgNVBAoMBkNUTyBDQTEYMBYGA1UEAwwP\n\
    amtjbG91ZC5sZ2UuY29tMB4XDTE2MDMxNzAzMDUzMFoXDTI2MDMxNTAzMDUzMFow\n\
    RjELMAkGA1UEBhMCS1IxDDAKBgNVBAcMA0xHRTEPMA0GA1UECgwGQ1RPIENBMRgw\n\
    FgYDVQQDDA9qa2Nsb3VkLmxnZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n\
    ggEKAoIBAQCwdor7TwwIIuTI8HvOBx//cBlu+xE1L/9ZAWaIRivK/O/1Bv+jTxpx\n\
    5RN9RttmJle9QS8Tx6/Wf40REt9Lnc1fUCdVILSkTrcHY4Wcc5cqvt0Uz17kcaTJ\n\
    Q6Ch2wiyq2ZSj2vTQAhQfV0cpvwJTYKwXCSeL8M10KZqeU/41PITp/67MzCZF+BT\n\
    gTm60UTfrc/Owe8q2yn3di7wKiuEwP5WROGa/HkOrWJfkx0DjAlO79tZoUmyd4RH\n\
    C6R3ST8lbCMtttDd8JGHlCSVRf9NIQc71M88vgYY7Dh9POfCfhxkVA9/ws5h7aHt\n\
    t0vAqmRN6vgFhBPhmTUp+eoUl+3nf0aVAgMBAAGjUDBOMB0GA1UdDgQWBBQkXPyq\n\
    koD+LlrJgYRvkiqg5KDJJTAfBgNVHSMEGDAWgBQkXPyqkoD+LlrJgYRvkiqg5KDJ\n\
    JTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCcK/JXi0aaQ1RiToTK\n\
    stYpMZjTtmiDqgpdHkhsU0H2EwVW46j4xaALzLoSWx4neREJS1KPJ4Wh6PT9554S\n\
    wI/9yIjiqJlsHmU3h3FxjO5NRO9Qu+o9MeLAGAJs9M49NS0TiJYo1V7beyI5ju99\n\
    xs887ac5F/Axg3Pb4sX1Wo5xTB2Bw+bKMHj0Rk+9uDrGqsrPpX39R8CL0W/1ISU5\n\
    ioOvHBHeyw2PzqO4KbIXrvj0dihDBWc/SltS/4htXs4JL76rA7+Byj9AUVxrm2QK\n\
    gmsignOklllYUkLdIjLPyJy8tDUFTcR4oElWN+mGME4zl0x8mCaTaPf8niBw9hfI\n\
    Cymj\n\
    -----END CERTIFICATE-----\n",
         "urlPattern" : "https://jkcloud.lge.com",
         "issuerCN" : "ROOT CA",
         "isSelfSigned" : true,
         "accessCode" : "passCode1",
         "onSuccess" : function() {
             console.log("onSuccess");
         }, 
         "onFailure" : function(f) {
             console.log("onFailure : errorMessage = " + f.errorMessage);
         }
    });
    Parameters:
    {Object} param
    • {String} param.nickname [Required] - nickname for this client certificate, a 4 to 10-character string chosen from the set [a-zA-Z0-9].
    • {String} param.certificate [Required] - string holding the full contents of the client certificate file in PEM form (client_x86Emul.crt in the above example).
    • {String} param.key [Required] - string holding the full contents of the client private key file in PEM form (client_x86Emul.key in the above example).
    • {String} param.keyPassword [Required] - password string of the client private key ("passcode" in the above example).
    • {String} param.cacert [Required] - string holding the full contents of the CA certificate file of the client certificate in PEM form (rootCA.crt in the above example).
    • {String} param.urlPattern [Required] - URL pattern string specifying the sites for which HCAP browser automatically selects a client certificate when the site requests a certificate (e.g. "https://jkcloud.lge.com").
    • {String} param.issuerCN [Required] - CommonName string of the issuer of the client certificate ("ROOT CA" in the above example).
    • {Boolean} param.isSelfSigned [Required] - true if the client certificate is self-signed, otherwise false.
    • {String} param.accessCode [Required] - password, a 4 to 10-character string chosen from the set [a-zA-Z0-9], needed later to check whether this certificate is registered or to revoke it.
    • {Function} param.onSuccess [Optional] - success callback function.
        param.onSuccess = function() {
            // No Parameter. 
        }
    • {Function} param.onFailure [Optional] - failure callback function.
        param.onFailure = function (param) {
            // {String} param.errorMessage - in case of failure, this message provides the details.
        }
    Since:
    1.20.0
    See:
    hcap.security.registerServerCertificate()
    hcap.security.unregisterServerCertificate()
    hcap.security.unregisterClientCertificate()
    hcap.security.existServerCertificate()
    hcap.security.existClientCertificate()
  • <static> hcap.security.registerServerCertificate(param)
    Registers a server certificate to validate the keys from the HCAP server as part of a PKI (Public Key Infrastructure).
    To register a server certificate, change the property "browser_https_security_level" from "1" to "0".
    After registration, reboot is needed.
    Handling (registering/unregistering) server/client certificates must be done very carefully, under the control of the installer or hotelier, because it is done in an insecure environment.
    If a server certificate is registered, the TV validates the public key from the HCAP server whenever it requests resources from the HCAP server in the modules that download or load HCAP applications, such as HCAP MW, Ez-i and HCAP browser.
    The server certificate to register can be a self-signed certificate or a CA (Certificate Authority) certificate.
    Only 1 server certificate is permitted in the TV. Therefore, to register a server certificate when another one is already registered, first revoke (unregister) the registered server certificate and then register the new one. Otherwise the registration of the new server certificate will fail.

    This feature was tested with the following settings on Ubuntu 12.04 LTS, with the Apache server as the HTTPS HCAP server.
    Reference : Create a CA, issue server/client certificates and test them via Apache
    user@lgesccicbld28v:~/certificate$ mkdir demoCA
    user@lgesccicbld28v:~/certificate$ cd demoCA
    user@lgesccicbld28v:~/certificate/demoCA$ mkdir certs
    user@lgesccicbld28v:~/certificate/demoCA$ mkdir csr
    user@lgesccicbld28v:~/certificate/demoCA$ mkdir newcerts
    user@lgesccicbld28v:~/certificate/demoCA$ mkdir private
    user@lgesccicbld28v:~/certificate/demoCA$ cp ../openssl.cnf .
    user@lgesccicbld28v:~/certificate/demoCA$ echo 00 > serial
    user@lgesccicbld28v:~/certificate/demoCA$ echo 00 > crlnumber
    user@lgesccicbld28v:~/certificate/demoCA$ touch index.txt
    user@lgesccicbld28v:~/certificate/demoCA$ pwd
    /home/user/certificate/demoCA
    user@lgesccicbld28v:~/certificate/demoCA$ vi openssl.cnf
    
    >>> Change dir in CA_default
    [ CA_default ]
    
    dir             = ./demoCA         # Where everything is kept
    >>>>
    dir             = /home/user/certificate/demoCA         # Where everything is kept
    
    user@lgesccicbld28v:~/certificate/demoCA$ openssl genrsa -des3 -passout pass:passcode -out  private/rootCA.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...........................................................+++
    ......................................................+++
    e is 65537 (0x10001)
    user@lgesccicbld28v:~/certificate/demoCA$ openssl rsa -passin pass:passcode -in private/rootCA.key -out private/rootCA.key
    writing RSA key
    user@lgesccicbld28v:~/certificate/demoCA$ openssl req -config openssl.cnf -new -x509 -subj '/C=KR/L=LGE/O=CTO CA/CN=ROOT CA' -days 3650 -key private/rootCA.key -out certs/rootCA.crt
    user@lgesccicbld28v:~/certificate/demoCA$ openssl genrsa -des3 -passout pass:passcode -out private/jkcloud.key 2048
    Generating RSA private key, 2048 bit long modulus
    ................+++
    .................................................+++
    e is 65537 (0x10001)
    user@lgesccicbld28v:~/certificate/demoCA$ openssl rsa -passin pass:passcode -in private/jkcloud.key -out private/jkcloud.key
    writing RSA key
    user@lgesccicbld28v:~/certificate/demoCA$ openssl req -config openssl.cnf -new -subj '/C=KR/L=LGE/O=CTO/CN=jkcloud.lge.com' -key private/jkcloud.key -out csr/jkcloud.csr
    user@lgesccicbld28v:~/certificate/demoCA$ openssl ca -batch -config openssl.cnf -days 3650 -in csr/jkcloud.csr -out certs/jkcloud.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 0 (0x0)
            Validity
                Not Before: Mar 21 06:52:38 2016 GMT
                Not After : Mar 19 06:52:38 2026 GMT
            Subject:
                countryName               = KR
                localityName              = LGE
                organizationName          = CTO
                commonName                = jkcloud.lge.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    3F:87:5F:F8:76:65:12:96:AF:D6:4B:BC:AA:FA:1E:36:76:5F:8A:FE
                X509v3 Authority Key Identifier: 
                    keyid:85:20:EF:03:87:EA:73:32:10:5D:B2:3B:92:42:4F:3C:66:65:6A:E0
    
    Certificate is to be certified until Mar 19 06:52:38 2026 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    user@lgesccicbld28v:~/certificate/demoCA$ openssl genrsa -des3 -passout pass:passcode -out private/client_x86Emul.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...................................................................................................................................................................................................................................+++
    ...................................................................................................................+++
    e is 65537 (0x10001)
    user@lgesccicbld28v:~/certificate/demoCA$ openssl rsa -passin pass:passcode -in private/client_x86Emul.key -out private/client_x86Emul.key
    writing RSA key
    user@lgesccicbld28v:~/certificate/demoCA$ openssl req -config openssl.cnf -new -subj '/C=KR/L=LGE/O=CTO/CN=x86Emul' -key private/client_x86Emul.key -out csr/client_x86Emul.csr
    user@lgesccicbld28v:~/certificate/demoCA$ openssl ca -batch -config openssl.cnf -days 3650 -in csr/client_x86Emul.csr -out certs/client_x86Emul.crt -keyfile private/rootCA.key -cert certs/rootCA.crt -policy policy_anything
    Using configuration from openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Mar 21 06:53:26 2016 GMT
                Not After : Mar 19 06:53:26 2026 GMT
            Subject:
                countryName               = KR
                localityName              = LGE
                organizationName          = CTO
                commonName                = x86Emul
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    EE:1A:6C:59:3B:13:FA:32:A7:61:60:2A:6C:56:66:82:AB:21:CD:05
                X509v3 Authority Key Identifier: 
                    keyid:85:20:EF:03:87:EA:73:32:10:5D:B2:3B:92:42:4F:3C:66:65:6A:E0
    
    Certificate is to be certified until Mar 19 06:53:26 2026 GMT (3650 days)
    
    Write out database with 1 new entries
    Data Base Updated
    user@lgesccicbld28v:~/certificate/demoCA$ find
    .
    ./serial.old
    ./newcerts
    ./newcerts/00.pem
    ./newcerts/01.pem
    ./serial
    ./index.txt.attr
    ./openssl.cnf
    ./certs
    ./certs/rootCA.crt
    ./certs/client_x86Emul.crt
    ./certs/jkcloud.crt
    ./crlnumber
    ./index.txt.attr.old
    ./csr
    ./csr/jkcloud.csr
    ./csr/client_x86Emul.csr
    ./private
    ./private/client_x86Emul.key
    ./private/jkcloud.key
    ./private/rootCA.key
    ./index.txt.old
    ./index.txt
    user@lgesccicbld28v:~/certificate/demoCA$
    
    user@lgesccicbld28v:~/certificate/demoCA$ sudo vi /etc/apache2/sites-available/default-ssl
    [sudo] password for user: 
    >>> Change as follows (Apache does not accept a comment on the same line as a directive)
            # enable for server/client certificate
            SSLEngine on

            # for server certificate
            SSLCertificateFile    /home/user/certificate/demoCA/certs/jkcloud.crt
            SSLCertificateKeyFile /home/user/certificate/demoCA/private/jkcloud.key

            # for client certificate
            SSLCACertificateFile /home/user/certificate/demoCA/certs/rootCA.crt

            # for client certificate
            SSLVerifyClient require
            SSLVerifyDepth  10
    
    user@lgesccicbld28v:~/certificate/demoCA$ sudo a2enmod ssl
    Module ssl already enabled
    user@lgesccicbld28v:~/certificate/demoCA$ sudo a2ensite default-ssl
    Site default-ssl already enabled
    user@lgesccicbld28v:~/certificate/demoCA$ sudo service apache2 restart
    Restarting web server apache2 ... waiting [ OK ]
    user@lgesccicbld28v:~/certificate/demoCA$
    

    In the above example, register rootCA.crt to the TV as the server certificate with hcap.security.registerServerCertificate().
    On the server, set jkcloud.crt and jkcloud.key as SSLCertificateFile and SSLCertificateKeyFile respectively if the server is an Apache server.
    hcap.security.registerServerCertificate({
         "nickname" : "testserver",
         "certificate" : "\
    -----BEGIN CERTIFICATE-----\n\
    MIIDXzCCAkegAwIBAgIJALispfP+z4ZZMA0GCSqGSIb3DQEBBQUAMEYxCzAJBgNV\n\
    BAYTAktSMQwwCgYDVQQHDANMR0UxDzANBgNVBAoMBkNUTyBDQTEYMBYGA1UEAwwP\n\
    amtjbG91ZC5sZ2UuY29tMB4XDTE2MDMxNzAzMDUzMFoXDTI2MDMxNTAzMDUzMFow\n\
    RjELMAkGA1UEBhMCS1IxDDAKBgNVBAcMA0xHRTEPMA0GA1UECgwGQ1RPIENBMRgw\n\
    FgYDVQQDDA9qa2Nsb3VkLmxnZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw\n\
    ggEKAoIBAQCwdor7TwwIIuTI8HvOBx//cBlu+xE1L/9ZAWaIRivK/O/1Bv+jTxpx\n\
    5RN9RttmJle9QS8Tx6/Wf40REt9Lnc1fUCdVILSkTrcHY4Wcc5cqvt0Uz17kcaTJ\n\
    Q6Ch2wiyq2ZSj2vTQAhQfV0cpvwJTYKwXCSeL8M10KZqeU/41PITp/67MzCZF+BT\n\
    gTm60UTfrc/Owe8q2yn3di7wKiuEwP5WROGa/HkOrWJfkx0DjAlO79tZoUmyd4RH\n\
    C6R3ST8lbCMtttDd8JGHlCSVRf9NIQc71M88vgYY7Dh9POfCfhxkVA9/ws5h7aHt\n\
    t0vAqmRN6vgFhBPhmTUp+eoUl+3nf0aVAgMBAAGjUDBOMB0GA1UdDgQWBBQkXPyq\n\
    koD+LlrJgYRvkiqg5KDJJTAfBgNVHSMEGDAWgBQkXPyqkoD+LlrJgYRvkiqg5KDJ\n\
    JTAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQCcK/JXi0aaQ1RiToTK\n\
    stYpMZjTtmiDqgpdHkhsU0H2EwVW46j4xaALzLoSWx4neREJS1KPJ4Wh6PT9554S\n\
    wI/9yIjiqJlsHmU3h3FxjO5NRO9Qu+o9MeLAGAJs9M49NS0TiJYo1V7beyI5ju99\n\
    xs887ac5F/Axg3Pb4sX1Wo5xTB2Bw+bKMHj0Rk+9uDrGqsrPpX39R8CL0W/1ISU5\n\
    ioOvHBHeyw2PzqO4KbIXrvj0dihDBWc/SltS/4htXs4JL76rA7+Byj9AUVxrm2QK\n\
    gmsignOklllYUkLdIjLPyJy8tDUFTcR4oElWN+mGME4zl0x8mCaTaPf8niBw9hfI\n\
    Cymj\n\
    -----END CERTIFICATE-----\n",
         "enableVerifyHost" : true,
         "isSelfSigned" : true,
         "accessCode" : "passCode1",
         "onSuccess" : function() {
             console.log("onSuccess");
         }, 
         "onFailure" : function(f) {
             console.log("onFailure : errorMessage = " + f.errorMessage);
         }
    });
    Parameters:
    {Object} param
    • {String} param.nickname [Required] - nickname for this server certificate, a 4 to 10-character string chosen from the set [a-zA-Z0-9].
    • {String} param.certificate [Required] - string holding the full contents of the server certificate file (public root CA of the server certificate file) in PEM form (rootCA.crt in the above example).
    • {Boolean} param.enableVerifyHost [Required] - true to verify that the server being connected to has the same hostname as in the certificate (if the verification fails, the connection fails), otherwise false.
    • {Boolean} param.isSelfSigned [Required] - true if the server certificate is self-signed, otherwise false.
    • {String} param.accessCode [Required] - password, a 4 to 10-character string chosen from the set [a-zA-Z0-9], needed later to check whether this certificate is registered or to revoke it.
    • {Function} param.onSuccess [Optional] - success callback function.
        param.onSuccess = function() {
            // No Parameter. 
        }
    • {Function} param.onFailure [Optional] - failure callback function.
        param.onFailure = function (param) {
            // {String} param.errorMessage - in case of failure, this message provides the details.
        }
    Since:
    1.20.0
    See:
    hcap.security.registerClientCertificate()
    hcap.security.unregisterServerCertificate()
    hcap.security.unregisterClientCertificate()
    hcap.security.existServerCertificate()
    hcap.security.existClientCertificate()
  • <static> hcap.security.unregisterClientCertificate(param)
    Unregisters a client certificate and its private key, and deactivates the TLS authentication.
    hcap.security.unregisterClientCertificate({
         "nickname" : "testclient",
         "accessCode" : "passCode1",
         "onSuccess" : function() {
             console.log("onSuccess");
         }, 
         "onFailure" : function(f) {
             console.log("onFailure : errorMessage = " + f.errorMessage);
         }
    });
    Parameters:
    {Object} param
    • {String} param.nickname [Required] - nickname for the client certificate to unregister.
    • {String} param.accessCode [Required] - password that was used when the client certificate was registered.
    • {Function} param.onSuccess [Optional] - success callback function.
        param.onSuccess = function() {
            // No Parameter. 
        }
    • {Function} param.onFailure [Optional] - failure callback function.
        param.onFailure = function (param) {
            // {String} param.errorMessage - in case of failure, this message provides the details.
        }
    Since:
    1.20.0
    See:
    hcap.security.registerServerCertificate()
    hcap.security.registerClientCertificate()
    hcap.security.unregisterServerCertificate()
    hcap.security.existServerCertificate()
    hcap.security.existClientCertificate()
  • <static> hcap.security.unregisterServerCertificate(param)
    Unregisters a server certificate and deactivates the TLS authentication and the host verification.
    hcap.security.unregisterServerCertificate({
         "nickname" : "testserver",
         "accessCode" : "passCode1",
         "onSuccess" : function() {
             console.log("onSuccess");
         }, 
         "onFailure" : function(f) {
             console.log("onFailure : errorMessage = " + f.errorMessage);
         }
    });
    Parameters:
    {Object} param
    • {String} param.nickname [Required] - nickname for the server certificate to unregister.
    • {String} param.accessCode [Required] - password that was used when the server certificate was registered.
    • {Function} param.onSuccess [Optional] - success callback function.
        param.onSuccess = function() {
            // No Parameter. 
        }
    • {Function} param.onFailure [Optional] - failure callback function.
        param.onFailure = function (param) {
            // {String} param.errorMessage - in case of failure, this message provides the details.
        }
    Since:
    1.20.0
    See:
    hcap.security.registerServerCertificate()
    hcap.security.registerClientCertificate()
    hcap.security.unregisterClientCertificate()
    hcap.security.existServerCertificate()
    hcap.security.existClientCertificate()
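
The one-certificate rule described for hcap.security.registerClientCertificate() and hcap.security.registerServerCertificate() (check, unregister the old certificate, register the new one, reboot), as an added example that is not LG's code: it checks the documented field rules before anything on the TV is changed and reports how far the sequence got. validateClientParams, withCallbacks, replaceClientCertificate and makeFakeSecurity are hypothetical names, and the fake's behaviour and error messages are constructed so the code runs off-device; the server-side sequence is the same with the Server method names.

```javascript
// Added example, not LG's code. `security` is any object exposing the
// hcap.security methods documented on this page (on a TV: hcap.security).
var ID_RE = /^[a-zA-Z0-9]{4,10}$/; // nickname / accessCode rule from the parameter list
var CERT_RE = /-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----/;
var KEY_RE = /-----BEGIN ([A-Z]+ )?PRIVATE KEY-----[\s\S]+?-----END ([A-Z]+ )?PRIVATE KEY-----/;

function isText(v) { return typeof v === "string" && v.length > 0; }

// Returns the names of malformed fields; an empty array means well-formed.
function validateClientParams(p) {
  var bad = [];
  ["nickname", "accessCode"].forEach(function (k) {
    if (!isText(p[k]) || !ID_RE.test(p[k])) bad.push(k);
  });
  ["certificate", "cacert"].forEach(function (k) {
    if (!isText(p[k]) || !CERT_RE.test(p[k])) bad.push(k);
  });
  if (!isText(p.key) || !KEY_RE.test(p.key)) bad.push("key");
  ["keyPassword", "urlPattern", "issuerCN"].forEach(function (k) {
    if (!isText(p[k])) bad.push(k);
  });
  if (typeof p.isSelfSigned !== "boolean") bad.push("isSelfSigned");
  return bad;
}

// Copy params and attach callbacks without mutating the caller's object.
function withCallbacks(params, onSuccess, onFailure) {
  var out = {};
  Object.keys(params).forEach(function (k) { out[k] = params[k]; });
  out.onSuccess = onSuccess;
  out.onFailure = onFailure;
  return out;
}

// exist -> unregister (only if present) -> register, because the TV holds one
// client certificate. `current` is { nickname, accessCode } of the certificate
// believed to be installed. done(err, steps) reports how far the sequence got;
// errors carry only the step name and the TV's errorMessage, never key material.
function replaceClientCertificate(security, current, next, done) {
  var steps = [];
  var bad = validateClientParams(next);
  if (bad.length) { done(new Error("invalid fields: " + bad.join(", ")), steps); return; }
  function fail(step) {
    return function (f) { done(new Error(step + ": " + (f && f.errorMessage)), steps); };
  }
  function register() {
    security.registerClientCertificate(withCallbacks(next, function () {
      steps.push("register", "reboot-required"); // reboot is needed after registration
      done(null, steps);
    }, fail("register")));
  }
  security.existClientCertificate(withCallbacks(current, function (s) {
    steps.push(s.exist ? "exists" : "absent");
    if (!s.exist) { register(); return; }
    security.unregisterClientCertificate(withCallbacks(current, function () {
      steps.push("unregister");
      register();
    }, fail("unregister")));
  }, fail("exist")));
}

// Constructed in-memory stand-in with one client slot, for running off-device.
// Its answers for a wrong nickname/accessCode are assumptions, not TV behaviour.
function makeFakeSecurity(installed) {
  var slot = installed || null; // { nickname, accessCode } or null
  function matches(p) {
    return slot !== null && slot.nickname === p.nickname && slot.accessCode === p.accessCode;
  }
  return {
    existClientCertificate: function (p) {
      p.onSuccess({ nickname: p.nickname, exist: matches(p) });
    },
    unregisterClientCertificate: function (p) {
      if (!matches(p)) { p.onFailure({ errorMessage: "no matching certificate" }); return; }
      slot = null;
      p.onSuccess();
    },
    registerClientCertificate: function (p) {
      if (slot !== null) { p.onFailure({ errorMessage: "slot occupied" }); return; }
      slot = { nickname: p.nickname, accessCode: p.accessCode };
      p.onSuccess();
    }
  };
}
```

Validating before the unregister step matters because a failure after it leaves the TV with no client certificate until a later registration succeeds.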