Managing Recording Certificates

Overview

The Genesys Interaction Recording Key Management System has three responsibilities:

1. Provision public and private keys for voice and screen recordings.
2. Store the private key securely in encrypted form in a database.
3. Decrypt the recorded audio or screen recording file using the encrypted session key that is associated with the recording.

This section describes how to manage the Recording Certificates in your Genesys Interaction Recording solution.

Provisioning Certificates

Before you can encrypt certificates for voice and screen recordings, you must generate the following keys and certificates:

• A certificate for the Certificate Authority (CA) in .pem format.
• A recording certificate (also known as public key) in .pem X.509 RSA format.
• A recording private key in .pem format.

Generating the Certificates and Keys

Genesys recommends that the recording certificate that you want to use for Genesys Interaction Recording encryption be signed by a single trusted third-party CA (no chained certificates).

This certificate must meet the following requirements:

• 2048-bit RSA (or higher; please align encryption strength requirements with your IT Security)
• x509 certificate
• PEM format
• The certificate must be signed by a trusted third-party Party CA, self signed or signed by your own private CA
• The certificate signing request provided to the third-party CA must contain the Subject Name, Serial Number, Subject DN, and Issuer DN. You might be contacted by the third-party CA who might ask for additional information
• The certificate validity period of the certificate determines when the next certificate needs to be generated for renewal

The following OpenSSL command to generate certificate signing request and private key is an example:

openssl req -nodes -newkey rsa:2048 -keyout private_key.pem -out cert.req -days <validity period>

The system prompts for DN fields to be filled in. Please fill in all of them. See the table below for the details.

The files will have the following:

• private_key.pem— the private key that is used to decrypt the recordings. It must be kept safe and should not be shared.
• cert.req— the certificate signing request for the third-party CA that signs the request and provides the public key certificate to be used to encrypt the recordings.

Recording Certificates Screen for Uploading Keys

The Platform Administration section of the Genesys Hub is the tool you use to manage your recording certificates (public keys), and private keys.

The Recording Certificates screen displays the list of defined Recording Certificates. To refresh the list at any time, click .

Click a Recording Certificate in the list to display its details.

To filter the contents of this list, type the name or partial name of the object in the Quick Filter field.

To sort the Recording Certificates, click on a column heading. Click the heading a second time to reverse the order.

You can perform the following tasks on this screen:

• Upload new certificates.
• Delete certificates.
  Important

  Deleting these certificates or keys will make these uniquely-encrypted recordings unplayable. Losing this private key will result in a loss of recordings. If you must delete a certificate or key, contact Genesys Customer Care.

All of the following steps should be performed by an administrator at the customer's site

Encrypting Voice Recordings

The following steps describe how you can configure encryption for voice recordings.

Uploading Recording Certificates

To upload a new certificate:

1. From the Genesys Hub, select Platform Administration, and log in as the user with permissions to create certificates.
2. Navigate to Administration > Certificates.
   
   
3. On the Recording Certificates panel, click Upload.
   
   
4. On the Upload Certificate panel, in the Certificate File section, click Choose File.
5. Select the recording certificate. This file must contain an X.509 RSA certificate in PEM format. The Subject Name, Serial Number, Subject DN, and Issuer DN fields automatically populate.
6. In the Key File section, click Choose File.
7. Select the private key. The file must contain an RSA private key in PEM format. The encoding can be in either OpenSSL RSA private key or PKCS8 format. The Key Details field automatically populates.
   
   
8. If the private key file is encrypted, enter the Private Key Password.
9. Click Save.

To enable encryption for screen recordings, follow the instructions below (after completing the upload step above).

Encrypting Screen Recordings

The Screen Recording Certificates screen enables you to add or remove certificates for screen recordings. Use the steps described in the sections below to configure encryption for screen recordings.

Assigning Screen Recording Certificates

To assign a new certificate:

1. In the header, go to Administration > Screen Recording Certificates.
2. On the Screen Recording Certificates panel, click Add.
3. From the Select Certificate window, perform one of the following actions:
   • Select the check box next to the appropriate certificate, and click Add.
   • Click Cancel to discard any changes.
4. Perform one of the following actions:
   • Click the Save button to accept the changes.
   • Click the Cancel button to discard the changes.

Removing Screen Recording Certificates

To remove a Recording Certificate, perform the following actions:

1. In the header, go to Administration > Screen Recording Certificates.
2. On the Screen Recording Certificates panel, select the check box next to the certificate that you want to remove.
3. Click Remove.
4. Perform one of the following actions:
   • Click the Save button to accept the changes.
   • Click the Cancel button to discard the changes.