
Managing Recording Certificates


The Genesys Interaction Recording Key Management System has three responsibilities:

  1. Provision public and private keys for voice and screen recordings.
  2. Store the private key securely in encrypted form in a database.
  3. Decrypt the recorded audio or screen recording file using the encrypted session key that is associated with the recording.

It is your responsibility to store your private keys and certificates, including the expired ones.

This section describes how to manage the Recording Certificates in your Genesys Interaction Recording solution.

Provisioning Certificates

Before you can encrypt voice and screen recordings, you must generate the following keys and certificates:

  • A certificate for the Certificate Authority (CA) in .pem format.
  • A recording certificate (also known as the public key) in .pem X.509 RSA format.
  • A recording private key in .pem format.

Generating the Certificates and Keys

Genesys recommends that the recording certificate that you want to use for Genesys Interaction Recording encryption be signed by a single trusted third-party CA (no chained certificates).

Chained certificates are certificates where the trusted third-party CA is used to sign the intermediate CA certificate, and the intermediate CA certificate is then used to sign the user certificate. Currently, this type of certificate chaining is not supported.

This certificate must meet the following requirements:

  • 2048-bit RSA (or higher; please align encryption strength requirements with your IT Security)
  • x509 certificate
  • PEM format
  • The certificate must be signed by a trusted third-party CA, self-signed, or signed by your own private CA
  • The certificate signing request provided to the third-party CA must contain the Subject Name, Serial Number, Subject DN, and Issuer DN. You might be contacted by the third-party CA who might ask for additional information
  • The validity period of the certificate determines when the next certificate needs to be generated for renewal

The following OpenSSL command is an example of how to generate the certificate signing request and private key:

openssl req -nodes -newkey rsa:2048 -keyout private_key.pem -out cert.req -days <validity period>

The system prompts for DN fields to be filled in. Please fill in all of them. See the table below for the details.

DN Field          | Explanation                                                                               | Example
------------------|-------------------------------------------------------------------------------------------|----------------------
Common Name       | Name of your Recording Solution                                                           | Interaction Recording
Organization      | The exact legal name of your organization. Do not abbreviate your organization name.      | Monster & Sons, Inc.
Organization Unit | Section of the organization.                                                              | Robot Repairs
City or Locality  | The city where your organization is legally located.                                      | Pleasant Hill
State or Province | Full state or province where your organization is legally located.                        | California
Country           | The two-letter ISO abbreviation for your country.                                         | US

The command produces the following files:

  • private_key.pem: the private key that is used to decrypt the recordings. It must be kept safe and should not be shared.
  • cert.req: the certificate signing request that you submit to the third-party CA, which signs the request and provides the public key certificate to be used to encrypt the recordings.
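
A check you might run on the signed certificate and private key before uploading them, covering the requirements listed above (PEM X.509, RSA of at least 2048 bits, no chained certificates) plus a key-to-certificate match. This is an added example, not Genesys tooling; the function names, the cert.pem file name, and the self-signed sample pair it generates are assumptions for illustration.

```shell
#!/bin/sh
# Added example: pre-upload check of a recording certificate and private key.
# Function names and file paths are illustrative, not part of any Genesys tool.

# Constructed sample: self-signed pair using the DN example values from the table.
make_sample_pair() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 30 \
        -subj "/C=US/ST=California/L=Pleasant Hill/O=Monster & Sons, Inc./OU=Robot Repairs/CN=Interaction Recording" \
        -keyout "$1/private_key.pem" -out "$1/cert.pem" 2>/dev/null
}

# usage: check_recording_pair CERT KEY CA_CERT [PASSIN]
#   CA_CERT: file holding only the signing CA (CERT itself when self-signed)
#   PASSIN:  openssl pass phrase source (e.g. file:/path) for an encrypted key
check_recording_pair() {
    cert=$1; key=$2; ca=$3; passin=${4:-pass:}

    # 1. PEM-encoded X.509 certificate carrying an RSA key of 2048 bits or more.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null &&
        text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) ||
        { echo "FAIL: not a PEM X.509 certificate" >&2; return 1; }
    printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption' ||
        { echo "FAIL: certificate key is not RSA" >&2; return 1; }
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL: RSA key is only ${bits:-0} bits" >&2; return 1; }

    # 2. The private key belongs to the certificate (same public key).
    key_pub=$(openssl pkey -in "$key" -passin "$passin" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key" >&2; return 1; }
    [ "$key_pub" = "$(openssl x509 -in "$cert" -noout -pubkey)" ] ||
        { echo "FAIL: private key does not match certificate" >&2; return 1; }

    # 3. Issued directly by the CA: no intermediates are supplied, and the
    #    system trust directory is excluded, so a chained certificate fails.
    openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: not signed directly by the supplied CA" >&2; return 1; }

    echo "OK: ${bits}-bit RSA, key matches, issued directly by CA"
}

# Demo on the constructed sample (self-signed, so the certificate is its own CA).
demo_dir=$(mktemp -d)
make_sample_pair "$demo_dir"
check_recording_pair "$demo_dir/cert.pem" "$demo_dir/private_key.pem" "$demo_dir/cert.pem"
rm -rf "$demo_dir"
```

For a CA-signed certificate, pass the CA certificate file as the third argument; a failure at step 3 then indicates an intermediate CA in the chain or the wrong CA file.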

Recording Certificates Screen for Uploading Keys

The Platform Administration section of the Genesys Hub is the tool you use to manage your recording certificates (public keys), and private keys.

The Recording Certificates screen displays the list of defined Recording Certificates. To refresh the list at any time, click the refresh icon.

Click a Recording Certificate in the list to display its details.

To filter the contents of this list, type the name or partial name of the object in the Quick Filter field.

To sort the Recording Certificates, click a column heading. Click the heading a second time to reverse the order.

You can perform the following tasks on this screen:

  • Upload new certificates.
  • Delete certificates.
    Deleting a certificate or key makes the recordings that were encrypted with it unplayable. Losing the private key will result in a loss of recordings. If you must delete a certificate or key, contact Genesys Customer Care.

All of the following steps should be performed by an administrator at the customer's site.

Encrypting Voice Recordings

The following steps describe how you can configure encryption for voice recordings.

Uploading Recording Certificates

When configuring the Recording Lifecycle Scheduler for a specific tenant, you must log in to GAX using a user account belonging to the tenant.

To upload a new certificate:

  1. From the Genesys Hub, select Platform Administration, and log in as the user with permissions to create certificates.
  2. Navigate to Administration > Certificates.

  3. On the Recording Certificates panel, click Upload.

  4. On the Upload Certificate panel, in the Certificate File section, click Choose File.
  5. Select the recording certificate. This file must contain an X.509 RSA certificate in PEM format. The Subject Name, Serial Number, Subject DN, and Issuer DN fields automatically populate.
  6. In the Key File section, click Choose File.
  7. Select the private key. The file must contain an RSA private key in PEM format. The encoding can be in either OpenSSL RSA private key or PKCS8 format. The Key Details field automatically populates.

  8. If the private key file is encrypted, enter the Private Key Password.
  9. Click Save.
  • If you upload and/or delete recording certificates in one Platform Administration session, these changes are not reflected in another Platform Administration session. You must log out of the second Platform Administration session and log in again.
  • Once you have successfully uploaded the recording certificates, you must contact Genesys and ask to have the certificate assigned to your IVR Profile to enable encryption for voice calls. You must also provide Genesys with the CA certificate (or the recording certificate if it is self-signed).

To enable encryption for screen recordings, follow the instructions below (after completing the upload step above).

Encrypting Screen Recordings

The Screen Recording Certificates screen enables you to add or remove certificates for screen recordings. Use the steps described in the sections below to configure encryption for screen recordings.

Assigning Screen Recording Certificates

To assign a new certificate:

  1. In the header, go to Administration > Screen Recording Certificates.
  2. On the Screen Recording Certificates panel, click Add.
  3. From the Select Certificate window, perform one of the following actions:
    • Select the check box next to the appropriate certificate, and click Add.
    • Click Cancel to discard any changes.
  4. Perform one of the following actions:
    • Click the Save button to accept the changes.
    • Click the Cancel button to discard the changes.

Removing Screen Recording Certificates

To remove a Recording Certificate, perform the following actions:

  1. In the header, go to Administration > Screen Recording Certificates.
  2. On the Screen Recording Certificates panel, select the check box next to the certificate that you want to remove.
  3. Click Remove.
  4. Perform one of the following actions:
    • Click the Save button to accept the changes.
    • Click the Cancel button to discard the changes.
  • If you remove a certificate from the Screen Recording Certificates, you will turn off encryption, and screen recordings will no longer be encrypted.
  • If encryption is turned off, existing recording files are not modified, allowing for decryption of those existing files to continue.

This page was last modified on 9 November 2017, at 04:19.