---
layout: page
title: Spectrum 2
---

To configure SSL support for Spectrum2 in server mode, you have to generate server-side certificate, convert it to PKCS#12 format and configure path to it in Spectrum 2 config file.

This article describes how to generate self-signed server certificate and use it in Spectrum 2.

### Setup your own CA (Certificate Authority)

	$ openssl genrsa -des3 -out my-ca.key 2048
	$ openssl req -new -x509 -days 3650 -key my-ca.key -out my-ca.crt

### Make a key and a certificate for the server

When prompted for "Common Name (eg, your name or your server's hostname) []:", add the hostname/JID of your transport (for example "localhost").

When prompted for "A challenge password []:", *do not* set it.

	$ openssl genrsa -des3 -out spectrum2-server.key 1024
	$ openssl req -new -key spectrum2-server.key -out spectrum2-server.csr
	$ openssl x509 -req -in spectrum2-server.csr -out spectrum2-server.crt -sha1 -CA my-ca.crt -CAkey my-ca.key -CAcreateserial -days 3650

### Convert server key and certficate to PKCS#12 format

When generating pkcs12 file, *do not* set the Export password. Spectrum 2 currently doesn't parse pkcs12 certificates with password.

	$ openssl pkcs12 -export -in spectrum2-server.crt -inkey spectrum2-server.key -out spectrum2-server.p12

### Set path to certificate in config file

Set the path to cert and configure certificate password if you set one for the pkcs12 file.

	[service]
	...
	cert=/etc/spectrum2/certificates/spectrum2-server.p12