Koozali.org: home of the SME Server

Buying a certificate, how do I install it

Offline Kobus

Buying a certificate, how do I install it
« on: April 12, 2009, 10:22:54 PM »
Hi

I am buying a certificate for my SME server. Can anybody tell me how to install it on my SME server installation, please? Searching the forums and the FAQ does not produce anything useful.

Thanks

Kobus
Kobus............

Offline David Harper

Re: Buying a certificate, how do I install it
« Reply #1 on: April 13, 2009, 04:56:16 AM »
The closest thing we have to a howto is http://wiki.contribs.org/Custom_CA_Certificate, although this only deals with cacert.org.

The one time I tried to trial a commercial certificate I found that because some authorities now insist on installing an intermediate certificate as well as your commercial one, the issues presented exceeded the scope of the above tutorial, and I gave up.

So my advice is twofold when selecting a commercial certificate:

1. Make sure that there are no intermediate certificates required. You should not have to install any certificate other than the one created specifically for your server.
2. Make sure that the seller offers full installation support AND money back if they can't make the certificate work. The better certifying authorities offer full support to get your certificate installed - and you may end up requiring it.

Offline william_syd

Re: Buying a certificate, how do I install it
« Reply #2 on: April 13, 2009, 11:27:21 AM »
David,

Do these bugs help with the intermediate certificate issue?

http://bugs.contribs.org/show_bug.cgi?id=1779
http://bugs.contribs.org/show_bug.cgi?id=4450

Regards,
William

IF I give advice.. It's only if it was me....

Offline trschober

Re: Buying a certificate, how do I install it
« Reply #3 on: April 15, 2009, 05:53:16 PM »
I have managed to install a custom certificate (with intermediate certs, too!)

This outlines the basic procedure.

First of all, generate the CSR, get it approved, and get your .crt and .key from your CA. You also have to get the intermediate certificate "intermediate.crt".
Once you get those, copy your .crt and your intermediate.crt to /home/e-smith/ssl.crt/ and your .key to /home/e-smith/ssl.key/

You can unencrypt your key so it doesn't ask for the passphrase on every boot with
Code:
openssl rsa -in yourkey.key -out unencryptedkey.key
Then you have to

Code:
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/intermediate.crt
config setprop modSSL crt /home/e-smith/ssl.crt/yourcert.crt
config setprop modSSL key /home/e-smith/ssl.key/yourkey.key

Now we have to modify the template to get the mail certificate right.
Code:
cp /etc/e-smith/templates/home/e-smith/ssl.pem/40crt /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt
nano /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt

Modify lines 5 and 8 so they look like this:
Code:
5        my $crt = $modSSL{'CertificateChainFile'};
8        $crt = "/home/e-smith/ssl.crt/intermediate.crt";

Now apply the changes:
Code:
# signal-event domain-modify
# signal-event email-update

This should not be needed, but just in case, here it is.

If Apache can't get the certs right, you have to create new templates (copy these files to /etc/e-smith/templates-custom and modify those copies) from
Code:
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateChainFile
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCertificateFile

and modify the part that says
Code:
    my $crt = $modSSL{'crt'} ||
        "/home/e-smith/ssl.crt/${SystemName}.${DomainName}.crt";

    my $key = $modSSL{'key'} ||
        "/home/e-smith/ssl.key/${SystemName}.${DomainName}.key";

to look like:
Code:
    my $crt = $modSSL{'crt'} ||
        "/home/e-smith/ssl.crt/yourcert.crt";

    my $key = $modSSL{'key'} ||
        "/home/e-smith/ssl.key/yourkey.key";
« Last Edit: April 16, 2009, 04:26:39 AM by trschober »
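
An added example, not part of trschober's post or of SME Server's own tooling: pre-flight checks to run on the three files from the procedure above before applying the configuration. The function names and the `make_demo_files` helper are hypothetical; the helper builds constructed throwaway certificates only so the checks can be tried offline, and an encrypted key is treated as a failure because the post's goal is an unattended boot.

```shell
# Added example: pre-flight checks before pointing modSSL at purchased
# certificate files. File names are the placeholders used in the post.

# True if the PEM key is still passphrase-protected (would prompt at boot).
key_is_encrypted() { grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"; }

# True if group and other have no access at all to the key file.
key_perms_ok() { case "$(ls -ld "$1")" in -???------*) return 0 ;; *) return 1 ;; esac; }

# True if the certificate and the RSA key carry the same modulus.
cert_matches_key() {  # $1 = certificate, $2 = key
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    # -passin pass: makes an encrypted key fail instead of prompting
    k=$(openssl rsa -in "$2" -passin pass: -noout -modulus 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# True if the certificate's issuer name equals the intermediate's subject
# name. This is a name check only; it does not verify the signature.
issued_by() {  # $1 = certificate, $2 = intermediate
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    s=$(openssl x509 -in "$2" -noout -subject_hash 2>/dev/null) || return 1
    [ -n "$i" ] && [ "$i" = "$s" ]
}

# Run every check, print each failure, return non-zero if any failed.
preflight() {  # $1 = certificate, $2 = key, $3 = intermediate
    rc=0
    key_is_encrypted "$2" && { echo "key still encrypted: $2"; rc=1; }
    key_perms_ok "$2" || { echo "key accessible beyond its owner: $2"; rc=1; }
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match"; rc=1; }
    issued_by "$1" "$3" || { echo "$3 is not the issuer of $1"; rc=1; }
    return $rc
}

# Constructed throwaway material for trying the checks (not real certificates).
make_demo_files() {  # $1 = existing empty directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Intermediate" \
        -keyout "$1/int.key" -out "$1/intermediate.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/yourkey.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/intermediate.crt" -CAkey "$1/int.key" \
        -set_serial 1 -days 2 -out "$1/yourcert.crt" 2>/dev/null &&
    chmod 600 "$1/yourkey.key"
}
```

Call `preflight` with the certificate, key and intermediate paths before the `signal-event` steps. For a full signature check against the CA's root certificate, the usual command is `openssl verify -CAfile <root.crt> -untrusted intermediate.crt yourcert.crt`.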

Offline Kobus

Re: Buying a certificate, how do I install it
« Reply #4 on: April 15, 2009, 06:01:13 PM »
Hi

Thanks for this, as soon as I get it I will definitely give it a try.

Kobus
Kobus............

Offline cactus

Re: Buying a certificate, how do I install it
« Reply #5 on: April 15, 2009, 08:08:16 PM »
Did you ever see this bug: http://bugs.contribs.org/show_bug.cgi?id=1779 ? AFAIK this should be supported out of the box
« Last Edit: April 15, 2009, 08:10:18 PM by cactus »
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline janet

Re: Buying a certificate, how do I install it
« Reply #6 on: April 16, 2009, 01:40:16 AM »
trschober

Your suggested method of creating adjustments within the /etc/e-smith/templates tree is a wrong thing to do, and promotes others to also do the wrong thing.

The idea is to leave existing templates unchanged, and make custom template versions in the /etc/e-smith/templates-custom tree, which will override the original templates when expanded.
If the fragment name is the same, then the fragment template in the /etc/e-smith/templates-custom tree will take precedence over the same fragment in the /etc/e-smith/templates tree.

You can easily return your server to default (and get yourself out of trouble) by deleting the custom templates in /etc/e-smith/templates-custom, plus of course expand templates & restart services.

Your instruction would better read:

cp /etc/e-smith/templates/home/e-smith/ssl.pem/40crt /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt

nano /etc/e-smith/templates-custom/home/e-smith/ssl.pem/41intermediateCrt

The same concept applies for other suggestions re editing templates.

Please change your original post to reflect this correct approach, so that others do not copy and perpetuate your "not recommended" approach.

Thanks
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline trschober

Re: Buying a certificate, how do I install it
« Reply #7 on: April 16, 2009, 04:23:37 AM »
Sure, no problem, I will edit it now.

Offline electroman00

Re: Buying a certificate, how do I install it
« Reply #8 on: April 20, 2009, 03:39:40 AM »
sure no problem, I will edit it now

Also, once a few report back that all is well, consider adding a wiki page in the "How To" section. Page name suggested: "Certificates Commercial".