Laager,
here is the old howto for 6.0 & &.0 ( thanks to Nick Critten )
ignore the 6.0 sections and follow the CA Cert part;
Creating SSL Certificates on SME 6.0 & 7.0
Version3.1
Nick Critten, ncrittenATgmail.com
Note: If you are running SME7, please see my new howto
Adapted from a document originally produced by Shelby L Moore,shelbymATv-cut.com
The original document is no longer at its old location, if anyone knows where it is now located please let me know
V.1.0 4th January, 2003
V.2.0 15th October, 2004
V.2.1 3rd January, 2005
v.2.2 16th April, 2005
v.3.0 7th March, 2006
v.3.1 23rd May, 2006
v.3.1.1 28th June, 2006
This is a guide to setup a Self-Signed Certificate or a CA Signed Certificate for your SME 6.x or SME7.0 Server.
This guide has been tested with all versions of SME from SME6.0 up to SME7pre3
1.0 Introduction
As previously stated, the original document was created by Shelby L Moore, I needed to create a new SSL certificate for my 6.0b3 Box, and could not find any definitive instructions anywhere, eventually I used Shelby's document (which was for SME5) and help from 2 or three forums to generate this completed document.
Considerable portions from Shelby's original document remain... I sincerely hope that they do not mind
1.1 Thanks
Obviously thanks go to Shelby, for writing the excellent document in the first place, but also to the members of the contribs.org forums, who have helped me out on numerous occasions since my starting to use SME server two or three years ago. I really must start putting more back in and helping others with problems I have overcome.. Hopefully this document is a step in the right direction.
2.0 Procedure
For those who want to get set up as quickly as possible, skip to the end for the summarised instructions, but please read through the document at least once, so that you understand what is going on!
2.1 Create a Private Key
You need to decide if you want your key to require a password. If you choose the password approach you will have to type it in every time your secure Web server starts.
Security Note: RedHat documentation says disabling the password feature for your secure Web server is a security risk. It is not recommended that you disable the password feature for your secure Web server. However SME default certificate contains no password, so I go with the no password route.
2.1.1 Private Key with Password
Create your own random key, Type in the following command:
/usr/bin/openssl genrsa -des3 1024 > /home/e-smith/ssl.key/server.key
Your system will display a message similar to the following:
Generating RSA private key, 1024 bit long modulus
........+++++++
........+++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
You now need to type in your password. For best security, your password should contain at least eight characters, include numbers and/or punctuation, and not be a word in a dictionary. Also, remember that your password is case sensitive.
You will be asked to re-type the password, to verify that it is correct. Once you have typed it in correctly, a file called server.key, containing your key, will be created.
2.1.2 Private Key without Password
So you like living on the edge. No worry, we all do at sometime. Use the following command:
/usr/bin/openssl genrsa 1024 > /home/e-smith/ssl.key/server.key
After you use the above command to create your key, you will not need to use a password to start your secure Web server.
2.2 Generate an SSL Certificate
Agian you have a choice. You can make self-signed Certificate or generate a Certificate and send it off to a CA to be signed. The advantage of the CA signed Certificate is most browser packages will then trust your certificate automatically. The disadvantage is the thing will set you back a 100+ bucks. If you are like me you don't have the money so I went with the self-signed, and it is working fine for me. You have to tell the browser to trust the Certificate and then install it on your machine, but you only have to do this one time.
2.2.1 Creating a Self-Signed SSL Certificate
Type the following command to create a self-signed Certificate:
/usr/bin/openssl req -new -key /home/e-smith/ssl.key/server.key -x509 -days 365 -out /home/e-smith/ssl.crt/server.crt
You will see the following output and you will be prompted for your password (unless you generated a key without a password):
Enter PEM pass phrase:
After you enter your password (or without a prompt if you created a key without a password), you will be asked for more information. The computer's output and a set of inputs look like the following (you will need to provide the correct information for your site, examples of these are in bold.):
NOTE: When asked for the common name, you must enter the FQDN that the users will be using to access the server. e.g. If the server is primarily an email server, you would probably put mail.domain.com If the FQDN entered by the user does not match the name on the certificate, then the client machine will not trust it.
Country Name (2 letter code) [US]:UK
State or Province Name (full name) [Some-State]:South Wales
Locality Name (eg, city) []:Cardiff
Organization Name (eg, company) [Internet Widgits]:Imaginary Company Ltd.
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.domain.co.uk
Email Address []:postmaster@domain.com
After you provide the correct information, a self-signed certificate will be created and placed in /home/e-smith/ssl.crt/server.crt
2.2.2 Creating a SSL Certificate Request to Send to a CA
Type the following command to generate a Certificate request, which you will need to send to the CA of your choice:
/usr/bin/openssl req -new -key /home/e-smith/ssl.key/server.key -out /home/e-smith/ssl.crt/server.crt
You will see the following output and you will be prompted for your password (unless you generated a key without a password):
Enter PEM pass phrase:
After you enter your password (if you set one), you will be asked for more information. The computer's output and a set of inputs look like the following (you will need to provide the correct information for your site, examples of these are in bold.)
Country Name (2 letter code) [US]:UK
State or Province Name (full name) [Some-State]:South Wales
Locality Name (eg, city) []:Cardiff
Organization Name (eg, company) [Internet Widgits]:Imaginary Company Ltd.
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.domain.co.uk
Email Address []:postmaster@domain.com
Please enter the following 'extra' attributes
to be sent with our certificate request
A challenge password []:
An optional company name []:
Do not use either of the extra attributes. To continue without entering these fields, just press [Enter] to accepts the blank default for both inputs.
When you have finished entering your information, a file named server.csr will be created. This file is your certificate request, ready to send to your CA.
After you decide on a CA, follow the instructions they provide on their website. Their instructions will tell you how to send your certificate request, and any other documentation that they require, and of course your payment to them.
They will send a certificate to you (usually by email). Save (or cut and paste) the certificate that they send you as /home/e-smith/ssl.crt/server.crt
(Thanks to Jay Farschman for pointing out a Typo Here!)
2.3 Replace old Key and Certificate
Now that we have a key and certificate created we can replace the originals created by our SME server:
The key and Certificate we just created are located in the following directories:
/home/e-smith/ssl.key/server.key
/home/e-smith/ssl.crt/server.crt
There is of course already a key and certificate in each of these directories. They are named like this server.domain.com.crt So lets first backup these files and replace them
cd /home/e-smith/ssl.key
mv servername.domain.com.key old.key
mv server.key servername.domain.com.key
cd /home/e-smith/ssl.crt
mv servername.domain.com.crt old.crt
mv server.crt servername.domain.com.crt
We then need to set the owner and group:
chown root.root /home/e-smith/ssl.key/servername.domain.com.key
chown root.root /home/e-smith/ssl.crt/servername.domain.com.crt
And finally we set the permissions:
chmod 400 /home/e-smith/ssl.key/servername.domain.com.key
chmod 644 /home/e-smith/ssl.crt/servername.domain.com.crt
2.4 Restart Your Secure Server
You can restart your secure server with the following commands: (If you chose to have a password you will be prompted to enter it.)
/etc/rc7.d/S86httpd-e-smith restart
/etc/rc7.d/S86httpd-admin start
2.5 Test Your New Certificate
Point your Web browser to say the page for webmail. The URL to access webmail with the secure server will look like this:
https://mail.domain.com/webmailIf you are using a CA-Signed certificate from a well-known CA, your browser will most likely automatically accept the certificate (without prompting for input) and create the secure connection.
Your browser will not automatically recognize your self-signed certificate, because the certificate is not signed by a CA. Simply follow the instructions provided by your browser to accept the certificate and install it. You will only have to do this one time. Once your browser accepts the certificate you should get the webmail home page. Close your browser and try accessing the page again, notice this time no security warning or prompt.
2.6
Running the following commands will update the certificates
* Configure SME database
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
* and apply the changes
signal-event console-save
reboot
2.7 Finished!
That is all there is to it. You should now have a fully functional and happy secure web server.
8 Replies
6423 Views