Koozali.org: home of the SME Server

Obsolete Releases => SME Server 7.x => Topic started by: william_syd on July 14, 2006, 04:41:11 PM

Title: SSL Certificate auto replacement
Post by: william_syd on July 14, 2006, 04:41:11 PM
Does the certificate at -

Code:
/etc/httpd/conf/ssl.crt/server.crt

ever get replaced by SME at anytime ?
Title: SSL Certificate auto replacement
Post by: jfarschman on July 18, 2006, 04:58:48 PM
Yes, it's generated when you change the server name, and I believe when it expires it is also regenerated.

Or so I am assuming.  I never tested this.
Title: SSL Certificate auto replacement
Post by: CharlieBrady on July 18, 2006, 05:29:10 PM
Quote from: "jfarschman"
Yes, it's generated when you change the server name, and I believe when it expires it is also regenerated.


No, SME server's self-generated and self-signed certificate is elsewhere. The referenced file is never used and is never replaced or regenerated. I don't know off the top of my head where it comes from. I've never looked, and didn't know it existed until OP mentioned it.
Title: SSL Certificate auto replacement
Post by: william_syd on July 18, 2006, 06:05:39 PM
Thanks for that.

I knew the one here
Code:
/home/e-smith/ssl.crt/
got changed but wasn't sure if
Code:
/etc/httpd/conf/ssl.crt/
got changed, copied and renamed to the e-smith location.

I've put together a little How-To on CA signed certs based on the RedHat manual and the above is where they put their certs.

http://no.longer.valid/phpwiki/index.php/Creating%20a%20CA%20signed%20SSL%20Certificate
Title: SSL Certificate auto replacement
Post by: CharlieBrady on July 18, 2006, 06:16:41 PM
That file is created during the installation of the mod_ssl RPM:

[root@test7 ~]# rpm -qf /etc/httpd/conf/ssl.crt/
mod_ssl-2.0.52-22.ent.centos4
[root@test7 ~]# rpm -qf /etc/httpd/conf/ssl.crt/*
mod_ssl-2.0.52-22.ent.centos4
file /etc/httpd/conf/ssl.crt/server.crt is not owned by any package
[root@test7 ~]# rpm -q --scripts mod_ssl
postinstall scriptlet (using /bin/sh):
umask 077

if [ ! -f /etc/httpd/conf/ssl.key/server.key ] ; then
/usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > /etc/httpd/conf/ssl.key/server.key 2> /dev/null
fi

FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
   FQDN=localhost.localdomain
fi

if [ ! -f /etc/httpd/conf/ssl.crt/server.crt ] ; then
cat << EOF | /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
fi
[root@test7 ~]#
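The thread's real question is which file Apache actually serves. The script below is an added example, not code from the thread or from the SME Server project: it compares the fingerprint of the certificate presented on port 443 with the fingerprint of each candidate file, so a stray mod_ssl-generated server.crt is not mistaken for the live one, and flags files nearing expiry. Host, port and file paths are assumptions; only openssl and sed are needed.

```shell
#!/bin/sh
# Added example (not from the thread or the SME Server project).
# Tells which certificate file matches the one Apache really presents.
# Host, port and paths are assumptions; adjust to the server in hand.

# SHA-1 fingerprint of a PEM certificate file, as 40 bare hex digits.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 2>/dev/null |
        sed 's/^.*=//; s/://g'
}

# Fingerprint of the certificate a TLS server presents on host:port.
served_fingerprint() {
    echo | openssl s_client -connect "$1:$2" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1 2>/dev/null |
        sed 's/^.*=//; s/://g'
}

# True (exit 0) when both files carry the same certificate.
same_cert() {
    a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# True (exit 0) when the certificate in FILE expires within SECONDS
# (or cannot be read at all, which is treated as "needs attention").
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1      # -checkend succeeds when the cert is still good
    fi
    return 0
}

# For each candidate file, report whether it matches the served certificate.
report_cert_usage() {
    host=$1; port=$2; shift 2
    live=$(served_fingerprint "$host" "$port")
    [ -n "$live" ] || { echo "no certificate received from $host:$port"; return 1; }
    for f in "$@"; do
        [ -f "$f" ] || { echo "MISSING $f"; continue; }
        if [ "$(cert_fingerprint "$f")" = "$live" ]; then echo "IN USE  $f"
        else echo "UNUSED  $f"; fi
        if cert_expires_within "$f" $((30 * 86400)); then
            echo "        (expires within 30 days)"; fi
    done
}

# Example run (paths from the thread): ./certcheck.sh myserver 443 \
#     /etc/httpd/conf/ssl.crt/server.crt /home/e-smith/ssl.crt/*.crt
if [ "$#" -ge 3 ]; then report_cert_usage "$@"; fi
```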