Certificate

From SME Server
Revision as of 05:54, 19 September 2015 by RayMitchell (talk | contribs) (added mkdir command)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search


Custom Certificate for SME 7.1.3 and above versions

Information.png Tip:
The Certificate concept on SME Server is a large topic that you can learn in this dedicated wiki page


How to change your certificate

Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:

config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.key/key
expand-template /home/e-smith/ssl.crt/crt
signal-event domain-modify
signal-event email-update 

see this forum thread [1] and bug report [2]

How to set expiration time

The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS. To specify how long your SME certificate will last for, do the following:

mkdir -p /etc/e-smith/templates-custom/home/e-smith/
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt

change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.

Save & exit by pressing the following keys at the same time

ctrl o
ctrl x

Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.

rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
signal-event post-upgrade
signal-event reboot

Install the new certificate into your browser.

Also see http://wiki.contribs.org/Certificates_Concepts

Custom Certificate for SME 7.0 to less than 7.1.3

Warning.png Warning:
The following Contrib has been obseleted by the inclusion of functionality in later SME versions (see above). You are advised to upgrade to the latest SME version and use the commands shown above to configure the Common Name.


Maintainer

Dietmar Berteld
mailto:dietmar@berteld.com

This RPM is based on Nick Critten's great howto. Thanks a lot Nick for your brillant work!

Description

With this RPM-package you can simply set up a new SSL certificate on your SME7 server with a custom Common Name. When installing SME Server, you get a default certificate with the information http://www.xyzcorp.xxx/ and XYZ Corporation. With this package, the certificate information will be updated with the following information:

  • FQDN (Full Qualified Domain Name), which is SystemName.DomainName', e.g. home.myserver.com
  • City, which depends on your given info in server manager's directory section
  • Company, which depends on your given info in server manager's directory section
  • Department, which depends on your given info in server manager's directory section
  • E-Mail, which is admin@FQDN

The default length of time for this certificate is 365 days.

Download

You can download this package at smeserver-certificate . If you would like to save it directly on your SME Server, you should give this command at a linux-prompt

wget http://mirror.contribs.org/smeserver/contribs/dberteld/certificate/smeserver-certificate-1.0-1.noarch.rpm

Installation and Uninstall

For installation just enter the following command

yum localinstall smeserver-certificate-1.0-1.noarch.rpm 

For uninstall just enter the following command

yum remove smeserver-certificate

You can ignore the yum-comments signal event post-upgrade and signal-event reboot.

Use

The package installs a custom template in

/etc/e-smith/templates-custom/home/e-smith/ssl.crt 

With the Custom Template installed the cert will be rebuilt if:

  • $defaultCity
  • $defaultCompany
  • $defaultDepartment
  • $domainName

are changed.

So normally you don't have to do anything in addition.

Tips

To change the length of time before a certificate expires, change Line 2 of the ssl.crt script

use constant KEYLIFEINDAYS => 365;

Change 365 to the number of days to expire by (2Years = 730, 3Years = 1095, etc.)

use constant KEYLIFEINDAYS => 730;

You can change your desired Common Name (FQDN) in line 12. For doing this, change the default info

my $CommonName = $FQDN;

to your desired name

my $CommonName = "special.myserver.com";


After changing your infos, you have to update your certificate manually with

signal-event domain-modify
signal-event email-update 


Additional information

For additional information see this thread.