Certificates signed by own CA
This document describes how to create an own CA and make certifcates for all your servers signed by the own CA. Users can install the root certificate in the browsers or on mobile devices and then SSL access to all servers in your domain without getting certificate errors. The main purpose is the use in intranet web applications and enabling automatic push synchronization on mobile devices.
Download and unpack the scripts
cd /root wget http://mirror.contribs.org/smeserver/contribs/michaelw/sme7/Certificates/ca_certs-0.0.1.tar.gz tar xzf ca_certs-0.0.1.tar.gz cd /root/ca_certs
Now open the openssl.cnf file in your editor and adjust the values of the following variables. Do not modfiy anything else.
0.organizationName_default = My Company organizationalUnitName_default = IT Department localityName_default = My City stateOrProvinceName_default = My State countryName_default = DE commonName_default = My Company Root CA emailAddress_default = email@example.com
Generating the Root Certificate
Make the root certificate by running this script. Choose any name you like for COMPANY_NAME, e.g. your company name
You are asked to enter a pass phrase. Choose a strong one and memorize it. In the following you are asked to enter information. Just accept the defaults by hitting the enter key. The files private/COMPANY_NAME_ca_priv_key.pem and COMPANY_NAME_ca_cert.crt were created. Keep the private/COMPANY_NAME_ca_priv_key.pem safe and do never publish it! Note: The root certificate has a lifetime of 25 years set by the -days option inside the script.
Generating the Certificate Requests
Repeat the following for all your servers in your domain.
Make a certificate request for a host by running this script and pass the long hostname (FQHN) as the argument, e.g. sme7.mydomain.com
You are asked to enter information. Just accept the defaults by hitting enter. The private key file FQHN.key and and the certificate request files FQHN.csr were created. Keep the private key safe!
Generating the Certificates
Repeat the following for all your servers in your domain. Replace FQHN and COMPANY_NAME by the values you have used in the steps above.
./make_cert.sh FQHN COMPANY_NAME
You are asked to enter the root key pass phrase. The new certificate FQHN.crt has been created and is ready for installation. Note: The root certificate has a lifetime of 10 years set by the -days option inside the script.
Installing the new Certificates on SME Servers
Copy the key and certificate pairs FQHN.key and FQHN.crt to the appropriate SME Servers to /home/e-smith/ssl.crt/FQHN.crt and /home/e-smith/ssl.key/FQHN.key. Then install the new certificate on every SME Server by running
config setprop modSSL crt /home/e-smith/ssl.crt/FQHN.crt config setprop modSSL key /home/e-smith/ssl.key/FQHN.key signal-event console-save
Installing the new Certificates on other Servers
Consult the server documentation on how to install a new certificate.
Making the Root Certificate available for Download
Copy the root certificates COMPANY_NAME_ca_cert.crt (PEM format) and COMPANY_NAME_ca_cert_der.crt (binary format) to /home/e-smith/files/ibays/Primary/html/ so that your users can download and install them in their browser or on their mobile device. Mobile devices may require the certificate in the binary DER format, browsers usually accept both formats.