5,576
edits
Changes
From SME Server
Jump to navigationJump to search→How to set expiration time
see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689]
see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689]
====How to set expiration time====
====Expiration time of the self signed certificate====
One last point to note is that the sme self signed certificate is valid for one year, and it gets automatically renewed by sme server functionality on the anniversary of the installation date of the sme server OS.
So if a user installs your self signed certificate into their browser (ie the one issued by sme), then in a year or less time, they will again receive warning messages when they access your site using https, as your original security certificate has expired. The answer is for them to install the newly created certificate into their web browser again, but by that time they have forgotten what they did a year ago, and go into panic mode again and get scared of the warnings, and end up not accessing your site at all due to fear. The result, another time wasting call to your tech support line.
There is a mechanism (custom-templates) to specify how long your sme certificate will last for, eg you can change the validity to say 5 years (instead of 1 yr), if you feel that security model is acceptable, and that will save users from having to reinstall the sme certificate into their browsers every year eg they will be asked again to install it in 5 years (or less) depending when they first installed it.
See /etc/e-smith/templates/home/e-smith/ssl.crt
Copy that fragment from the templates tree to the templates-custom tree
Do
mkdir -p /etc/e-smith/templates-custom/home/e-smith/
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
then do
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.
and change the value for KEYLIFEINDAYS
on the first line to say 1826 for 5 years.
To to save & exit press the following keys at the same time
ctrl x
ctrl x
Then you need to force sme server to immediately create a new self signed certificate (with the longer validity period) by issuing the following commands. Note to replace the filenames with the correct file/key names applicable to your server.
rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.key/servername.domain.com.key
signal-event reboot
signal-event reboot
or to more thoroughly remove all old & unwanted files do the following (make a backup of files in these folders first, if you have commercial certificates). You should answer y to accept each file removal one at a time.
rm /home/e-smith/ssl.crt/*
rm /home/e-smith/ssl.key/*
rm /home/e-smith/ssl.pem/*
signal-event post-upgrade
signal-event reboot
Then add the new 5 year certificate to your browser, and no more questions from your browser until five years time when the certificate validity expires.
===Commercial certificates===
===Commercial certificates===
