Line 23: |
Line 23: |
| see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689] | | see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689] |
| | | |
− | ====How to set expiration time==== | + | ====Expiration time of the self signed certificate==== |
| + | One last point to note is that the sme self signed certificate is valid for one year, and it gets automatically renewed by sme server functionality on the anniversary of the installation date of the sme server OS. |
| | | |
− | The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS.
| + | So if a user installs your self signed certificate into their browser (ie the one issued by sme), then in a year or less time, they will again receive warning messages when they access your site using https, as your original security certificate has expired. The answer is for them to install the newly created certificate into their web browser again, but by that time they have forgotten what they did a year ago, and go into panic mode again and get scared of the warnings, and end up not accessing your site at all due to fear. The result, another time wasting call to your tech support line. |
− | To specify how long your SME certificate will last for, do the following:
| |
| | | |
| + | There is a mechanism (custom-templates) to specify how long your sme certificate will last for, eg you can change the validity to say 5 years (instead of 1 yr), if you feel that security model is acceptable, and that will save users from having to reinstall the sme certificate into their browsers every year eg they will be asked again to install it in 5 years (or less) depending when they first installed it. |
| + | |
| + | See /etc/e-smith/templates/home/e-smith/ssl.crt |
| + | |
| + | Copy that fragment from the templates tree to the templates-custom tree |
| + | |
| + | Do |
| + | mkdir -p /etc/e-smith/templates-custom/home/e-smith/ |
| cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt | | cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt |
| + | |
| + | then do |
| nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt | | nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt |
| | | |
− | change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years. | + | and change the value for KEYLIFEINDAYS |
| + | on the first line to say 1826 for 5 years. |
| | | |
− | Save & exit by pressing the following keys at the same time
| + | To to save & exit press the following keys at the same time |
− | ctrl o
| |
| ctrl x | | ctrl x |
| | | |
− | Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.
| + | Then you need to force sme server to immediately create a new self signed certificate (with the longer validity period) by issuing the following commands. Note to replace the filenames with the correct file/key names applicable to your server. |
| rm /home/e-smith/ssl.crt/servername.domain.com.crt | | rm /home/e-smith/ssl.crt/servername.domain.com.crt |
| rm /home/e-smith/ssl.key/servername.domain.com.key | | rm /home/e-smith/ssl.key/servername.domain.com.key |
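Review bot: the new save-and-exit instruction ("To to save & exit press the following keys at the same time") has a doubled "To", and this hunk also removes the "ctrl o" line, so the only key combination left under a "save & exit" heading is "ctrl x". Restore the write step, or reword the line so it says that ctrl x will prompt to save. Otherwise a reader can leave the editor with KEYLIFEINDAYS unchanged and then regenerate a certificate that still has the one year lifetime. The replaced KEYLIFEINDAYS sentence also dropped the statement that the value is a number of days; "to say 1826 for 5 years" should keep the unit explicit. The new paragraph offers the 5 year lifetime "if you feel that security model is acceptable" without saying what is being traded; one sentence on that would help, since the two rm lines that follow delete the existing key as well as the certificate.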
Line 44: |
Line 54: |
| signal-event reboot | | signal-event reboot |
| | | |
− | Install the new certificate into your browser.
| + | or to more thoroughly remove all old & unwanted files do the following (make a backup of files in these folders first, if you have commercial certificates). You should answer y to accept each file removal one at a time. |
| + | |
| + | rm /home/e-smith/ssl.crt/* |
| + | rm /home/e-smith/ssl.key/* |
| + | rm /home/e-smith/ssl.pem/* |
| + | signal-event post-upgrade |
| + | signal-event reboot |
| | | |
− | Also see http://wiki.contribs.org/Certificates_Concepts
| + | Then add the new 5 year certificate to your browser, and no more questions from your browser until five years time when the certificate validity expires. |
| | | |
| ===Commercial certificates=== | | ===Commercial certificates=== |
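Review bot: the added sentence "You should answer y to accept each file removal one at a time" relies on rm prompting, but the three added commands are plain "rm /home/e-smith/ssl.crt/*", "rm /home/e-smith/ssl.key/*" and "rm /home/e-smith/ssl.pem/*" with no -i. If the shell does not alias rm to an interactive form, every certificate and key in those directories is removed without a prompt, including the commercial ones the parenthesis warns about. Write the commands as "rm -i ..." and move the backup instruction out of the parenthesis into its own step before the rm lines. The alternative is also introduced with "or" after "signal-event reboot", so a reader working top to bottom has already rebooted before seeing it; place it before the first command sequence or mark the two sequences clearly as alternatives. The closing line promises no more browser questions "until five years time", which conflicts with the earlier "5 years (or less) depending when they first installed it". Finally, this hunk drops the "Also see http://wiki.contribs.org/Certificates_Concepts" pointer without a replacement.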