Difference between revisions of "Certificate"

From SME Server
m (added mkdir command)
 
(19 intermediate revisions by 10 users not shown)
Line 1: Line 1:
 
{{Languages}}
 
{{Languages}}
{{Overview}}
+
=Custom Certificate for SME 7.1.3 and above versions=
__NOTOC__
+
{{Tip box| The Certificate concept on SME Server is a large topic that you can learn in this dedicated [[Certificates_Concepts|wiki page]]}}
=Custom Certificate for SME 7.x=
+
 
 +
===How to change your certificate===
 +
 
 +
Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:
 +
 
 +
config setprop modSSL CommonName www.domain.com
 +
expand-template /home/e-smith/ssl.key/key
 +
expand-template /home/e-smith/ssl.crt/crt
 +
signal-event domain-modify
 +
signal-event email-update
 +
 
 +
see this forum thread [http://forums.contribs.org/index.php?topic=33109.15] and bug report [http://bugs.contribs.org/show_bug.cgi?id=1689]
 +
 
 +
==How to set expiration time==
 +
 
 +
The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS.
 +
To specify how long your SME certificate will last for, do the following:
 +
 
 +
mkdir -p /etc/e-smith/templates-custom/home/e-smith/
 +
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
 +
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
 +
 
 +
change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.
 +
 
 +
Save & exit by pressing the following keys at the same time
 +
ctrl o
 +
ctrl x
 +
 
 +
Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.
 +
rm /home/e-smith/ssl.crt/servername.domain.com.crt
 +
rm /home/e-smith/ssl.key/servername.domain.com.key
 +
rm /home/e-smith/ssl.pem/servername.domain.com.pem
 +
signal-event post-upgrade
 +
signal-event reboot
 +
 
 +
Install the new certificate into your browser.
 +
 
 +
Also see http://wiki.contribs.org/Certificates_Concepts
 +
 
 +
=Custom Certificate for SME 7.0 to less than 7.1.3=
 +
 
 +
{{Warning box|The following Contrib has been obseleted by the inclusion of functionality in later SME versions (see above). You are advised to upgrade to the latest SME version and use the commands shown above to configure the Common Name.}}
  
 
==Maintainer==
 
==Maintainer==
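Review bot: in the added "How to set expiration time" steps, the three rm lines and signal-event reboot are given without saying that the server restarts and that the private key file is deleted along with the certificate, so every client that trusted the old certificate has to import the new one. State that before the rm lines and suggest copying the three files aside first. The save instruction ("pressing the following keys at the same time", then ctrl o and ctrl x on separate lines) also reads as if all keys are pressed together; write it as Ctrl+O, then Ctrl+X.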
Line 8: Line 49:
 
mailto:dietmar@berteld.com
 
mailto:dietmar@berteld.com
  
This RPM is based on [http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl7.htm Nick Critton's] great howto. Thanks a lot Nick for your brillant work!
+
This RPM is based on [http://mirror.contribs.org/smeserver/contribs/nickcritten/howtos/ssl.htm Nick Critten's] great howto. Thanks a lot Nick for your brillant work!
  
 
==Description==
 
==Description==
 
With this RPM-package you can simply set up a new SSL certificate on your SME7 server with a custom Common Name.
 
With this RPM-package you can simply set up a new SSL certificate on your SME7 server with a custom Common Name.
When installing SME Server, you get a default certificate with the information ''http://www.xyzcorp.xxx/'' and ''XYZ Corporation''. With this package, the certificate information will be updated with the following informations:
+
When installing SME Server, you get a default certificate with the information ''http://www.xyzcorp.xxx/'' and ''XYZ Corporation''. With this package, the certificate information will be updated with the following information:
 
* FQDN (Full Qualified Domain Name), which is ''SystemName.DomainName', e.g. ''home.myserver.com''
 
* FQDN (Full Qualified Domain Name), which is ''SystemName.DomainName', e.g. ''home.myserver.com''
 
* City, which depends on your given info in server manager's directory section
 
* City, which depends on your given info in server manager's directory section
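Review bot: the changed credit line still reads "brillant"; since the line is already being touched to correct the link and the spelling of Nick Critten's name, fix that to "brilliant" as well. The unchanged FQDN bullet below it has an unbalanced quote (''SystemName.DomainName'), which breaks the italic markup and could be corrected in the same edit.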
Line 19: Line 60:
 
* E-Mail, which is ''admin@FQDN''
 
* E-Mail, which is ''admin@FQDN''
 
The default length of time for this certificate is 365 days.
 
The default length of time for this certificate is 365 days.
 
  
 
==Download==
 
==Download==
You can download this package at ''[http://sudemo.info/sme/sme7/config/smeserver-certificate-1.0-1.noarch.rpm  smeserver-certificate]'' . If you would like to save it directly on your SME Server, you should give this command at a linux-prompt
+
You can download this package at ''[http://mirror.contribs.org/smeserver/contribs/dberteld/certificate/smeserver-certificate-1.0-1.noarch.rpm  smeserver-certificate]'' . If you would like to save it directly on your SME Server, you should give this command at a linux-prompt
  wget http://sudemo.info/sme/sme7/config/smeserver-certificate-1.0-1.noarch.rpm  
+
  wget http://mirror.contribs.org/smeserver/contribs/dberteld/certificate/smeserver-certificate-1.0-1.noarch.rpm
  
 
==Installation and Uninstall==
 
==Installation and Uninstall==
For installation just hit the following command
+
For installation just enter the following command
 
  yum localinstall smeserver-certificate-1.0-1.noarch.rpm  
 
  yum localinstall smeserver-certificate-1.0-1.noarch.rpm  
For uninstall just hit the following command
+
For uninstall just enter the following command
 
  yum remove smeserver-certificate
 
  yum remove smeserver-certificate
 
You can ignore the yum-comments ''signal event post-upgrade'' and ''signal-event reboot''.
 
You can ignore the yum-comments ''signal event post-upgrade'' and ''signal-event reboot''.
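Review bot: the new download location in the Download section is still a plain http:// URL, and the package goes straight from wget into yum localinstall, so nothing on the page lets the reader confirm the RPM arrived unmodified. Publish a checksum next to the link, or, if the package is signed, tell the reader to check the signature (rpm -K) before installing.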
Line 43: Line 83:
 
are changed.  
 
are changed.  
  
So normally you don't have to do nothing in addition.
+
So normally you don't have to do anything in addition.
  
 
==Tips==
 
==Tips==
Line 57: Line 97:
 
  my $CommonName = $FQDN;
 
  my $CommonName = $FQDN;
 
to your desired name
 
to your desired name
  my $CommonName = special.myserver.com;
+
  my $CommonName = "special.myserver.com";
  
  
Line 67: Line 107:
 
== Additional information ==
 
== Additional information ==
 
For additional information see [http://forums.contribs.org/index.php?topic=33109.0 this thread].
 
For additional information see [http://forums.contribs.org/index.php?topic=33109.0 this thread].
 
 
Have much fun with your own certificate !
 
 
''Dietmar Berteld (berdie)''
 
  
  
 
----
 
----
[[Category: Contrib]]
+
[[Category: Howto]]
[[Category: Systemtools]]
+
[[Category:Administration:Certificates]]

Latest revision as of 05:54, 19 September 2015


Custom Certificate for SME 7.1.3 and above versions

Tip:
The Certificate concept on SME Server is a large topic that you can learn in this dedicated wiki page


How to change your certificate

Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:

config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.key/key
expand-template /home/e-smith/ssl.crt/crt
signal-event domain-modify
signal-event email-update 

See this forum thread (http://forums.contribs.org/index.php?topic=33109.15) and bug report (http://bugs.contribs.org/show_bug.cgi?id=1689).

How to set expiration time

The SME self-signed certificate is valid for one year and is automatically renewed on the anniversary of the installation date of the SME Server OS. To specify how long your SME certificate remains valid, do the following:

mkdir -p /etc/e-smith/templates-custom/home/e-smith/
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt

Change the value of KEYLIFEINDAYS on the first line to the number of days the certificate should remain valid, e.g. 1826 for 5 years.

Save and exit nano with the following key combinations (hold Ctrl while pressing the letter):

Ctrl+O
Ctrl+X

Create a new self-signed certificate with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.

rm /home/e-smith/ssl.crt/servername.domain.com.crt
rm /home/e-smith/ssl.key/servername.domain.com.key
rm /home/e-smith/ssl.pem/servername.domain.com.pem
signal-event post-upgrade
signal-event reboot

Install the new certificate into your browser.

Also see http://wiki.contribs.org/Certificates_Concepts
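
A check worth running once the certificate has been regenerated, as an added example (not part of the original wiki page or of SME Server's own tooling): it confirms the Common Name, the remaining lifetime, and that the key belongs to the certificate. It assumes the openssl command-line tool is installed; the sample certificate is constructed on the fly from the page's example values, and on a real server you would pass your own .crt and .key paths to check_cert.

```shell
#!/bin/sh
# Added example: post-regeneration checks for a self-signed certificate.
# Function names are hypothetical helpers, not SME Server commands.

# Print the Common Name from the certificate subject.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeed if the private key in $2 belongs to the certificate in $1.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Run all three checks: check_cert CRT KEY EXPECTED_CN MIN_DAYS
check_cert() {
    [ "$(cert_cn "$1")" = "$3" ] || { echo "CN mismatch: $(cert_cn "$1")"; return 1; }
    cert_valid_for_days "$1" "$4" || { echo "expires within $4 days"; return 1; }
    cert_matches_key "$1" "$2" || { echo "key does not match certificate"; return 1; }
    echo "ok"
}

# Constructed sample: a throwaway certificate with the page's example values
# (CN www.domain.com, KEYLIFEINDAYS 1826), written to directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1826 \
        -subj "/O=XYZ Corporation/CN=www.domain.com" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_cert "$demo_dir/sample.crt" "$demo_dir/sample.key" www.domain.com 1800
```

A certificate that still carries the default one-year lifetime fails the 1800-day check, which shows that the edited KEYLIFEINDAYS value was not picked up.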

Custom Certificate for SME 7.0 to less than 7.1.3

Warning:
The following Contrib has been made obsolete by the inclusion of this functionality in later SME versions (see above). You are advised to upgrade to the latest SME version and use the commands shown above to configure the Common Name.


Maintainer

Dietmar Berteld
mailto:dietmar@berteld.com

This RPM is based on Nick Critten's great howto. Thanks a lot Nick for your brilliant work!

Description

With this RPM-package you can simply set up a new SSL certificate on your SME7 server with a custom Common Name. When installing SME Server, you get a default certificate with the information http://www.xyzcorp.xxx/ and XYZ Corporation. With this package, the certificate information will be updated with the following information:

  • FQDN (Fully Qualified Domain Name), which is SystemName.DomainName, e.g. home.myserver.com
  • City, which depends on your given info in server manager's directory section
  • Company, which depends on your given info in server manager's directory section
  • Department, which depends on your given info in server manager's directory section
  • E-Mail, which is admin@FQDN

The default length of time for this certificate is 365 days.

Download

You can download this package at smeserver-certificate. If you would like to save it directly on your SME Server, run this command at a Linux prompt:

wget http://mirror.contribs.org/smeserver/contribs/dberteld/certificate/smeserver-certificate-1.0-1.noarch.rpm

Installation and Uninstall

For installation just enter the following command

yum localinstall smeserver-certificate-1.0-1.noarch.rpm 

For uninstall just enter the following command

yum remove smeserver-certificate

You can ignore the yum messages about signal-event post-upgrade and signal-event reboot.

Use

The package installs a custom template in

/etc/e-smith/templates-custom/home/e-smith/ssl.crt 

With the Custom Template installed the cert will be rebuilt if:

  • $defaultCity
  • $defaultCompany
  • $defaultDepartment
  • $domainName

are changed.

So normally you don't have to do anything in addition.

Tips

To change the length of time before a certificate expires, change Line 2 of the ssl.crt script

use constant KEYLIFEINDAYS => 365;

Change 365 to the number of days until expiry (2 years = 730, 3 years = 1095, etc.)

use constant KEYLIFEINDAYS => 730;

You can set your desired Common Name (FQDN) in line 12. To do this, change the default

my $CommonName = $FQDN;

to your desired name

my $CommonName = "special.myserver.com";


After changing this information, you have to update your certificate manually with

signal-event domain-modify
signal-event email-update 


Additional information

For additional information see this thread: http://forums.contribs.org/index.php?topic=33109.0