Difference between revisions of "Custom CA Certificate"

From SME Server
Jump to navigationJump to search
m (moved Certificates Custom CA to Custom CA Certificate over redirect: Revert, please do not change titles for sorting purposes. Please have a look at http://www.mediawiki.org/wiki/Help:Categories on sortkeys.)
m (Add Ctegory security and note)
 
(13 intermediate revisions by 5 users not shown)
Line 1: Line 1:
Extracted from: http://forums.contribs.org/index.php?topic=34624.0
+
{{usefulnote}}
 +
== Introduction ==
 +
From [http://en.wikipedia.org/wiki/CAcert.org wikipedia]
  
Author: slords
 
  
 +
<nowiki>
 +
CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). CAcert has over 200,000 verified users and has issued nearly 800,000 certificates as of January 2012. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet. Any application that supports the Secure Socket Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.
 +
</nowiki>
 +
 +
== Prerequisites ==
 +
* An account on cacert.org
 +
** Your domain(s) registered on your CAcert.org account
 +
 +
 +
== creating .csr and .key files ==
 
As root do the following:
 
As root do the following:
  
Line 8: Line 19:
 
  cd ~/cacert  
 
  cd ~/cacert  
  
Make a file named <b>cacert_csr_request</b>
+
* Create a file named cacert_csr_request
 +
 
 +
nano -w cacert_csr_request
  
 
  #!/usr/bin/perl
 
  #!/usr/bin/perl
Line 16: Line 29:
 
  use esmith::ConfigDB;
 
  use esmith::ConfigDB;
 
  use esmith::DomainsDB;
 
  use esmith::DomainsDB;
 +
 +
# variable to edit
 +
my $keycrypt = 2048;
 +
my $KEYLIFEINDAYS = 730;
 +
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
 +
# end of modifications
 
   
 
   
 
  my $config  = esmith::ConfigDB->open;
 
  my $config  = esmith::ConfigDB->open;
Line 27: Line 46:
 
  open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
 
  open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
 
  print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
 
  print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
  print CONFIG "[ req ]\ndefault_bits = 1024\ndistinguished_name = req_distinguished_name\n";
+
  print CONFIG "[ req ]\ndefault_bits = $keycrypt\ndistinguished_name = req_distinguished_name\n";
 +
# if you need a SHA1 csr, uncomment the following row
 +
#print CONFIG "default_md  = sha1\n";
 
  print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
 
  print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
  print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n\n";
+
  print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n";
 +
print CONFIG "countryName = $COUNTRYCODE\n";
 
  print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
 
  print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
 
  print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
 
  print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
 
  print CONFIG "\n";
 
  print CONFIG "\n";
 
  close(CONFIG) or die "Closing openssl config file reported: $!";
 
  close(CONFIG) or die "Closing openssl config file reported: $!";
 +
 
   
 
   
 
  unless ( -f "$domains[0].key" )
 
  unless ( -f "$domains[0].key" )
Line 54: Line 77:
 
                 /proc/uptime
 
                 /proc/uptime
 
                 )),
 
                 )),
             '1024')
+
             $keycrypt)
 
             || die "can't exec program: $!";
 
             || die "can't exec program: $!";
 
     }
 
     }
Line 71: Line 94:
 
         qw(req -config), "$domains[0].config",
 
         qw(req -config), "$domains[0].config",
 
         qw(-new -key), "$domains[0].key",
 
         qw(-new -key), "$domains[0].key",
         qw(-days 730 -set_serial), time())
+
         qw(-days $KEYLIFEINDAYS -set_serial), time())
 
         || die "can't exec program: $!";
 
         || die "can't exec program: $!";
 
  }
 
  }
Line 81: Line 104:
 
  close(CSR) or die "Closing csr file reported: $!";
 
  close(CSR) or die "Closing csr file reported: $!";
  
 +
 +
* modify the 3 variables in the script according to your needs
 +
# variable to edit
 +
my $keycrypt = 2048; #<= must be a 1024 multiple; some CA authorities ask for at least 2048
 +
my $KEYLIFEINDAYS = 730; # <= validity of the Certificate in days must be greater (or at least equal)than the validity of the one you are buying
 +
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
 +
# end of modifications
  
 
*Change permissions
 
*Change permissions
Line 90: Line 120:
 
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
 
From here replace the <b>{domain}</b> tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.
  
*Paste the output into the cacert.org website and get your certificate
+
===footnotes===
 +
 
 +
This script is helpful but incomplete. Some configurations info are missing in order to obtain a cert from some CA Authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the information needed are missing in the smeserver database like countrycode you have to insert them in the code for the moment...
 +
 
 +
== obtain .crt file from cacert==
 +
*Log into you account on the cacert.org and Add your FQDN under domains
 +
*and paste the output of the belowcommand under new server certificate
 
  cat {domain}.csr
 
  cat {domain}.csr
  
 +
== configuring your sme with your new certificate==
 
Then save your CA certificate in a file named ~/cacert/{domain}.crt
 
Then save your CA certificate in a file named ~/cacert/{domain}.crt
  
Line 98: Line 135:
 
  cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt  
 
  cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt  
 
  cp {domain}.key /home/e-smith/ssl.key/{domain}.key
 
  cp {domain}.key /home/e-smith/ssl.key/{domain}.key
 +
 +
you might have to add an Intermediate certificate from the SSL authority
 +
cp {CA}.crt /home/e-smith/ssl.crt/{CA}.crt
  
 
*Configure SME database
 
*Configure SME database
 
  config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
 
  config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
 
  config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
 
  config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
 +
 +
If you have to add an Intermediate certificate from the SSL authority
 +
config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/{CA}.crt
  
 
*and apply the changes
 
*and apply the changes
  signal-event console-save
+
  signal-event post-upgrade
  reboot
+
  signal-event reboot
 +
 
 +
or if you do not want to reboot your server:
 +
signal-event domain-modify
 +
signal-event email-update
  
 
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
 
Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.
 +
 +
== References ==
 +
* Extracted from: http://forums.contribs.org/index.php?topic=34624.0 (slords)
 +
* http://bugs.contribs.org/show_bug.cgi?id=1370 (unnilennium)
  
 
----
 
----
 
[[Category:Howto]]
 
[[Category:Howto]]
 +
[[Category:Administration:Certificates]]
 +
[[Category:Security]]

Latest revision as of 05:46, 19 October 2014

Is this article helpful to you?
Please consider donating or volunteering
Thank you!

Introduction

From wikipedia


CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). CAcert has over 200,000 verified users and has issued nearly 800,000 certificates as of January 2012. These certificates can be used to digitally sign and encrypt email, authenticate and authorize users connecting to websites and secure data transmission over the Internet. Any application that supports the Secure Socket Layer (SSL) can make use of certificates signed by CAcert, as can any application that uses X.509 certificates, e.g. for encryption or code signing and document signatures.

Prerequisites

  • An account on cacert.org
    • Your domain(s) registered on your CAcert.org account


creating .csr and .key files

As root do the following:

mkdir ~/cacert
cd ~/cacert 
  • Create a file named cacert_csr_request
nano -w cacert_csr_request
#!/usr/bin/perl

use strict;
use esmith::util;
use esmith::ConfigDB;
use esmith::DomainsDB;

# variable to edit
my $keycrypt = 2048;
my $KEYLIFEINDAYS = 730;
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
# end of modifications

my $config   = esmith::ConfigDB->open;
my $domainsdb = esmith::DomainsDB->open_ro;

my $domain = $config->get('DomainName')->value;
my %domain_names = map { $_->{key} => 1 } grep { $_->key ne $domain } $domainsdb->domains;

my @domains = ($domain, keys %domain_names);

open(CONFIG, ">$domains[0].config") or die "Can't open openssl config file: $!";
print CONFIG "HOME = .\nRANDFILE = \$ENV::HOME/.rnd\n\n";
print CONFIG "[ req ]\ndefault_bits = $keycrypt\ndistinguished_name = req_distinguished_name\n";
# if you need a SHA1 csr, uncomment the following row
#print CONFIG "default_md  = sha1\n";
print CONFIG "req_extensions = v3_req\nprompt = no\n\n";
print CONFIG "[ req_distinguished_name ]\nCN = $domains[0]\n";
print CONFIG "countryName = $COUNTRYCODE\n";
print CONFIG "[ v3_req ]\nbasicConstraints = CA:FALSE\nkeyUsage = nonRepudiation,digitalSignature,keyEncipherment\n";
print CONFIG "subjectAltName = critical,", join ",", map { "DNS:$_,DNS:*.$_" } @domains;
print CONFIG "\n";
close(CONFIG) or die "Closing openssl config file reported: $!";


unless ( -f "$domains[0].key" )
{
    open(KEY, ">$domains[0].key") or die "Can't open key file: $!";
    unless (open(SSL,"-|"))
    {
        exec("/usr/bin/openssl",
            qw(genrsa -rand),
            join(':',
            qw(
                /proc/apm
                /proc/cpuinfo
                /proc/dma
                /proc/filesystems
                /proc/interrupts
                /proc/ioports
                /proc/bus/pci/devices
                /proc/rtc
                /proc/uptime
                )),
            $keycrypt)
            || die "can't exec program: $!";
    }
    while (<SSL>)
    {
        print KEY $_;
    }
    close(SSL) or die "Closing openssl pipe reported: $!";
    close(KEY) or die "Closing key file reported: $!";
}

open(CSR, ">$domains[0].csr") or die "Can't open csr $!";
unless (open(SSL,"-|"))
{
    exec("/usr/bin/openssl",
        qw(req -config), "$domains[0].config",
        qw(-new -key), "$domains[0].key",
        qw(-days $KEYLIFEINDAYS -set_serial), time())
        || die "can't exec program: $!";
}
while (<SSL>)
{
    print CSR $_;
}
close(SSL) or die "Closing openssl pipe reported: $!";
close(CSR) or die "Closing csr file reported: $!";


  • modify the 3 variables in the script according to your needs
# variable to edit
my $keycrypt = 2048; #<= must be a 1024 multiple; some CA authorities ask for at least 2048
my $KEYLIFEINDAYS = 730; # <= validity of the Certificate in days must be greater (or at least equal)than the validity of the one you are buying
my $COUNTRYCODE = "US";  ## <===================== change to your country code !
# end of modifications
  • Change permissions
chmod u+x cacert_csr_request
  • Execute the file
./cacert_csr_request

From here replace the {domain} tag with your Primary domain name. Also you will need to have all domains registered with your cacert.org account. This will create a certificate that includes all domains that exists on your sme box as both simple domain.com and wildcard *.domain.com.

footnotes

This script is helpful but incomplete. Some configurations info are missing in order to obtain a cert from some CA Authorities (http://www.flatmtn.com/article/setting-openssl-create-certificates) .Some of the information needed are missing in the smeserver database like countrycode you have to insert them in the code for the moment...

obtain .crt file from cacert

  • Log into you account on the cacert.org and Add your FQDN under domains
  • and paste the output of the belowcommand under new server certificate
cat {domain}.csr

configuring your sme with your new certificate

Then save your CA certificate in a file named ~/cacert/{domain}.crt

  • Copy to final location
cp {domain}.crt /home/e-smith/ssl.crt/{domain}.crt 
cp {domain}.key /home/e-smith/ssl.key/{domain}.key

you might have to add an Intermediate certificate from the SSL authority

cp {CA}.crt /home/e-smith/ssl.crt/{CA}.crt
  • Configure SME database
config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
config setprop modSSL key /home/e-smith/ssl.key/{domain}.key

If you have to add an Intermediate certificate from the SSL authority

config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/{CA}.crt
  • and apply the changes
signal-event post-upgrade
signal-event reboot

or if you do not want to reboot your server:

signal-event domain-modify
signal-event email-update

Once you have created/installed this certificate then if the client has the cacert.org root certificate installed then they should be able to go to any domain on your box and not get a warning.

References