Difference between revisions of "Certificate ssl management"

From SME Server
Jump to navigationJump to search
 
(15 intermediate revisions by 4 users not shown)
Line 5: Line 5:
 
=== Maintainer ===
 
=== Maintainer ===
 
[mailto:stephdl@de-labrusse.fr stephdl] Stéphane de Labrusse AKA [[User:stephdl|Stephdl]]<br />
 
[mailto:stephdl@de-labrusse.fr stephdl] Stéphane de Labrusse AKA [[User:stephdl|Stephdl]]<br />
 +
 +
 +
=== Version ===
 +
{{ #smeversion: smeserver-certificate}}
  
 
=== Description ===
 
=== Description ===
This contribution for smeserver adds a paner in the server-manager in order to save the certificate, the secret key and eventually the intermediate certificate if needed without the use of the command line interface.
+
This contribution for smeserver adds a panel in the server-manager in order to save the certificate, the secret key and eventually the intermediate certificate if needed without the use of the command line interface.
  
 
see that [[Certificates_Concepts|wiki page]] for more informations on how to set it manually
 
see that [[Certificates_Concepts|wiki page]] for more informations on how to set it manually
Line 27: Line 31:
  
 
You will need to answer to many questions, think about it before you type.
 
You will need to answer to many questions, think about it before you type.
 
=== Requirements ===
 
You need to enable the [[stephdl]] repository
 
  
 
=== Installation ===
 
=== Installation ===
 +
* for sme10
 +
yum install smeserver-certificate --enablerepo=smecontribs
  
Remember to first configure the required [[stephdl]] repository, then issue the following command on the SME Server shell:
+
[[File:Certificate-management.png|x300px]]
  
yum install smeserver-certificate --enablerepo=stephdl
+
Go to the manage ssl certificate panel on Server Manager and past and save your full server.crt and full server.key (included '''-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----''' and '''-----BEGIN RSA PRIVATE KEY-----/-----END RSA PRIVATE KEY-----''').
  
The 'official' way is to perform
+
There is also the possibility of needing a custom certificate from an [http://en.wikipedia.org/wiki/Intermediate_certificate_authorities Intermediate Certificate Authority]. If this is the case you'll get an additional CA certificate and you need to past into the box called 'SSL intermediate chain certificate'
  
signal-event post-upgrade;  signal-event reboot
+
'''Remember'''
  
but if you don't want to reboot your server, do  
+
* Each time you press Save, the web server is restarted so you may need to load again the page (F5 or ctrl+F5) and look about the SSL certificate displayed by your browser
 +
* If you want to get back to the default SME Server certificates, simply blank all the contents and press save.
 +
* If you set wrong certificates, the server Web may crash. You will have to do a command line in a root Terminal to get back to the default certificate :
  
  signal-event console-save
+
  signal-event certificate-revert
  
Go to the manage ssl certificate panel on Server Manager and past your full server.crt and full server.key (included '''-----BEGIN CERTIFICATE-----/-----END CERTIFICATE-----''' and '''-----BEGIN RSA PRIVATE KEY-----/-----END RSA PRIVATE KEY-----''').
+
The bad certificates are not removed, but simply not used, then you can go back to the panel and see what is occurring with wrong certificates.
  
There is also the possibility one is getting a custom certificate from an [http://en.wikipedia.org/wiki/Intermediate_certificate_authorities Intermediate Certificate Authority]. If this is the case you'll get an additional CA certificate and you need to past into the box called 'SSL intermediate chain certificate'
+
=== Testing ===
  
* If you want to get back to the default SME Server certificates, simply blank all the contents and press save.
+
Here is a website you can use to test your certificates/server:
* If you set wrong certificates, the server Web may crash. You will have to do a command line in a root Terminal to get back to the default certificate :
 
  
signal-event certificate-revert
+
https://www.ssllabs.com/ssltest
  
 
=== Uninstall ===
 
=== Uninstall ===
Line 58: Line 62:
  
 
=== Bugs ===
 
=== Bugs ===
For now there is no entry on bugzilla, please direct your issue to [mailto:stephdl@de-labrusse.fr stephdl] Stéphane de Labrusse AKA [[User:stephdl|Stephdl]]<br />
+
Please raise bugs under the SME-Contribs section in {{BugzillaFileBug|product=|component=|title=bugzilla}}and select the smeserver-certificate component or use {{BugzillaFileBug|product=SME%20Contribs|component=smeserver-certificate|title=this link}}.
 +
{{#bugzilla:columns=id,product,version,status,summary |sort=id |order=desc |component=smeserver-certificate |noresultsmessage="No open bugs found."}}
 +
 
 +
 
 +
===Changelog===
 +
Only released version in smecontrib are listed here.
 +
 
 +
{{ #smechangelog: smeserver-certificate}}
 +
 
  
 
[[Category: Contrib]]
 
[[Category: Contrib]]
 +
[[Category:Administration:Certificates]]

Latest revision as of 07:36, 3 March 2022


Smeserver-certificate for SME Server 8 and 9

This contrib is made to help the managing of SSL certificates if you need to use commercial Certificates by example.

Maintainer

stephdl Stéphane de Labrusse AKA Stephdl


Version

Contrib 10:
Contrib 9:
smeserver-certificate
The latest version of smeserver-certificate is available in the SME repository, click on the version number(s) for more information.


Description

This contribution for smeserver adds a panel in the server-manager in order to save the certificate, the secret key and eventually the intermediate certificate if needed without the use of the command line interface.

see that wiki page for more informations on how to set it manually

On SME Server by default, all services that require an SSL certificate using the same self-signed and re-generate every year (valid for one year). It is often useful to replace it with another certificate. This contrib give easier the procedure, which is valid both for an official certificate (purchased from Verisign or equivalent), an independent authority as CAcert, or private authority (eg, managed by PHPki).

The first step is of course to obtain a certificate. If it signed by a private CA, you should generate it with a wildcard (ie which will be valid for all subdomains of the main domain). It should be given by a *.domain.tld as the common name.. Then we need to get this certificate and the associated private key in a PEM format.

If you want to buy a commercial ssl certificate, you may need to do a 'csr' (certificate request), this is how to do that. Here an example with Gandi


  • Generating an RSA key:
openssl genrsa -out mondomaine.com-key.pem 2048
  • Generate the CSR
openssl req -new -key mondomaine.com-key.pem -out mondomaine.com.csr

You will need to answer to many questions, think about it before you type.

Installation

  • for sme10
yum install smeserver-certificate --enablerepo=smecontribs

Certificate-management.png

Go to the manage ssl certificate panel on Server Manager and past and save your full server.crt and full server.key (included -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- and -----BEGIN RSA PRIVATE KEY-----/-----END RSA PRIVATE KEY-----).

There is also the possibility of needing a custom certificate from an Intermediate Certificate Authority. If this is the case you'll get an additional CA certificate and you need to past into the box called 'SSL intermediate chain certificate'

Remember

  • Each time you press Save, the web server is restarted so you may need to load again the page (F5 or ctrl+F5) and look about the SSL certificate displayed by your browser
  • If you want to get back to the default SME Server certificates, simply blank all the contents and press save.
  • If you set wrong certificates, the server Web may crash. You will have to do a command line in a root Terminal to get back to the default certificate :
signal-event certificate-revert

The bad certificates are not removed, but simply not used, then you can go back to the panel and see what is occurring with wrong certificates.

Testing

Here is a website you can use to test your certificates/server:

https://www.ssllabs.com/ssltest

Uninstall

yum remove smeserver-certificate; signal-event console-save

Bugs

Please raise bugs under the SME-Contribs section in bugzilla and select the smeserver-certificate component or use this link .

"No open bugs found."


Changelog

Only released version in smecontrib are listed here.

smeserver-certificate Changelog: SME 10 (smecontribs)
2024/09/04 Terry Fage 0.0.4-15.sme
- apply locale 2024-09-04.patch
2024/03/01 Brian Read 0.0.4-14.sme
- Edit SM2 Menu entry to conform to new arrangements [SME: 12493]
2022/11/11 Jean-Philippe Pialasse 0.0.4-13.sme
- apply locale 2022-11-11 patch
2022/07/22 Jean-Philippe Pialasse 0.0.4-12.sme
- translation 2022-07-22 patch
2022/05/26 Brian Read 0.0.4-11.sme
- fix routes [SME: 11926]