Certificate Integration Thawte Certificate

From SME Server
Revision as of 23:53, 4 February 2014 by Stephdl (talk | contribs)

A quick cut & paste until I get time to format the layout correctly, taken from

http://forums.contribs.org/index.php/topic,47175.0.html

INSTALLING A THAWTE CERTIFICATE IN SME SERVER

(tested on V7.51 but should be applicable to sme8 & sme9)

I suggest a file manager like Winscp (http://winscp.net/eng/index.php) to make file functions easier. I also suggest putty for your terminal client.

  • Preparation
  • Start Winscp and create a session with your SME.
  • Use root and your password to log in with Winscp
  • You will see that you are now in the root directory
  • Create a new directory called cacert
  • Start a terminal session with putty and log in as root
  • Change to the cacert directory we created above
  • First you have to know the Fully Qualified Domain Name (FQDN) of the website for which you want to request a certificate. When you want to access your website through https://www.yourdomain-example.com then the FQDN of your website is www.yourdomain-example.com; therefore, your common name will be www.yourdomain-example.com.

  • Generate the Key with the following command:
openssl genrsa -des3 -out www.yourdomain-example.com.key 2048 

This command will generate a 2048-bit RSA private key and store it in the file www.yourdomain-example.com.key in the current directory, which is cacert.

  • It will ask you for a pass phrase: use something secure and remember it. Your certificate will be useless without the key. If you don't want to protect your key with a pass phrase (only if you absolutely trust that server machine, and you make sure the permissions are carefully set so only you can read that key) you can leave out the -des3 option above.
  • Generate the CSR with the following command:
openssl req -new -key www.yourdomain-example.com.key -out www.yourdomain-example.com.csr

This command will prompt you for the X.509 attributes of your certificate. Remember to give the name www.yourdomain-example.com when prompted for 'Common Name (eg, www.yourdomain-example.com)'. Do not enter your personal name here. We are requesting a certificate for a webserver, so the Common Name has to match the FQDN of your website (a requirement of the browsers).

  • You will now have an RSA private key in www.yourdomain-example.com.key and a Certificate Signing Request in www.yourdomain-example.com.csr, both in the current directory, which is cacert.
  • Go back to your winscp session and refresh. You will now see the new files we have created.
  • Choose to edit the www.yourdomain-example.com.csr and do a copy of the contents to your clipboard.
  • Go to the Thawte Website and choose the type of certificate you need (a simple ssl123 is good enough for most uses)
  • Follow their instructions and, when you get to the prompt for your CSR information, paste the CSR contents you copied to the clipboard in the step above.
  • Continue on until finished and Thawte will e-mail your certificate file.
  • While you are on their site you will need to download a CA bundle file pack from this location:
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=AR1372
  • Look for the heading "Apache, Plesk & Cpanel", right click choice #1 and save it (remember where you saved it).
  • Change the name of the above file to www.yourdomain-example.com.pem
  • Use Winscp and copy the above file to the cacert directory. Refresh the view and you should now have three files:
      • www.yourdomain-example.com.pem
      • www.yourdomain-example.com.csr
      • www.yourdomain-example.com.key
  • After receiving your certificate file from Thawte, use Winscp to go to the cacert directory and create a new file called www.yourdomain-example.com.crt
  • Edit the file and paste the contents from the crt file you received from Thawte and save it. This should now make 4 files in the cacert directory.
  • Copy the file www.yourdomain-example.com.key to the /home/e-smith/ssl.key directory on the SME server.
  • Copy the file www.yourdomain-example.com.pem to the /home/e-smith/ssl.pem directory on the SME server.
  • Copy the file www.yourdomain-example.com.crt to the /home/e-smith/ssl.crt directory on the SME server.
  • Enter these commands, one at a time, from the command line using putty:
config setprop modSSL crt /home/e-smith/ssl.crt/www.yourdomain-example.com.crt
config setprop modSSL key /home/e-smith/ssl.key/www.yourdomain-example.com.key
config setprop modSSL CertificateChainFile /home/e-smith/ssl.pem/www.yourdomain-example.com.pem
signal-event post-upgrade
signal-event reboot
  • This step may not be necessary but it worked for me. After rebooting log in and choose the reconfigure option and let it reboot one more time.
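A pre-flight check script, added here as an example and not part of the original post or of SME Server: run it in the cacert directory before the config setprop steps to confirm that the key, the CSR and the certificate Thawte sent all belong together, that the downloaded CA bundle actually validates the certificate, and that the key is readable by its owner only. It assumes the file names used in this guide; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the files produced by
# this guide before they are wired into modSSL. Assumes BASE.key, BASE.csr,
# BASE.crt and BASE.pem in the current directory (cacert).
# Usage: sh check-cert.sh www.yourdomain-example.com
# An encrypted (-des3) key makes openssl prompt for its pass phrase here.

# Does the certificate's public key belong to this private key? A wrong or
# stale .crt pasted from the Thawte e-mail fails this check (and Apache
# would refuse to start with it).
cert_key_match() {
    kmod=$(openssl rsa  -noout -modulus -in "$1" 2>/dev/null)
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Was the CSR generated from this key? Useful if several CSRs were made.
csr_key_match() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    rmod=$(openssl req -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$rmod" ]
}

# Does the downloaded CA bundle (.pem), together with the system trust
# store, chain up to the certificate? A missing intermediate shows up later
# as a browser warning, so catch it here.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Private key readable by its owner only (mode 600 or 400): the guide's
# advice on permissions, made checkable. Uses GNU/BusyBox stat (CentOS).
key_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null) || return 1
    [ "${mode#?}" = "00" ]
}

# Run all checks for one base name; returns non-zero if any check fails.
run_checks() {
    base="$1"; rc=0
    for t in "cert_key_match $base.key $base.crt" \
             "csr_key_match $base.key $base.csr" \
             "chain_ok $base.pem $base.crt" \
             "key_is_private $base.key"; do
        if $t; then echo "OK   $t"; else echo "FAIL $t"; rc=1; fi
    done
    return $rc
}

if [ $# -gt 0 ]; then run_checks "$1"; fi
```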