Certificate
Custom Certificate for SME 7.1.3 and above versions
How to change your certificate
Since SME version 7.1.3, the functionality to configure a Common Name in the certificate is included in the main SME packages and can be configured as follows:
config setprop modSSL CommonName www.domain.com expand-template /home/e-smith/ssl.key/key expand-template /home/e-smith/ssl.crt/crt signal-event domain-modify signal-event email-update
see this forum thread [1] and bug report [2]
How to set expiration time
The SME self signed certificate is valid for one year, and is automatically renewed on the anniversary of the installation date of the SME server OS. To specify how long your SME certificate will last for, do the following:
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
change the value for KEYLIFEINDAYS on the first line to the number of days the certificate will remain valid for eg 1826 for 5 years.
Save & exit by pressing the following keys at the same time
ctrl o ctrl x
Create a new self signed certificate, with the longer validity period. Replace the filenames below with the correct file/key names applicable to your server.
rm /home/e-smith/ssl.crt/servername.domain.com.crt rm /home/e-smith/ssl.key/servername.domain.com.key rm /home/e-smith/ssl.pem/servername.domain.com.pem signal-event post-upgrade signal-event reboot
Install the new certificate into your browser.
Also see http://wiki.contribs.org/Certificates_Concepts
Custom Certificate for SME 7.0 to less than 7.1.3
Maintainer
Dietmar Berteld
mailto:dietmar@berteld.com
This RPM is based on Nick Critten's great howto. Thanks a lot Nick for your brillant work!
Description
With this RPM-package you can simply set up a new SSL certificate on your SME7 server with a custom Common Name. When installing SME Server, you get a default certificate with the information http://www.xyzcorp.xxx/ and XYZ Corporation. With this package, the certificate information will be updated with the following information:
- FQDN (Full Qualified Domain Name), which is SystemName.DomainName', e.g. home.myserver.com
- City, which depends on your given info in server manager's directory section
- Company, which depends on your given info in server manager's directory section
- Department, which depends on your given info in server manager's directory section
- E-Mail, which is admin@FQDN
The default length of time for this certificate is 365 days.
Download
You can download this package at smeserver-certificate . If you would like to save it directly on your SME Server, you should give this command at a linux-prompt
wget http://mirror.contribs.org/smeserver/contribs/dberteld/certificate/smeserver-certificate-1.0-1.noarch.rpm
Installation and Uninstall
For installation just enter the following command
yum localinstall smeserver-certificate-1.0-1.noarch.rpm
For uninstall just enter the following command
yum remove smeserver-certificate
You can ignore the yum-comments signal event post-upgrade and signal-event reboot.
Use
The package installs a custom template in
/etc/e-smith/templates-custom/home/e-smith/ssl.crt
With the Custom Template installed the cert will be rebuilt if:
- $defaultCity
- $defaultCompany
- $defaultDepartment
- $domainName
are changed.
So normally you don't have to do anything in addition.
Tips
To change the length of time before a certificate expires, change Line 2 of the ssl.crt script
use constant KEYLIFEINDAYS => 365;
Change 365 to the number of days to expire by (2Years = 730, 3Years = 1095, etc.)
use constant KEYLIFEINDAYS => 730;
You can change your desired Common Name (FQDN) in line 12. For doing this, change the default info
my $CommonName = $FQDN;
to your desired name
my $CommonName = "special.myserver.com";
After changing your infos, you have to update your certificate manually with
signal-event domain-modify signal-event email-update
Additional information
For additional information see this thread.