Certificate Integration GoDaddy Certificate

From SME Server
Revision as of 23:34, 13 March 2016 by Mophilly (Update SME Config: correct pathname for chainfile and key file name in show modSSL)

Installing a GoDaddy SSL Certificate on SME Server

These instructions cover installing a new or renewed SSL certificate issued by GoDaddy on an SME Server, release 7.5.1.

They should also apply to SME 8 and SME 9.

These instructions have been placed here as a DRAFT document which needs editing, tidying up & correcting where & if necessary. This is a work in progress.

Generate the Certificate Request

Open a shell on your SME server as root and change to a working directory, for example /home/e-smith. The private key will be written here, so use a location that only root can read.

Generate a 2048-bit RSA private key. 1024-bit keys are no longer accepted by public CAs, GoDaddy included, because advances in computing power have made them too weak; 2048 bits is the minimum.

In the command below, replace "yourdomain" with a file name you will recognise. For example, if your domain is "abcompany.com" (the site being www.abcompany.com), you might use "abcompany-com.key" and "abcompany-com.csr" as the -keyout and -out values.

You will also be asked for the following details about your company or organization, so have them ready:

  • Common Name: The fully qualified host name you are securing (for example www.abcompany.com), not a URL. For a wildcard certificate, prefix the domain with an asterisk (*), for example "*.abcompany.com".
  • Organization: The registered name for your business. If you purchased the certificate as an individual, enter the certificate requestor's name.
  • Organization Unit: If applicable, enter the DBA (doing business as) name.
  • City or Locality: Name of the city where your organization is registered/located. Do not abbreviate.
  • State or Province: Name of the state or province where your organization is located. Do not abbreviate.
  • Country: The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.

When you are ready, run this command:

openssl req -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

This starts a text dialog that asks for the details above and then writes two files into the current directory: yourdomain.key (the private key) and yourdomain.csr (the certificate signing request). The -nodes option leaves the key unencrypted so that Apache can start without a passphrase, so protect the file instead: make it readable by root only (mode 0600), and never send the .key anywhere. GoDaddy only needs the .csr.
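A non-interactive version of the request step, added here as an example and not part of the original page: it creates the key with root-only permissions, supplies the subject fields on the command line instead of through the dialog, and checks the CSR before it goes to GoDaddy. The abcompany.com subject values are constructed placeholders, and openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Added example, not from the SME Server wiki: generate the private key and CSR
# without the interactive dialog, keep the key root-readable only, and sanity
# check the CSR before pasting it into GoDaddy's form.
# Assumptions: openssl in PATH; the subject values used below are placeholders.
set -eu

# make_csr BASENAME CN COUNTRY STATE CITY ORG [OU]
# Writes BASENAME.key (mode 0600) and BASENAME.csr in the current directory.
make_csr() {
    base=$1; cn=$2; c=$3; st=$4; l=$5; o=$6; ou=${7:-}
    subj="/C=$c/ST=$st/L=$l/O=$o"
    if [ -n "$ou" ]; then subj="$subj/OU=$ou"; fi
    subj="$subj/CN=$cn"
    # -nodes leaves the key unencrypted so Apache can start unattended, so the
    # file mode is the only protection: create it under umask 077, then chmod.
    old_umask=$(umask)
    umask 077
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
    umask "$old_umask"
    chmod 600 "$base.key"
}

# csr_subject CSR: prints the subject so you can confirm the CN / wildcard.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# csr_key_bits CSR: prints the RSA key size carried in the request.
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null \
        | openssl rsa -pubin -noout -text 2>/dev/null \
        | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p'
}

# csr_ok CSR: succeeds if the request's self-signature verifies (the file is
# intact and matches the key that made it) and the key is at least 2048 bits.
csr_ok() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
    bits=$(csr_key_bits "$1")
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Example run in a scratch directory; on the server you would do this in
# /home/e-smith with your own values.
cd "$(mktemp -d)"
make_csr abcompany-com '*.abcompany.com' US California 'Los Angeles' 'AB Company'
csr_subject abcompany-com.csr
if csr_ok abcompany-com.csr; then
    echo "CSR OK: paste abcompany-com.csr into GoDaddy; abcompany-com.key stays here"
else
    echo "CSR check failed" >&2
    exit 1
fi
```

csr_ok only proves the request is well formed and made with a strong enough key; it cannot tell you whether the subject fields match what GoDaddy has on record for your organization, so still read the csr_subject output before submitting.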

If your server (like mine) has no GUI, use scp to copy yourdomain.csr to the machine from which you will log in to the godaddy.com website; only the CSR needs to leave the server. Otherwise, use any file manager to locate the file. Either way, open yourdomain.csr in a text editor so you can copy its contents.

In your GoDaddy account, click on Certificates; your certificate(s) are presented in a list. Click on "View Status".

New Certificate

For a new certificate, a dialog box opens with an entry box; paste in the contents of the yourdomain.csr file. Be sure to select GoDaddy as your Certificate Issuing Organization before clicking on the black Re-Key button at the bottom.

A new certificate is created for your domain. Select it with the checkbox and click on Download. Your browser downloads a zip file named after your domain.

Existing Certificate

A new page opens with button images at the top. Click on "Download" and a zip file is downloaded to your system. The zip contains two files; you need both of them on your server.

Configure SME

Save the zip file to the desktop, or anywhere you can easily find it when you return to the command-line shell. It contains two files: the GoDaddy "bundle" of CA certificates, e.g. gd_bundle.crt or gd_bundle-g2-g1.crt, and a new .crt file for your domain. As of March 2014 the domain .crt is named with an alphanumeric string such as 27dd606e9133e8.crt rather than your domain name.

Extract them into a folder, say CERT (the folder name does not matter).

Copy (or move; I prefer to keep a copy elsewhere) these two files to the directory on the server where yourdomain.key and yourdomain.csr already are. In my case, run on the SME server:

cd /home/e-smith
scp user@machinewithgui:/home/user/Desktop/CERT/* .  

The trailing dot (the current directory as destination) is required by scp.

Optional: use scp, PuTTY's pscp or any SCP client to drop a copy of the two files created by the openssl command into the CERT folder on the machine with the GUI, as a backup. If you do, remember that the .key is the unencrypted private key: keep that copy somewhere only you can read.

You then have the same four files in both locations (yourdomain.crt standing for whatever name GoDaddy gave the domain certificate):

yourdomain.key, yourdomain.csr, yourdomain.crt, gd_bundle.crt.
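Before copying anything into the SME directories it is worth confirming that the four files belong together. The following is an added example, not code from the original page: it checks that the domain .crt was issued for your .key, that it chains to the bundle, that it is not about to expire, and that the key is not group- or world-readable. Because the real GoDaddy files are not available offline, the fixtures at the end are constructed with a throwaway CA that stands in for gd_bundle.crt; on the server you would call preflight with the real file names instead.

```shell
#!/bin/sh
# Added example, not from the SME Server wiki: pre-flight checks to run on the
# four files before pointing modSSL at them. The fixtures at the bottom are
# constructed with a throwaway CA so the checks can run offline; on a real
# server, point the functions at the GoDaddy files instead.
set -eu

# cert_matches_key CRT KEY: succeeds only if the certificate's RSA modulus is
# the one from the private key, i.e. GoDaddy signed the CSR made from this key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null || true)
    k=$(openssl rsa  -in "$2" -noout -modulus 2>/dev/null || true)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_chains_to CRT BUNDLE: succeeds if CRT validates against the CA
# certificates in BUNDLE (the gd_bundle*.crt shipped in the GoDaddy zip).
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# cert_valid_for CRT DAYS: succeeds if CRT is still valid DAYS days from now
# (catches installing an expired or about-to-expire renewal).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_names CRT: prints the subject and the subjectAltName entries so you can
# see that the common name / wildcard is the one you meant to secure.
cert_names() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# key_perms_ok KEY: succeeds if the key is not group- or world-readable
# (-nodes left it unencrypted, so the file mode is its only protection).
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# preflight CRT KEY BUNDLE: run every check and report; 0 only if all pass.
preflight() {
    rc=0
    cert_matches_key "$1" "$2" && echo "ok:   certificate matches key" \
        || { echo "FAIL: certificate does not match key"; rc=1; }
    cert_chains_to "$1" "$3" && echo "ok:   chain verifies against bundle" \
        || { echo "FAIL: chain does not verify against bundle"; rc=1; }
    cert_valid_for "$1" 1 && echo "ok:   certificate not expired" \
        || { echo "FAIL: certificate expired or expiring today"; rc=1; }
    key_perms_ok "$2" && echo "ok:   key readable by owner only" \
        || { echo "FAIL: key readable by group/other"; rc=1; }
    return $rc
}

# --- constructed fixtures: a throwaway CA standing in for the GoDaddy bundle ---
cd "$(mktemp -d)"
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Constructed Test CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 2 -extfile ca.ext \
    -out gd_bundle.crt 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=*.abcompany.com" \
    -keyout yourdomain.key -out yourdomain.csr 2>/dev/null
chmod 600 yourdomain.key
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.abcompany.com,DNS:abcompany.com\n' > leaf.ext
openssl x509 -req -in yourdomain.csr -CA gd_bundle.crt -CAkey ca.key -CAcreateserial \
    -sha256 -days 2 -extfile leaf.ext -out yourdomain.crt 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null   # unrelated key, to show a mismatch

cert_names yourdomain.crt
preflight yourdomain.crt yourdomain.key gd_bundle.crt
```

If cert_chains_to fails with "unable to get local issuer certificate", the bundle you downloaded has no self-signed root in it; in that case verify against the system CA store instead, passing the bundle with -untrusted so openssl can use it to build the chain.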

Update SME Config

Now we need to move our files into the correct directories.

  1. Copy the file yourdomain.crt into the folder /home/e-smith/ssl.crt/
  2. Copy the file gd_bundle.crt into the folder /home/e-smith/ssl.chainfile/ (create the folder if it does not exist; this is the path used in the modSSL settings below)
  3. Copy the file yourdomain.key into the folder /home/e-smith/ssl.key/ and make sure it is owned by root with mode 0600

As an aside, on SME 7 you may also need to copy gd_bundle.crt into /usr/share/ssl/certs/

The SME Server now needs to be told about your new certificate, the chain file, and the key that was used to generate the request. To do this, run these commands:

config setprop modSSL crt /home/e-smith/ssl.crt/yourdomain.crt
config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/gd_bundle.crt
config setprop modSSL key /home/e-smith/ssl.key/yourdomain.key

Verify that all is set correctly with the config show command. The output below is from a server where the GoDaddy files kept their downloaded names; yours will show the paths you set:

config show modSSL
modSSL=service
   CertificateChainFile=/home/e-smith/ssl.chainfile/gd_bundle-g2-g1.crt
   CommonName=*.abcompany.com
   TCPPort=443
   access=public
   crt=/home/e-smith/ssl.crt/27dd606e9133e8.crt
   key=/home/e-smith/ssl.key/yourdomain.key
   status=enabled


Delete the existing PEM file; SME rebuilds it from the crt, key and chain file on the next post-upgrade. The file in /home/e-smith/ssl.pem/ is named after your server, so list the directory first and substitute the actual name for yourdomain.pem:

rm /home/e-smith/ssl.pem/yourdomain.pem

Finally, run this command to regenerate the PEM file and the Apache configuration and restart the server:

signal-event post-upgrade; signal-event reboot