Changes

From SME Server
2,737 bytes removed, 17:14, 9 February 2014
Line 111: Line 111:     
You will still have renewal issues with CACert certificates for example, as they are only valid for 6 months, unless you join the special recognition program and show proof of identity to a authorised human being in your area, when they are then valid for 2 years. Ultimately at some time in the future, you will need to renew the CACert certificate, and install that new certificate onto sme server. Then when a user's web browser accesses https for the first time, it will object to the authenticity of the new certificate, thus needing to be reinstalled again, or install the CACert root certificate again. You can't win actually as users will always be chasing their own tail reinstalling certificates, albeit infrequently !
 
You will still have renewal issues with CACert certificates for example, as they are only valid for 6 months, unless you join the special recognition program and show proof of identity to a authorised human being in your area, when they are then valid for 2 years. Ultimately at some time in the future, you will need to renew the CACert certificate, and install that new certificate onto sme server. Then when a user's web browser accesses https for the first time, it will object to the authenticity of the new certificate, thus needing to be reinstalled again, or install the CACert root certificate again. You can't win actually as users will always be chasing their own tail reinstalling certificates, albeit infrequently !
  −
===Expiration time of the self signed certificate===
  −
One last point to note is that the sme self signed certificate is valid for one year, and it gets automatically renewed by sme server functionality on the anniversary of the installation date of the sme server OS.
  −
  −
So if a user installs your self signed certificate into their browser (ie the one issued by sme), then in a year or less time, they will again receive warning messages when they access your site using https, as your original security certificate has expired. The answer is for them to install the newly created certificate into their web browser again, but by that time they have forgotten what they did a year ago, and go into panic mode again and get scared of the warnings, and end up not accessing your site at all due to fear. The result, another time wasting call to your tech support line.
  −
  −
There is a mechanism (custom-templates) to specify how long your sme certificate will last for, eg you can change the validity to say 5 years (instead of 1 yr), if you feel that security model is acceptable, and that will save users from having to reinstall the sme certificate into their browsers every year eg they will be asked again to install it in 5 years (or less) depending when they first installed it.
  −
  −
See /etc/e-smith/templates/home/e-smith/ssl.crt
  −
  −
Copy that fragment from the templates tree to the templates-custom tree
  −
  −
Do
  −
mkdir -p /etc/e-smith/templates-custom/home/e-smith/
  −
cp /etc/e-smith/templates/home/e-smith/ssl.crt /etc/e-smith/templates-custom/home/e-smith/ssl.crt
  −
  −
then do
  −
nano -w /etc/e-smith/templates-custom/home/e-smith/ssl.crt
  −
  −
and change the value for KEYLIFEINDAYS
  −
on the first line to say 1826 for 5 years.
  −
  −
To to save & exit press the following keys at the same time
  −
ctrl x
  −
  −
Then you need to force sme server to immediately create a new self signed certificate (with the longer validity period) by issuing the following commands. Note to replace the filenames with the correct file/key names applicable to your server.
  −
rm /home/e-smith/ssl.crt/servername.domain.com.crt
  −
rm /home/e-smith/ssl.key/servername.domain.com.key
  −
rm /home/e-smith/ssl.pem/servername.domain.com.pem
  −
signal-event post-upgrade
  −
signal-event reboot
  −
  −
or to more thoroughly remove all old & unwanted files do the following (make a backup of files in these folders first, if you have commercial certificates). You should answer y to accept each file removal one at a time.
  −
  −
rm /home/e-smith/ssl.crt/*
  −
rm /home/e-smith/ssl.key/*
  −
rm /home/e-smith/ssl.pem/*
  −
signal-event post-upgrade
  −
signal-event reboot
  −
  −
Then add the new 5 year certificate to your browser, and no more questions from your browser until five years time when the certificate validity expires.
      
===Problem with email client===
 
===Problem with email client===
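Review bot: This hunk deletes the whole "Expiration time of the self signed certificate" subsection, including the only documented way to extend the certificate lifetime (copying /etc/e-smith/templates/home/e-smith/ssl.crt into the templates-custom tree and changing KEYLIFEINDAYS, then regenerating with signal-event post-upgrade and signal-event reboot), and nothing in this change replaces it, while the unchanged paragraph just above still talks about renewal problems and leaves the reader without the pointer. If the content was moved to another page, add a link here; if the motive was the destructive second procedure (`rm /home/e-smith/ssl.crt/*`, `rm /home/e-smith/ssl.key/*`, `rm /home/e-smith/ssl.pem/*`, which wipes any commercial certificate in those directories and relies on a "make a backup first" aside), the narrower fix is to keep the template steps and the named-file removal and drop only the wildcard variant, with a note that a longer-lived self-signed certificate trades renewal convenience for a longer exposure window if the key is ever compromised.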