Changes

From SME Server
608 bytes removed ,  14:42, 17 January 2023
Line 3: Line 3:  
SME 10 also offers SNI support for your apache web server. SNI is a technology allowing recent browser to wait for a specific answer allowing the server to know what domain they want to access before starting the encrypted transaction, this allow httpd to choose the appropirate certificate if multiple are available.
 
SME 10 also offers SNI support for your apache web server. SNI is a technology allowing recent browser to wait for a specific answer allowing the server to know what domain they want to access before starting the encrypted transaction, this allow httpd to choose the appropirate certificate if multiple are available.
   −
SME Server is designed in a way that the same certificate is shared between all the exposed services offering SSL/TLS communication to a user : httpd, pop, imap, ftp, radiusd, ldap, smtp. The practical approach is if all your hosted domain are included in the SSL ceertificate for httpd... then you can also connect to the imap and smtp using the same domains without any alert from the client software.{{usefulnote}}
+
SME Server is designed in a way that the same certificate is shared between all the exposed services offering SSL/TLS communication to a user : httpd, pop, imap, ftp, radiusd, ldap, smtp. The practical approach is if all your hosted domain are included in the SSL certificate for httpd... then you can also connect to the imap and smtp using the same domains without any alert from the client software.{{usefulnote}}
 
===Self signed certificates===
 
===Self signed certificates===
 
The certificate created by sme by default is a self signed certificate. That means it is issued by SME Server and as such has not been tested or authenticated by any external certificate issuing Authority eg VeriSign & others etc.
 
The certificate created by sme by default is a self signed certificate. That means it is issued by SME Server and as such has not been tested or authenticated by any external certificate issuing Authority eg VeriSign & others etc.
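Review bot: the "ceertificate" fix in the paragraph starting "SME Server is designed" is correct, but the unchanged SNI paragraph two lines above it still carries "appropirate" and "recent browser"; while touching this block, correct those to "appropriate" and "recent browsers", and reword "allowing recent browser to wait for a specific answer" to say that the browser sends the requested host name at the start of the TLS handshake, which is what lets httpd pick the matching certificate when several are installed.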
Line 17: Line 17:     
  config setprop modSSL CommonName www.domain.com
 
  config setprop modSSL CommonName www.domain.com
expand-template /home/e-smith/ssl.key/key
+
  signal-event ssl-update
expand-template /home/e-smith/ssl.crt/crt
  −
  signal-event domain-modify
  −
signal-event email-update
      
{{Note box | The public certificate (crt) is derived from the private key, so the key has to be generated first before you can generate the certificate otherwise generating of the certificate will fail with cryptic messages}}
 
{{Note box | The public certificate (crt) is derived from the private key, so the key has to be generated first before you can generate the certificate otherwise generating of the certificate will fail with cryptic messages}}
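Review bot: the Note box at the end of this hunk still explains why the key must be generated before the crt, but the two expand-template lines it refers to are exactly what this hunk removes in favour of `signal-event ssl-update`; either drop the note or reword it to say that ssl-update regenerates the key and the certificate in the right order. It would also help to state that ssl-update replaces all of the removed commands (the two expand-template calls, domain-modify and email-update), since readers of the old revision may still run them after it.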
Line 125: Line 122:     
===Commercial certificates===
 
===Commercial certificates===
 +
 +
==== Commercial certificate used in place of self signed for whole server  ====
 +
Fast and easy solution is to use the contrib to upload your certificate  obtained from a third party : [[Certificate ssl management]] . The following informations are more to help you understanding the process behind.
 +
 
If you use a commercially available certificate & pay money for it, the organisation who issues the certificate pays big money to Microsoft & Mozilla etc to have their root certificate installed in the browser by default. That's why if you use a good quality commercial certificate on your server, then when a visitor to your site accesses https://.... , they will not be asked anything about the certificate mismatching or not being installed etc, as the browser already knows that certificates from say VeriSign are legitimate and happily accepts the connection without question, as it is already trusted. Same for other major brands of commercial certificates.
 
If you use a commercially available certificate & pay money for it, the organisation who issues the certificate pays big money to Microsoft & Mozilla etc to have their root certificate installed in the browser by default. That's why if you use a good quality commercial certificate on your server, then when a visitor to your site accesses https://.... , they will not be asked anything about the certificate mismatching or not being installed etc, as the browser already knows that certificates from say VeriSign are legitimate and happily accepts the connection without question, as it is already trusted. Same for other major brands of commercial certificates.
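Review bot: the new pointer paragraph under "Commercial certificate used in place of self signed for whole server" has grammar problems: "The following informations are more to help you understanding the process behind." should read "The following information is provided to help you understand the process behind it." The two added blank "+" lines before the heading are also surplus.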
   Line 135: Line 136:  
  /home/e-smith/ssl.crt/
 
  /home/e-smith/ssl.crt/
 
  /home/e-smith/ssl.key/
 
  /home/e-smith/ssl.key/
+
 
In the process of copying it is OK to overwrite the existing files if they are the same name.
+
Also if your CA provided you witth a chain certificate you should create a place to put the chained certificate:
It's also a good idea to delete any existing files in those folders, to keep your system clean.
+
  mkdir /home/e-smith/ssl.chainfile
 +
  chmod 700 /home/e-smith/ssl.chainfile
 +
In the process of copying it is NOT OK to overwrite the existing files if they are the self signed generated certificate, as SME will generated them on a regular basis as a failsafe in case something goes wrong with your other certificates.
 +
It is a good idea to delete any existing files in those folders, to keep your system clean, except for the one in use and the self generated ones.
 +
 
 +
{{Warning box|SME Server 10 and above will maintain a self signed certificate on all time using the hostname and primary domain to generate the name of the files. If you happen to use the same filename for your commercial certificates they will be overwritten on next running event or cron task.}}
    
Then issue the following db commands so that sme server knows about these these "commercial certificate" files, rather than using the default "self signed" certificate files.
 
Then issue the following db commands so that sme server knows about these these "commercial certificate" files, rather than using the default "self signed" certificate files.
  config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
+
  config setprop modSSL crt /home/e-smith/ssl.crt/imported_{domain}.crt
  config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
+
  config setprop modSSL key /home/e-smith/ssl.key/imported_{domain}.key
 +
if needed configure the chain certificate:
 +
  config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/imported_{domain}.crt
    
Note to replace {domain}.crt and {domain}.key with the actual names of your files eg
 
Note to replace {domain}.crt and {domain}.key with the actual names of your files eg
 
yourdomain.com.crt and yourdomain.com.key
 
yourdomain.com.crt and yourdomain.com.key
   −
Follow the above commands with either:
+
Follow the above commands :
  signal-event console-save
+
  signal-event ssl-update
signal-event reboot
  −
or
  −
signal-event post-upgrade
  −
signal-event reboot
  −
 
   
When initially creating and ordering the certificate and supplying the domain name(s) to your chosen commercial supplier, you must include all domains that your server is hosting. sme server only supports one ssl certificate, so therefore to avoid errors for https access using any hosted domain name, the certificate must be created correctly. sme does not cater for multiple certificates for  different domains, as it is not technically possible.
 
When initially creating and ordering the certificate and supplying the domain name(s) to your chosen commercial supplier, you must include all domains that your server is hosting. sme server only supports one ssl certificate, so therefore to avoid errors for https access using any hosted domain name, the certificate must be created correctly. sme does not cater for multiple certificates for  different domains, as it is not technically possible.
   −
=== Commercial certificate for a single VirtualHost using Apache SNI ===
+
==== Commercial certificate for a single VirtualHost using Apache SNI ====
 
This is new in SME 10. You can keep the generik certificate for all your VirtualHost of apache httpd, except some where you want to define a specific one, which could be a commercial one.
 
This is new in SME 10. You can keep the generik certificate for all your VirtualHost of apache httpd, except some where you want to define a specific one, which could be a commercial one.
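Review bot: the db commands now use imported_{domain}.crt and imported_{domain}.key, but the unchanged note below them ("Note to replace {domain}.crt and {domain}.key with the actual names of your files eg yourdomain.com.crt and yourdomain.com.key") was not updated, so the example names contradict the commands and, per the new Warning box, a file named after the hostname and primary domain would be overwritten; change the note to imported_yourdomain.com.crt / imported_yourdomain.com.key and say the prefix exists to keep the files clear of the self-signed ones. The chain-file paragraph creates /home/e-smith/ssl.chainfile but never shows the copy of the chain file into it before `config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/imported_{domain}.crt`, so add that step. Typos in the added lines: "witth" (with), "SME will generated them" (will generate), "on all time" (at all times), and "Follow the above commands :" should read "Follow the above commands with:".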
   Line 170: Line 173:  
db domains shop.myownbusiness.tld setprop DomainSSLCertificateChainFile  /home/e-smith/shop.myownbusiness.tld/chain.pem
 
db domains shop.myownbusiness.tld setprop DomainSSLCertificateChainFile  /home/e-smith/shop.myownbusiness.tld/chain.pem
   −
signal-event remote-access update
+
signal-event ssl-update
 
</syntaxhighlight>
 
</syntaxhighlight>
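Review bot: replacing `signal-event remote-access update` with `signal-event ssl-update` is the right fix and matches the event used in the earlier hunks; the old line has a space where the event name needs a hyphen, so it was not invoking the event the author meant. The unchanged context line above stores the chain file as /home/e-smith/shop.myownbusiness.tld/chain.pem, while the whole-server section of this same revision creates /home/e-smith/ssl.chainfile/ for chain files; either point both at one location or say explicitly that the per-VirtualHost files can live in a directory of the administrator's choosing.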
   Line 184: Line 187:  
The end result is you have the two files, .key and .crt. Do not implement the last three steps re importing the certificate to Apache, instead follow the instructions here: http://wiki.contribs.org/Certificates_Concepts#Commercial_certificates
 
The end result is you have the two files, .key and .crt. Do not implement the last three steps re importing the certificate to Apache, instead follow the instructions here: http://wiki.contribs.org/Certificates_Concepts#Commercial_certificates
   −
=====Testing the migration befoObviously external DNS records have to support that URL ie you would usually setup a wildcard in external DNS records that makes *.yourmaindomain.com resolve to your server IP.re final deployment=====
+
=====Testing the migration before final deployment=====
 
Once the SME server is restarted, you can test the certificate from a Windows workstation (without disrupting the customers site) by doing:
 
Once the SME server is restarted, you can test the certificate from a Windows workstation (without disrupting the customers site) by doing:
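Review bot: the heading fix at "Testing the migration before final deployment" correctly removes the sentence that had been pasted into the middle of the heading, but that sentence ("Obviously external DNS records have to support that URL ie you would usually setup a wildcard in external DNS records that makes *.yourmaindomain.com resolve to your server IP.") is dropped rather than restored to its paragraph; unless it survives elsewhere on the page, reinsert it after the sentence it belonged to so the wildcard-DNS requirement is not lost.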
   Line 212: Line 215:     
If trying to access to any domain pointing to the server and not included in the certificate you will end up with a warning from your browser.
 
If trying to access to any domain pointing to the server and not included in the certificate you will end up with a warning from your browser.
  −
===Custom Certificate===
  −
(Provided by jester November 2010)
  −
There is also the possibility one is getting a custom certificate from an [http://en.wikipedia.org/wiki/Intermediate_certificate_authorities Intermediate Certificate Authority], if this is the case you'll get one or more intermediate certificates, establishing a "chain of trust" from your own certificate to a trusted root CA.
  −
  −
* If more than one intermediate certificate, concatenate them into a single certificate chain file:
  −
  cat <intermediate1>.crt <intermediate2>.crt <intermediate3.crt> > <chain-file-name>.crt
  −
  −
* Create a place to put the chained certificate:
  −
  mkdir /home/e-smith/ssl.chainfile
  −
  chmod 700 /home/e-smith/ssl.chainfile
  −
  −
* Copy the certificate chain file to its location:
  −
  cp <chain-file-name>.crt /home/e-smith/ssl.chainfile/
  −
  −
* Configure the SME database:
  −
  config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/<chain-file-name>.crt
  −
  −
* Apply the changes:
  −
  signal-event post-upgrade; signal-event reboot
  −
  −
You can use the service at https://ssltools.geotrust.com/checker/views/certCheck.jsp to check your installation.
  −
  −
Hope all the above makes sense.
  −
  −
Read it again carefully and slowly if it doesn't.
  −
  −
This article is based on information given by mary in [http://forums.contribs.org/index.php/topic,42522.0.html this thread] in the contribs.org Forums.
      
=== Related Pages ===
 
=== Related Pages ===
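Review bot: removing the whole "Custom Certificate" section loses two steps that the "Line 135" hunk does not carry over: the concatenation of several intermediate certificates into one chain file (`cat <intermediate1>.crt <intermediate2>.crt <intermediate3.crt> > <chain-file-name>.crt`) and the copy of that file into /home/e-smith/ssl.chainfile/, so a user with more than one intermediate now has no instruction for building the file that `config setprop modSSL CertificateChainFile` points at; fold those two lines into the chain-file paragraph of the merged section. The attribution lines ("Provided by jester November 2010" and the link to mary's forum thread) and the certificate-checker link go with the section as well; keep at least the attribution, since the merged text is derived from it.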