Changes

From SME Server
715 bytes removed ,  14:42, 17 January 2023
Line 122: Line 122:     
===Commercial certificates===
 
===Commercial certificates===
 +
 +
==== Commercial certificate used in place of self signed for whole server  ====
 +
Fast and easy solution is to use the contrib to upload your certificate  obtained from a third party : [[Certificate ssl management]] . The following informations are more to help you understanding the process behind.
 +
 
If you use a commercially available certificate & pay money for it, the organisation who issues the certificate pays big money to Microsoft & Mozilla etc to have their root certificate installed in the browser by default. That's why if you use a good quality commercial certificate on your server, then when a visitor to your site accesses https://.... , they will not be asked anything about the certificate mismatching or not being installed etc, as the browser already knows that certificates from say VeriSign are legitimate and happily accepts the connection without question, as it is already trusted. Same for other major brands of commercial certificates.
 
If you use a commercially available certificate & pay money for it, the organisation who issues the certificate pays big money to Microsoft & Mozilla etc to have their root certificate installed in the browser by default. That's why if you use a good quality commercial certificate on your server, then when a visitor to your site accesses https://.... , they will not be asked anything about the certificate mismatching or not being installed etc, as the browser already knows that certificates from say VeriSign are legitimate and happily accepts the connection without question, as it is already trusted. Same for other major brands of commercial certificates.
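Review bot: The added sentence under the new heading needs a wording pass: "informations" and "to help you understanding" are ungrammatical, and there is a stray space before the colon and before the full stop. Suggested text: "A fast and easy solution is to use the contrib to upload your certificate obtained from a third party: [[Certificate ssl management]]. The following information is there to help you understand the process behind it." The new heading also carries a double space before the closing `====`, and "self signed" reads better as "self-signed".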
   Line 132: Line 136:  
  /home/e-smith/ssl.crt/
 
  /home/e-smith/ssl.crt/
 
  /home/e-smith/ssl.key/
 
  /home/e-smith/ssl.key/
      +
Also if your CA provided you witth a chain certificate you should create a place to put the chained certificate:
 +
  mkdir /home/e-smith/ssl.chainfile
 +
  chmod 700 /home/e-smith/ssl.chainfile
 
In the process of copying it is NOT OK to overwrite the existing files if they are the self signed generated certificate, as SME will generated them on a regular basis as a failsafe in case something goes wrong with your other certificates.
 
In the process of copying it is NOT OK to overwrite the existing files if they are the self signed generated certificate, as SME will generated them on a regular basis as a failsafe in case something goes wrong with your other certificates.
 
It is a good idea to delete any existing files in those folders, to keep your system clean, except for the one in use and the self generated ones.  
 
It is a good idea to delete any existing files in those folders, to keep your system clean, except for the one in use and the self generated ones.  
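Review bot: The added chain-file lines only create `/home/e-smith/ssl.chainfile` and never say to copy the chain file into it, whereas the section removed at line 207 had an explicit `cp <chain-file-name>.crt /home/e-smith/ssl.chainfile/` step. Add the copy step here and state the expected file name, since the `config setprop` line added at line 148 points at `imported_{domain}.crt` in that directory. Also fix the typo "witth", and consider `mkdir -p` so the command does not fail when the directory already exists.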
Line 142: Line 148:  
  config setprop modSSL crt /home/e-smith/ssl.crt/imported_{domain}.crt
 
  config setprop modSSL crt /home/e-smith/ssl.crt/imported_{domain}.crt
 
  config setprop modSSL key /home/e-smith/ssl.key/imported_{domain}.key
 
  config setprop modSSL key /home/e-smith/ssl.key/imported_{domain}.key
 +
if needed configure the chain certificate:
 +
  config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/imported_{domain}.crt
    
Note to replace {domain}.crt and {domain}.key with the actual names of your files eg
 
Note to replace {domain}.crt and {domain}.key with the actual names of your files eg
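Review bot: The added `CertificateChainFile` line reuses the file name `imported_{domain}.crt`, the same name as the server certificate set by `modSSL crt` just above, so the two files differ only by directory and are easy to mix up when copying or when setting the property. Either use a visibly different name for the chain file or extend the following "Note to replace {domain}.crt and {domain}.key" sentence so it also covers the chain file. The lead-in "if needed configure the chain certificate:" should start with a capital letter and would be clearer as "If your CA supplied a chain certificate, configure it:".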
Line 207: Line 215:     
If trying to access to any domain pointing to the server and not included in the certificate you will end up with a warning from your browser.
 
If trying to access to any domain pointing to the server and not included in the certificate you will end up with a warning from your browser.
  −
===Custom Certificate===
  −
(Provided by jester November 2010)
  −
There is also the possibility one is getting a custom certificate from an [http://en.wikipedia.org/wiki/Intermediate_certificate_authorities Intermediate Certificate Authority], if this is the case you'll get one or more intermediate certificates, establishing a "chain of trust" from your own certificate to a trusted root CA.
  −
  −
* If more than one intermediate certificate, concatenate them into a single certificate chain file:
  −
  cat <intermediate1>.crt <intermediate2>.crt <intermediate3.crt> > <chain-file-name>.crt
  −
  −
* Create a place to put the chained certificate:
  −
  mkdir /home/e-smith/ssl.chainfile
  −
  chmod 700 /home/e-smith/ssl.chainfile
  −
  −
* Copy the certificate chain file to its location:
  −
  cp <chain-file-name>.crt /home/e-smith/ssl.chainfile/
  −
  −
* Configure the SME database:
  −
  config setprop modSSL CertificateChainFile /home/e-smith/ssl.chainfile/<chain-file-name>.crt
  −
  −
* Apply the changes:
  −
  signal-event ssl-update
  −
  −
You can use the service at https://ssltools.geotrust.com/checker/views/certCheck.jsp to check your installation.
  −
  −
Hope all the above makes sense.
  −
  −
Read it again carefully and slowly if it doesn't.
  −
  −
This article is based on information given by mary in [http://forums.contribs.org/index.php/topic,42522.0.html this thread] in the contribs.org Forums.
      
=== Related Pages ===
 
=== Related Pages ===
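Review bot: Removing the whole "Custom Certificate" section drops content that the added lines at 136 and 148 do not replace: the instruction to concatenate several intermediate certificates into one chain file (`cat <intermediate1>.crt <intermediate2>.crt ... > <chain-file-name>.crt`), the `cp` into `/home/e-smith/ssl.chainfile/`, and the closing `signal-event ssl-update`. Carry the concatenation step over into the new chain-certificate paragraph, and confirm that the surviving section still ends with the `signal-event ssl-update` step after the new `CertificateChainFile` property is set. The removal also deletes the attribution lines ("Provided by jester November 2010" and the credit to mary's forum thread); keep that credit somewhere on the page if the merged text is still based on it.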