Certificate Integration startssl.com Server Certificate
This document describes how to integrate a free SSL-Server Certificate from www.startssl.com. The purpose is the use of your SME-Webserver with modern webbrowsers and mail (and/or groupware) clients which normally do complain about the self signed certificates from a standard SME-Server installation. Certificates from Startcom (or Startssl) are widely accepted by most webclients.
Go to www.startssl.com, and sign up under https://www.startssl.com/?app=11&action=regform to get a free account and to install a SingleSignOn-Certificate in your browser (btw: with this certificate you are also ready to sign your emails for one or more email addresses with S/MIME) to authenticate against their configuration panel @ https://auth.startssl.com/. Validate your account as described in the signup process, and then you're ready to get your SSL Server Certificate for your SME-Server.
Assumed you gave your server a FQDN like "mysmeserver.com" and chose to call your server "www" then you will first set up your new SSL-Certificate in the Startcom panel with your FQDN and in one of the following steps add the server name. Your certificate will then be assigned for
The confirmation email from Startcom will be sent to the user "postmaster", "hostmaster" oder "webmaster"@ your server to be validated by the server admin. To receive this mail be sure to either login at webmail with your admin account or to create a pseudonym for on of these users which will be forwarded to your mainly used account.
Follow the process in the Startcom panel till the end and until you're ready to directly copy&paste the certificate into a locally created ASCII text file wich you may call ssl.key. Do the same with your ssl.crt. Also make sure, you downloaded the two CertificateChainFile(s) and save them to your desktop:
These two pem-files need to be merged into on single file which you may call bundle.pem: first, paste the content of sub.class1.server.ca.pem and below it, paste the conent of ca.pem Save the file to your desktop and upload the three files via sftp to your server in a directory (e.g. startssl) in /home/e-smith:
Your key is secured with a password which needs to be deleted before the key is integrated into the server db.
This done by a simple command inside the directory (e.g. startssl) where you stored the three files:
openssl rsa -in ssl.key -out www.mysmeserver.com.key
Type in your password, hit Enter and you're almost done.
Finally, rename the remaining files:
- ssl.crt --> www.mysmeserver.com.crt
- bundle.pem --> www.mysmeserver.com.pem
In the terminal type in (as root)
config setprop modSSL crt /home/e-smith/startssl/www.mysmeserver.com.crt config setprop modSSL key /home/e-smith/startssl/www.mysmeserver.com.key config setprop modSSL CertificateChainFile /home/e-smith/startssl/www.mysmeserver.com.pem signal-event console-save signal-event post-upgrade; signal-event reboot