Certificate Integration startssl.com Server Certificate

From SME Server

Introduction

This document describes how to integrate a free SSL server certificate from www.startssl.com. The purpose is to use your SME web server with modern web browsers and mail (and/or groupware) clients, which normally complain about the self-signed certificates of a standard SME Server installation. Certificates from Startcom (or Startssl) are widely accepted by most web clients.

Preparation

Go to www.startssl.com and sign up at https://www.startssl.com/?app=11&action=regform to get a free account and to install a SingleSignOn certificate in your browser, which authenticates you against their configuration panel at https://auth.startssl.com/ (btw: with this certificate you are also ready to sign your emails for one or more email addresses with S/MIME). Validate your account as described in the signup process, and then you're ready to get your SSL server certificate for your SME Server.

Note:
You won't be able to access the login page of the configuration panel until you sign up AND install the first certificate in your browser!

Creation

Assuming you gave your server an FQDN like "mysmeserver.com" and chose to call your server "www", you first set up your new SSL certificate in the Startcom panel with your FQDN and, in one of the following steps, add the server name. Your certificate will then be issued for

  • mysmeserver.com
  • www.mysmeserver.com

The confirmation email from Startcom will be sent to the user "postmaster", "hostmaster" or "webmaster" @ your server, to be validated by the server admin. To receive this mail, be sure either to log in to webmail with your admin account or to create a pseudonym for one of these users that forwards to your main account.

Modification

Follow the process in the Startcom panel to the end, until you're ready to copy and paste the key into a locally created ASCII text file, which you may call ssl.key. Do the same with the certificate, saved as ssl.crt. Also make sure you have downloaded the two CertificateChainFile(s) and saved them to your desktop.

These two PEM files need to be merged into one single file, which you may call bundle.pem: first paste the content of sub.class1.server.ca.pem and, below it, paste the content of ca.pem. Save the file to your desktop and upload the three files via sftp to a directory (e.g. startssl) in /home/e-smith on your server:

  • ssl.key
  • ssl.crt
  • bundle.pem


Note:
Before you start with the integration of the new SSL certificate, we need to make a little "modification" to the file ssl.key and rename the files.

Your key is secured with a password, which needs to be removed before the key is integrated into the server db.

This is done by a simple command inside the directory (e.g. startssl) where you stored the three files:

openssl rsa -in ssl.key -out www.mysmeserver.com.key

Type in your password, hit Enter and you're almost done.

Finally, rename the remaining files:

  • ssl.crt --> www.mysmeserver.com.crt
  • bundle.pem --> www.mysmeserver.com.pem
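
Before the files are registered with the server, it helps to confirm that the passphrase-free key belongs to the certificate, that the merged bundle chains up from it, and that the key is not readable by other users. The following is an added example, not part of the original wiki page; the function name check_cert_set and its return codes are this example's own convention.

```shell
#!/bin/sh
# Added example, not from the SME Server wiki: sanity checks for the three
# files before they are registered with "config setprop modSSL ...".
# Return codes (this example's own convention):
#   0 ok
#   1 key unreadable or still passphrase-protected
#   2 key and certificate do not belong together
#   3 certificate does not verify against the bundle
#   4 key file is readable or writable by group/others

check_cert_set() {
    key=$1; crt=$2; chain=$3

    # An empty -passin stops openssl from prompting; an encrypted key fails here.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1

    # The certificate must carry the public half of exactly this private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ] || return 2

    # The bundle (intermediate first, then root) must chain up from the server
    # certificate. Match on the printed OK line so the result does not depend
    # on the exit status alone.
    openssl verify -CAfile "$chain" "$crt" 2>/dev/null | grep -q ': OK$' || return 3

    # Without a passphrase, file permissions are the key's only protection.
    perms=$(ls -ld "$key" | cut -c5-10)
    [ "$perms" = "------" ] || return 4

    return 0
}

# Usage with the file names from this page (run inside the startssl directory):
#   chmod 600 www.mysmeserver.com.key
#   check_cert_set www.mysmeserver.com.key www.mysmeserver.com.crt www.mysmeserver.com.pem
```
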

Integration

In the terminal, type (as root):

config setprop modSSL crt /home/e-smith/startssl/www.mysmeserver.com.crt
config setprop modSSL key /home/e-smith/startssl/www.mysmeserver.com.key
config setprop modSSL CertificateChainFile /home/e-smith/startssl/www.mysmeserver.com.pem
signal-event console-save
signal-event post-upgrade; signal-event reboot

Enjoy!