Certificates signed by own CA

From SME Server
Jump to: navigation, search

Introduction

This document describes how to create an own CA and make certifcates for all your servers signed by the own CA. Users can install the root certificate in the browsers or on mobile devices and then SSL access to all servers in your domain without getting certificate errors. The main purpose is the use in intranet web applications and enabling automatic push synchronization on mobile devices.

Setup

Download and unpack the scripts

cd /root
wget http://mirror.contribs.org/smeserver/contribs/michaelw/sme7/Certificates/ca_certs-0.0.1.tar.gz
tar xzf ca_certs-0.0.1.tar.gz
cd /root/ca_certs

Now open the openssl.cnf file in your editor and adjust the values of the following variables. Do not modfiy anything else.

0.organizationName_default              = My Company
organizationalUnitName_default          = IT Department
localityName_default                    = My City
stateOrProvinceName_default             = My State
countryName_default                     = DE
commonName_default                      = My Company Root CA
emailAddress_default                    = admin@mycompany.de

Generating the Root Certificate

Make the root certificate by running this script. Choose any name you like for COMPANY_NAME, e.g. your company name

./make_root_cert.sh COMPANY_NAME

You are asked to enter a pass phrase. Choose a strong one and memorize it. In the following you are asked to enter information. Just accept the defaults by hitting the enter key. The files private/COMPANY_NAME_ca_priv_key.pem and COMPANY_NAME_ca_cert.crt were created. Keep the private/COMPANY_NAME_ca_priv_key.pem safe and do never publish it! Note: The root certificate has a lifetime of 25 years set by the -days option inside the script.

Generating the Certificate Requests

Repeat the following for all your servers in your domain.

Make a certificate request for a host by running this script and pass the long hostname (FQHN) as the argument, e.g. sme7.mydomain.com

./make_cert_request.sh FQHN

You are asked to enter information. Just accept the defaults by hitting enter. The private key file FQHN.key and and the certificate request files FQHN.csr were created. Keep the private key safe!

Generating the Certificates

Repeat the following for all your servers in your domain. Replace FQHN and COMPANY_NAME by the values you have used in the steps above.

./make_cert.sh FQHN COMPANY_NAME

You are asked to enter the root key pass phrase. The new certificate FQHN.crt has been created and is ready for installation. Note: The root certificate has a lifetime of 10 years set by the -days option inside the script.

Installing the new Certificates on SME Servers

Copy the key and certificate pairs FQHN.key and FQHN.crt to the appropriate SME Servers to /home/e-smith/ssl.crt/FQHN.crt and /home/e-smith/ssl.key/FQHN.key. Then install the new certificate on every SME Server by running

config setprop modSSL crt /home/e-smith/ssl.crt/FQHN.crt
config setprop modSSL key /home/e-smith/ssl.key/FQHN.key
signal-event console-save

Installing the new Certificates on other Servers

Consult the server documentation on how to install a new certificate.

Making the Root Certificate available for Download

Copy the root certificates COMPANY_NAME_ca_cert.crt (PEM format) and COMPANY_NAME_ca_cert_der.crt (binary format) to /home/e-smith/files/ibays/Primary/html/ so that your users can download and install them in their browser or on their mobile device. Mobile devices may require the certificate in the binary DER format, browsers usually accept both formats.