Creating SSL Certificates on SME 6.0 & 7.0

Version 3.1

Nick Critten, ncrittenATgmail.com


Note: If you are running SME7, please see my new howto


Adapted from a document originally produced by Shelby L Moore, shelbymATv-cut.com
The original document is no longer at its old location; if anyone knows where it is now located, please let me know.

v.1.0 4th January, 2003
v.2.0 15th October, 2004
v.2.1 3rd January, 2005
v.2.2 16th April, 2005
v.3.0 7th March, 2006
v.3.1 23rd May, 2006
v.3.1.1 28th June, 2006


This is a guide to setting up a self-signed certificate or a CA-signed certificate for your SME 6.x or SME 7.0 server.
This guide has been tested with all versions of SME from SME 6.0 up to SME 7pre3.


1.0 Introduction

As previously stated, the original document was created by Shelby L Moore. I needed to create a new SSL certificate for my 6.0b3 box and could not find any definitive instructions anywhere; eventually I used Shelby's document (which was for SME5) and help from two or three forums to put together this completed document.
Considerable portions of Shelby's original document remain. I sincerely hope that they do not mind.

1.1 Thanks

Obviously thanks go to Shelby for writing the excellent document in the first place, but also to the members of the contribs.org forums, who have helped me out on numerous occasions since I started using SME Server two or three years ago. I really must start putting more back in and helping others with problems I have overcome. Hopefully this document is a step in the right direction.

2.0 Procedure

For those who want to get set up as quickly as possible, skip to the end for the summarised instructions, but please read through the document at least once, so that you understand what is going on!

2.1 Create a Private Key

You need to decide whether you want your private key protected by a passphrase. A passphrase encrypts the key file on disk, so a copy of the file is useless to anyone who does not also know the passphrase; the price is that you have to type it in every time your secure Web server starts, so the server cannot come back up unattended after a reboot.

Whichever you choose, use an RSA key of at least 2048 bits. 1024-bit keys were the norm when this guide was first written and are no longer considered strong enough.

Security Note: Red Hat's documentation says that disabling the passphrase for your secure Web server's key is a security risk and is not recommended. The risk is simple: anyone who can read an unencrypted key file can impersonate your server, so the file permissions set in section 2.3 (root-owned, mode 400) become the only thing protecting it. However, the default SME certificate's key has no passphrase, so I go with the no-passphrase route.


2.1.1 Private Key with Password

Create your own random key by typing the following command. The key file is created with your shell's current umask, so either set a restrictive umask (077) first or make sure you do the chmod in section 2.3 promptly:

/usr/bin/openssl genrsa -des3 2048 > /home/e-smith/ssl.key/server.key

Your system will display a message similar to the following:

Generating RSA private key, 2048 bit long modulus
........+++++++
........+++++++
e is 65537 (0x10001)
Enter PEM pass phrase:

You now need to type in your passphrase. For best security it should contain at least eight characters (longer is better), include numbers and/or punctuation, and not be a word in a dictionary; it is the only thing protecting the key if someone gets hold of a copy of the file. Also, remember that your passphrase is case sensitive.

You will be asked to re-type the password, to verify that it is correct. Once you have typed it in correctly, a file called server.key, containing your key, will be created.

2.1.2 Private Key without Password

So you like living on the edge. No worries, we all do at some time. Use the following command (again with a restrictive umask or a prompt chmod, since this key will be protected by nothing but its file permissions):

/usr/bin/openssl genrsa 2048 > /home/e-smith/ssl.key/server.key

After you use the above command to create your key, you will not need to use a password to start your secure Web server.

2.2 Generate an SSL Certificate

Again you have a choice. You can make a self-signed certificate, or generate a certificate request and send it off to a CA to be signed. The advantage of a CA-signed certificate is that most browsers will then trust it automatically. The disadvantage is that the thing will set you back 100+ bucks. If you are like me you don't have the money, so I went with the self-signed, and it is working fine for me. You have to tell the browser to trust the certificate and then install it on your machine, but you only have to do this one time on each machine that will connect.

2.2.1 Creating a Self-Signed SSL Certificate

Type the following command to create a self-signed Certificate:

/usr/bin/openssl req -new -key /home/e-smith/ssl.key/server.key -x509 -days 365 -out /home/e-smith/ssl.crt/server.crt

You will see the following output and you will be prompted for your password (unless you generated a key without a password):

Enter PEM pass phrase:

After you enter your password (or without a prompt if you created a key without a password), you will be asked for more information. The computer's output and a set of example inputs look like the following; the text after each prompt is the example answer, and you will need to provide the correct information for your site:

NOTE: When asked for the common name, you must enter the FQDN that users will type to reach the server, e.g. if the server is primarily a mail server you would probably put mail.domain.com. If the name in the URL does not match the name on the certificate, the browser will warn that the certificate does not belong to the site. Two further points: use the ISO 3166 two-letter country code (GB for the United Kingdom, not UK, or a CA will reject the request), and be aware that current browsers match the hostname against the certificate's subjectAltName extension rather than the common name. These interactive prompts never ask for a subjectAltName, so a certificate made this way produces a name-mismatch error in today's browsers even when the common name is right; adding one needs an OpenSSL extensions section rather than the prompts.

Country Name (2 letter code) [US]:GB
State or Province Name (full name) [Some-State]:South Wales
Locality Name (eg, city) []:Cardiff
Organization Name (eg, company) [Internet Widgits]:Imaginary Company Ltd.
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.domain.co.uk
Email Address []:postmaster@domain.co.uk

After you provide the correct information, a self-signed certificate will be created and placed in /home/e-smith/ssl.crt/server.crt

2.2.2 Creating a SSL Certificate Request to Send to a CA

Type the following command to generate a certificate request (CSR), which you will send to the CA of your choice. Note the .csr extension: the request is not a certificate, and it must not be written to server.crt, which is where the certificate the CA returns will go:

/usr/bin/openssl req -new -key /home/e-smith/ssl.key/server.key -out /home/e-smith/ssl.crt/server.csr

You will see the following output and you will be prompted for your password (unless you generated a key without a password):

Enter PEM pass phrase:

After you enter your password (if you set one), you will be asked for more information. The computer's output and a set of example inputs look like the following; the text after each prompt is the example answer, and you will need to provide the correct information for your site (the country is the ISO 3166 two-letter code, GB for the United Kingdom, and the common name is the FQDN users will type, exactly as in section 2.2.1):

Country Name (2 letter code) [US]:GB
State or Province Name (full name) [Some-State]:South Wales
Locality Name (eg, city) []:Cardiff
Organization Name (eg, company) [Internet Widgits]:Imaginary Company Ltd.
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.domain.co.uk
Email Address []:postmaster@domain.co.uk

Please enter the following 'extra' attributes
to be sent with our certificate request
A challenge password []:
An optional company name []:

Do not use either of the extra attributes; the challenge password in particular is a legacy field that public CAs do not use. To continue without entering these fields, just press [Enter] to accept the blank default for both inputs.
When you have finished entering your information, a file named server.csr will be created in /home/e-smith/ssl.crt. This file is your certificate request, ready to send to your CA. Your private key stays on the server: the CA never needs it, and you should never send it to anyone.

After you decide on a CA, follow the instructions they provide on their website. Their instructions will tell you how to send your certificate request, and any other documentation that they require, and of course your payment to them.

They will send a certificate to you (usually by email). Save (or cut and paste) the certificate that they send you as /home/e-smith/ssl.crt/server.crt. It should be a PEM block starting with a -----BEGIN CERTIFICATE----- line, and it must be the one issued against the request made from your key; a certificate that does not match the key in /home/e-smith/ssl.key will stop the secure server from starting.

(Thanks to Jay Farschman for pointing out a Typo Here!)

2.3 Replace old Key and Certificate

Now that we have a key and certificate created we can replace the originals created by our SME server:

The key and Certificate we just created are located in the following directories:

/home/e-smith/ssl.key/server.key
/home/e-smith/ssl.crt/server.crt

There is of course already a key and a certificate in each of these directories, named after your server's FQDN, e.g. servername.domain.com.key and servername.domain.com.crt (substitute your own hostname in the commands below). So let's first back up these files and then replace them:

cd /home/e-smith/ssl.key
mv servername.domain.com.key old.key
mv server.key servername.domain.com.key

cd /home/e-smith/ssl.crt
mv servername.domain.com.crt old.crt
mv server.crt servername.domain.com.crt

We then need to set the owner and group:

chown root:root /home/e-smith/ssl.key/servername.domain.com.key
chown root:root /home/e-smith/ssl.crt/servername.domain.com.crt

And finally we set the permissions:

chmod 400 /home/e-smith/ssl.key/servername.domain.com.key
chmod 644 /home/e-smith/ssl.crt/servername.domain.com.crt

2.4 Restart Your Secure Server

You can restart your secure server with the following commands: (If you chose to have a password you will be prompted to enter it.)

/etc/rc7.d/S86httpd-e-smith restart
/etc/rc7.d/S86httpd-admin restart

2.5 Test Your New Certificate

Point your Web browser at, say, the webmail page. The URL to access webmail through the secure server will look like this:

https://mail.domain.com/webmail

If you are using a CA-Signed certificate from a well-known CA, your browser will most likely automatically accept the certificate (without prompting for input) and create the secure connection.

Your browser will not automatically recognise your self-signed certificate, because it is not signed by a CA the browser trusts, so it will warn you. Before accepting, compare the fingerprint the browser shows with the fingerprint of the certificate on the server (openssl can print it from the .crt file); that comparison is the only thing that tells your certificate apart from one substituted by someone sitting between you and the server. Then follow the instructions provided by your browser to accept the certificate and install it. You will only have to do this one time per browser. Once your browser accepts the certificate you should get the webmail home page. Close your browser and try accessing the page again, and notice that this time there is no security warning or prompt.

2.6 Update the Secure email Certificates (SME6 ONLY) (Optional)

Thanks to Jesper Knudsen over at http://sme.swerts-knudsen.com for providing me with this; I hunted high and low to find a fix for it.

If you use the Secure Email contrib from pagefault.org, and you have updated the certificates AFTER installing it, then IMAP, POP and SMTP over SSL will still be using the old certificate.

Running the following commands will update the certificates

/etc/e-smith/events/actions/imaps-pem-cert
/etc/e-smith/events/actions/pop3s-pem-cert
/etc/e-smith/events/actions/ssmtp-pem-cert

2.7 Finished!

That is all there is to it. You should now have a fully functional and happy secure web server.

Before I go, a few little tips I have picked up while researching all of this. You can view your key and certificate on your SME box with the following commands (run them from the directories the files live in, or give the full paths):

openssl rsa -noout -text -in servername.domain.com.key
openssl x509 -noout -text -in servername.domain.com.crt

The second command prints the subject, the issuer and the Not Before/Not After validity dates, which is the quickest way to confirm that the file on disk really is the certificate you think it is.

Want your certificate to last longer than a year?
Simply change -days 365 to, say, -days 730 and you will have a certificate that lasts two years. Bear in mind that the longer a certificate lives, the longer a stolen key stays useful, and that publicly trusted CAs will no longer issue certificates valid for much more than a year; for a self-signed certificate the choice is yours.
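The whole procedure above, from key to installed pair, with the checks this guide only hints at, as an added shell example; it is not part of the original howto and not anything SME Server ships. It assumes the openssl command-line tool (1.0.2 or newer) is on PATH; the hostnames and organisation are the guide's placeholders and the function names are mine. It goes beyond the text in two ways: the certificate and the request carry a subjectAltName, which current browsers require, and the install step refuses a key/certificate pair that does not belong together, a common cause of httpd failing to start after a certificate change.

```shell
#!/bin/sh
# Added example for this howto; not part of the original document or of SME Server.
# Assumes the openssl command-line tool (1.0.2 or newer) is on PATH. The hostnames and
# organisation are the guide's placeholders. Nothing under /home/e-smith is touched
# unless you pass those paths to install_pair yourself.
set -eu

SUBJECT_PREFIX="/C=GB/ST=South Wales/L=Cardiff/O=Imaginary Company Ltd./OU=IT"

# Write a minimal req(1) config whose v3_server section carries a subjectAltName for the
# CN plus every extra name. Browsers match the URL's hostname against the SAN, not the CN.
#   write_req_config CFGFILE CN [EXTRA_DNS_NAME...]
write_req_config() {
    cfg=$1; cn=$2; shift 2
    san="DNS:$cn"
    for name in "$@"; do san="$san,DNS:$name"; done
    cat >"$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
commonName = $cn
[ v3_server ]
subjectAltName = $san
EOF
}

# Self-signed certificate (section 2.2.1): 2048-bit RSA key with no passphrase, so the
# key is created under umask 077 and is never world-readable, not even briefly.
#   make_selfsigned KEYFILE CRTFILE DAYS CN [EXTRA_DNS_NAME...]
make_selfsigned() {
    key=$1; crt=$2; days=$3; cn=$4; shift 4
    cfg=$(mktemp); write_req_config "$cfg" "$cn" "$@"
    (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    openssl req -new -x509 -days "$days" -key "$key" -subj "$SUBJECT_PREFIX/CN=$cn" \
        -config "$cfg" -extensions v3_server -out "$crt"
    rm -f "$cfg"
}

# Certificate signing request (section 2.2.2). It is written to a .csr file: the request
# is not the certificate and must not sit where the CA's answer will later be saved.
#   make_csr KEYFILE CSRFILE CN [EXTRA_DNS_NAME...]   (reuses KEYFILE if it exists)
make_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    cfg=$(mktemp); write_req_config "$cfg" "$cn" "$@"
    [ -f "$key" ] || (umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null)
    openssl req -new -key "$key" -subj "$SUBJECT_PREFIX/CN=$cn" \
        -config "$cfg" -reqexts v3_server -out "$csr"
    rm -f "$cfg"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1   # the request's own signature checks out
}

# Do this key and this certificate belong together? Comparing the public keys works for
# any key type and catches the mismatch that otherwise surfaces as httpd refusing to start.
key_matches_cert() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ "$pub" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Does the certificate cover HOST? A self-signed certificate can serve as its own trust
# anchor, which isolates the name check; with a SAN present, openssl ignores the CN.
cert_valid_for_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Fingerprint to give users who must accept a self-signed certificate (section 2.5), so
# they compare it with what the browser shows instead of clicking through blindly.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Section 2.3 in one step: refuse a mismatched pair, back up the originals, move the new
# files into place, lock the key down. Run as root, so the files are already root-owned.
#   install_pair NEWKEY NEWCRT /home/e-smith/ssl.key/HOST.key /home/e-smith/ssl.crt/HOST.crt
install_pair() {
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing to install: $1 does not match $2" >&2
        return 1
    fi
    if [ -f "$3" ]; then cp -p "$3" "$3.old"; fi
    if [ -f "$4" ]; then cp -p "$4" "$4.old"; fi
    mv "$1" "$3"; mv "$2" "$4"
    chmod 400 "$3"; chmod 644 "$4"
}

# Stand-alone demonstration in a scratch directory.
demo() {
    d=$(mktemp -d)
    make_selfsigned "$d/server.key" "$d/server.crt" 365 www.domain.co.uk mail.domain.co.uk
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key and certificate match"
    cert_valid_for_host "$d/server.crt" mail.domain.co.uk && echo "covers mail.domain.co.uk"
    cert_valid_for_host "$d/server.crt" imap.domain.co.uk || echo "does NOT cover imap.domain.co.uk"
    echo "SHA-256 fingerprint: $(cert_fingerprint "$d/server.crt")"
    make_csr "$d/server.key" "$d/server.csr" www.domain.co.uk mail.domain.co.uk && echo "CSR verifies"
    rm -rf "$d"
}
demo
```

Run it as is to exercise everything in a scratch directory. To use it for real, call make_selfsigned (or make_csr and wait for the CA's answer), then install_pair with the /home/e-smith paths, and restart the servers as in section 2.4. cert_valid_for_host uses openssl verify with the certificate as its own trust anchor, which is right for a self-signed certificate; for a CA-signed one, point -CAfile at the CA's certificate instead. Name matching follows openssl's rules, so once a SAN is present the CN is ignored, which is exactly what browsers do.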



3.0 The Rush Job

So you just want to set up the certificate as quickly as possible, eh?
These instructions will quickly set up a self-signed certificate with no passphrase, as described above. Substitute your server's FQDN for servername.domain.com.

  1. Generate a key
     /usr/bin/openssl genrsa 2048 > /home/e-smith/ssl.key/server.key

  2. Create the certificate (all one line)
     /usr/bin/openssl req -new -key /home/e-smith/ssl.key/server.key -x509 -days 365 -out /home/e-smith/ssl.crt/server.crt

  3. Back up and replace the old key and certificate, and set owner and permissions
     cd /home/e-smith/ssl.key
     mv servername.domain.com.key old.key
     mv server.key servername.domain.com.key
     chown root:root servername.domain.com.key
     chmod 400 servername.domain.com.key

     cd /home/e-smith/ssl.crt
     mv servername.domain.com.crt old.crt
     mv server.crt servername.domain.com.crt
     chown root:root servername.domain.com.crt
     chmod 644 servername.domain.com.crt

  4. Update the secure email certificates, if you use them (SME6 only)
     /etc/e-smith/events/actions/imaps-pem-cert
     /etc/e-smith/events/actions/pop3s-pem-cert
     /etc/e-smith/events/actions/ssmtp-pem-cert

  5. Restart the servers
     /etc/rc7.d/S86httpd-e-smith restart
     /etc/rc7.d/S86httpd-admin restart

  6. Secure email (SME7 only)
     If your secure email certificates have not updated automatically, issue
     signal-event post-upgrade
     signal-event reboot
     and your certificates will be updated.


End

I hope this howto has been of use to you.
If you notice any bugs, Typos or other mistakes in this document then please let me know!

NickC