SSL Certificates on SME 6.x

Original documentation by Shelby L Moore, shelbym@v-cut.com

Revised & updated by Nick Ramsay, Witzend Computer Services

Last edit: 12 November 2007


This is a guide to setting up a self-signed certificate or a CA-signed certificate for your SME 6.x server.


FOREWORD

Shelby Moore seems to have disappeared from the 'net some time in 2003, but his guide is extremely useful for anyone running an SME server who needs to regenerate the SSL certificate for any reason. I have basically taken Shelby's document and done some light editing / reformatting. The content is basically all Shelby's work.

Nick Ramsay


1. Introduction

Have you ever tried using your secure website on SME 6.x? If you have then you know that this pops up a certificate warning dialog. Having not found a solution anywhere else I decided to buckle down and solve this myself.

This document is my attempt to explain how I resolved this issue, so you never have to see this dialog again. (Well, by default it solves it for a year: the certificate then expires and you will need to create another.)

I would also like to say that I still consider myself a Linux novice. I have only been using SME for a year now. What I have learned has been from friends, and the school of hard knocks. If you know of a better way to do anything that follows in this document please pass it on, I would love to learn from your experience.

The latest version of this document can be found at:

http://www.witzendcs.co.uk/html/SSL-Certificates-on-SME6.html

 

1.1 Thanks

First thanks to Tim Larson, talarson@kepler.covenant.dontspamme.edu. This document is based on his IMAP/POP3/SMTP over SSL Guide, which can be found at http://kepler.covenant.edu/~talarson/ssl/SSL-Email-HOWTO.html. I have borrowed his format and style; without him I probably would not have written this document. I would also like to thank E-Smith (now SME) for a wonderful product.

Second, a very big thanks to Damien Curtain. If not for his securemail HowTo and packages I would still be using SME 5.1.2. You can read and download these at: http://lordsfamnet/downloads/production/securemail/howto.html

1.2 E-Smith is now SME Server

I did this using SME 6.x service pack 1 formerly known as E-Smith. It might work with other versions - I haven't tried. [Note from NR: I have tried & this procedure will work on E-Smith 5.x and SME 6.5 also]

For those not familiar with SME Server, go to http://www.contribs.org. SME Server is a GNU/Linux distribution that is based on Red Hat. It provides a simple way to set up a secure firewall, gateway, printer/file sharing (even with Macs), VPN, and more. Simple in that it takes about half an hour to install and configure all of those services (and all you need to know to configure it is its IP address, hostname, and the like). Once set up, a web interface is used to administer the machine.

2. Procedure

2.1 Create a Private Key

You need to decide if you want your key to require a password.

NB: If you choose the password approach, the key file is stored encrypted and you will have to type the password every time your secure Web server starts. That includes every reboot: an unattended reboot leaves the Web server down until somebody is at the console to type it.


Security Note: Red Hat's documentation says that disabling the password for your secure Web server's key is a security risk, and recommends against it. What the password buys you is protection of the key file at rest (on backup media, or if somebody with read access copies the file); it does nothing for the key once httpd has loaded it into memory, and it does not help if the machine itself is compromised.

However, the SME 6.x default certificate's key has no password, so I go with the no-password route.


 

2.1.1 Private Key without Password – Recommended for compatibility

So you like living on the edge. No worries, we all do at some time. Use the following command:

  • /usr/bin/openssl genrsa 2048 > /home/e-smith/ssl.key/server.key

(The original guide used 1024 bits, which was normal in 2003 but is below today's floor; public CAs have refused to sign 1024-bit RSA keys since 2014, and 2048 bits is the sensible minimum for a self-signed key as well.) Note that the shell redirection creates server.key with your default umask, which on most systems means world-readable, and it stays that way until the chmod in section 2.3. Either run umask 077 before this command or do the chmod straight away. After you use the above command to create your key, you will not need to use a password to start your secure Web server.

2.1.2 Private Key with Password - Use with caution!

Create your own random key; type in the following command:

  • /usr/bin/openssl genrsa -des3 2048 > /home/e-smith/ssl.key/server.key

(-des3 encrypts the key file with triple DES, which was the usual choice at the time; on a current OpenSSL prefer -aes256. The umask point from 2.1.1 applies here too, since an encrypted key file is still not something to leave world-readable.) Your system will display a message similar to the following:

Generating RSA private key, 2048 bit long modulus
........+++++++
........+++++++
e is 65537 (0x10001)
Enter PEM pass phrase:

You now need to type in your password. For best security, your password should contain at least eight characters, include numbers and/or punctuation, and not be a word in a dictionary; longer is better, because anyone who obtains a copy of the key file can try passwords against it offline at leisure. Also, remember that your password is case sensitive.

You will be asked to re-type the password, to verify that it is correct. Once you have typed it in correctly, a file called server.key, containing your key, will be created.

2.2 Generate a SSL Certificate

Again, you have a choice. You can make a self-signed certificate, or generate a certificate request and send it off to a CA to be signed. The advantage of the CA-signed certificate is that most browsers will then trust it automatically. The disadvantage is that it will set you back $100 or more. If you are like me you don't have the money, so I went with self-signed, and it is working fine for me. You have to tell the browser to trust the certificate and install it, but you only have to do this once per browser (on each machine that uses the site).

2.2.1 Creating a Self-Signed SSL Certificate - The default for SME

Type the following command to create a self-signed Certificate:

  • /usr/bin/openssl req -new -key /home/e-smith/ssl.key/server.key -x509 -days 365 -out /home/e-smith/ssl.crt/server.crt

You will see the following output and you will be prompted for your password (unless you generated a key without a password):

Enter PEM pass phrase:

After you enter your password (or without a prompt if you created a key without a password), you will be asked for more information. The computer's output and a set of sample inputs look like the following; the text after each colon is what you type, and you will need to substitute the correct information for your site:

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Waco
Organization Name (eg, company) [Internet Widgits]:V-Cut Designs
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.v-cut.com
Email Address []:shelbym@v-cut.com

After you provide the correct information, a self-signed certificate will be created and placed in /home/e-smith/ssl.crt/server.crt. Two caveats for current browsers: they match the hostname against the subjectAltName extension rather than the Common Name, and a certificate made with the command above has no subjectAltName (that extension has to be requested through an OpenSSL config file, or with -addext on OpenSSL 1.1.1 and later); and they refuse SHA-1 signatures, which old OpenSSL releases use by default, so on a current OpenSSL add -sha256 to the command.

2.2.2 Creating a SSL Certificate Request to Send to a CA

Type the following command to generate a Certificate request, which you will need to send to the CA of your choice:

  • /usr/bin/openssl req -new -key /home/e-smith/ssl.key/server.key -out /home/e-smith/ssl.crt/server.csr

You will see the following output and you will be prompted for your password (unless you generated a key without a password):

Enter PEM pass phrase:

After you enter your password (or without a prompt if you created a key without a password), you will be asked for more information. The computer's output and a set of sample inputs look like the following; the text after each colon is what you type, and you will need to substitute the correct information for your site:

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Waco
Organization Name (eg, company) [Internet Widgits]:V-Cut Designs
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.v-cut.com
Email Address []:shelbym@v-cut.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Do not fill in either of the extra attributes; just press [Enter] to accept the blank default for both. (The "challenge password" is not the password on your key. It is an attribute inside the request that almost no CA uses, and it travels in plain text with the CSR.)

When you have finished entering your information, a file named server.csr will be created. This file is your certificate request, ready to send to your CA.

After you decide on a CA, follow the instructions they provide on their website. Their instructions will tell you how to send your certificate request, and any other documentation that they require, and of course your payment to them.

They will send a certificate to you (usually by email). If they also send an intermediate (chain) certificate, keep it and follow their instructions for installing it: browsers need the whole chain, not just your certificate. Save (or cut and paste) the server certificate that they send you as

/home/e-smith/ssl.crt/server.crt

2.3 Replace old Key and Certificate

Now that we have a key and certificate created we can replace the originals created by our SME server:

The key and certificate we just created are at the following paths:

  • /home/e-smith/ssl.key/server.key
  • /home/e-smith/ssl.crt/server.crt

There is of course already a key and a certificate in each of these directories, named after your server's hostname, like webhost.your_domain.com.key and webhost.your_domain.com.crt. So let's first rename these files to keep them as a backup.

  • cd /home/e-smith/ssl.key
  • mv webhost.v-cut.com.key old.key
  • cd /home/e-smith/ssl.crt
  • mv webhost.v-cut.com.crt old.crt

We then can rename our newly created key and certificate:

  • cd /home/e-smith/ssl.key
  • mv server.key webhost.v-cut.com.key
  • cd /home/e-smith/ssl.crt
  • mv server.crt webhost.v-cut.com.crt

We then need to set the owner and group (the file names must match the ones you used in the rename above; webhost.v-cut.com is the sample hostname here):

  • chown root:root /home/e-smith/ssl.key/webhost.v-cut.com.key
  • chown root:root /home/e-smith/ssl.crt/webhost.v-cut.com.crt

And finally we set the permissions. The key must be readable by root only; the certificate is public and may be world-readable:

  • chmod 400 /home/e-smith/ssl.key/webhost.v-cut.com.key
  • chmod 644 /home/e-smith/ssl.crt/webhost.v-cut.com.crt

The backup old.key is still a private key, so make sure it is mode 400 too, or delete it once the new certificate is working.

2.4 Restart Your Secure Server

You can restart your secure server with the following commands: (If you chose to have a password you will be prompted to enter it.)

  • service httpd restart
  • service httpd-admin restart
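Sections 2.1 through 2.3 as one script, added here as an example; it is not code from the original HOWTO or from SME Server. It creates the key with the right file mode from the start, requests a subjectAltName through a throwaway OpenSSL config (the plain req -x509 command above produces none, and that works on old and new OpenSSL alike), signs with SHA-256, and does the backup, rename and permission steps of 2.3 in one function. It assumes openssl on PATH, reuses the HOWTO's sample hostname and DN values, runs against a scratch directory rather than /home/e-smith (on the server itself set SSLROOT=/home/e-smith and then restart httpd and httpd-admin as in 2.4), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original HOWTO or from SME Server.
# Sections 2.1 to 2.3 as shell functions: an owner-only key, a self-signed
# certificate that carries a subjectAltName, and the backup/rename/chmod
# steps into SME's ssl.key and ssl.crt directories.
# Assumptions: openssl(1) on PATH; hostnames, paths and DN values are the
# HOWTO's sample ones; the function names are this example's own.
set -u

# make_key KEYFILE [BITS]: unencrypted RSA key. umask 077 is set before the
# file exists, so it is never world-readable, even briefly (the HOWTO's
# "genrsa ... > file" leaves it at the umask default until section 2.3).
make_key() {
    ( umask 077 && openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null )
}

# make_selfsigned KEYFILE CRTFILE FQDN [DAYS]: self-signed certificate.
# Browsers match the hostname against subjectAltName, not the CN, so the
# extension is requested via a temporary OpenSSL config (portable across
# OpenSSL versions; -addext would need 1.1.1+). Signed with SHA-256.
make_selfsigned() {
    _cfg=$(mktemp) || return 1
    cat >"$_cfg" <<EOF
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_server

[ dn ]
C = US
ST = Texas
L = Waco
O = V-Cut Designs
OU = IT
CN = $3
emailAddress = shelbym@v-cut.com

[ v3_server ]
subjectAltName = DNS:$3
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -x509 -sha256 -days "${4:-365}" -key "$1" \
        -config "$_cfg" -out "$2" 2>/dev/null
    _rc=$?
    rm -f "$_cfg"
    return $_rc
}

# install_pair SSLROOT HOST NEWKEY NEWCRT: section 2.3. Moves the pair to
# SSLROOT/ssl.key/HOST.key and SSLROOT/ssl.crt/HOST.crt, keeping any
# existing pair as old.key / old.crt. The backup key is still a secret, so
# it gets mode 400 as well. chown needs root and is skipped otherwise.
install_pair() {
    _k="$1/ssl.key/$2.key"
    _c="$1/ssl.crt/$2.crt"
    mkdir -p "$1/ssl.key" "$1/ssl.crt" || return 1
    if [ -f "$_k" ]; then
        mv "$_k" "$1/ssl.key/old.key" && chmod 400 "$1/ssl.key/old.key" || return 1
    fi
    if [ -f "$_c" ]; then mv "$_c" "$1/ssl.crt/old.crt" || return 1; fi
    mv "$3" "$_k" && mv "$4" "$_c" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$_k" "$_c" || return 1; fi
    chmod 400 "$_k" && chmod 644 "$_c"
}

# file_mode FILE: octal permission bits (GNU stat first, then BSD stat).
file_mode() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Stand-alone run in a scratch directory, so this never touches
# /home/e-smith. On the server use SSLROOT=/home/e-smith, then restart
# httpd and httpd-admin as in section 2.4.
SSLROOT=$(mktemp -d)
HOST=webhost.v-cut.com
make_key "$SSLROOT/server.key" 2048
make_selfsigned "$SSLROOT/server.key" "$SSLROOT/server.crt" "$HOST" 365
install_pair "$SSLROOT" "$HOST" "$SSLROOT/server.key" "$SSLROOT/server.crt"
openssl x509 -noout -subject -dates -in "$SSLROOT/ssl.crt/$HOST.crt"
echo "key mode: $(file_mode "$SSLROOT/ssl.key/$HOST.key")"
rm -rf "$SSLROOT"
```

The config-file route is deliberate: the DN values are the same ones the interactive prompts in 2.2.1 ask for, but writing them into a file makes the run repeatable when the certificate expires next year, and it is the only way to get a subjectAltName out of an OpenSSL older than 1.1.1.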

2.5 Test Your New Certificate

Point your Web browser to say the page for webmail. The URL to access webmail with the secure server will look like this:

https://www.v-cut.com/webmail  

If you are using a CA-Signed certificate from a well-known CA, your browser will most likely automatically accept the certificate (without prompting for input) and create the secure connection.

Your browser will not automatically recognize your self-signed certificate, because it is not signed by a CA the browser trusts. Follow the instructions provided by your browser to accept the certificate and install it. Before you click accept, compare the fingerprint shown in the browser's dialog with the fingerprint of the certificate computed on the server itself (OpenSSL's x509 -fingerprint -sha256 option prints it): the warning dialog looks exactly the same for a certificate substituted by someone on the network path, and the fingerprint is the only thing that tells the two apart. You will only have to do this once per browser. Once your browser accepts the certificate you should get the webmail home page. Close your browser and try accessing the page again; notice that this time there is no security warning or prompt.

2.6 Finished!

That is all there is to it. You should now have a fully functional and happy secure web server.

Before I go, a few little tips I have picked up researching how to do all this. You can view your key and certificate on your SME box with the following commands (the first prints the private key's components in full, so run it only on the console and never paste its output anywhere; the file names are the sample hostname's from 2.3):

  • openssl rsa -noout -text -in webhost.v-cut.com.key
  • openssl x509 -noout -text -in webhost.v-cut.com.crt
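The checks a practitioner wants at sections 2.5 and 2.6, added here as an example; it is not code from the original HOWTO or from SME Server. It tells you whether the installed key and certificate belong together (the usual reason httpd refuses to start after step 2.4), whether the certificate is self-signed, whether it is about to expire, whether it is valid for the hostname you will type into the browser, and the SHA-256 fingerprint to compare against the browser's warning dialog before accepting. It assumes openssl 1.1.1 or newer on PATH (only for -addext in the constructed sample pair; the check functions need 1.0.2), builds a throwaway key and certificate in a scratch directory instead of reading /home/e-smith, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original HOWTO or from SME Server.
# Sanity checks on an installed key/certificate pair. Assumes openssl(1)
# on PATH; hostnames are the HOWTO's samples; function names are ours.
set -u

# pair_matches KEY CRT: the certificate must carry the public half of this
# key. Compares the two SubjectPublicKeyInfo blocks byte for byte.
pair_matches() {
    [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# cert_self_signed CRT: issuer and subject are identical.
cert_self_signed() {
    [ "$(openssl x509 -noout -subject -in "$1" | sed 's/^[a-z]*=//')" = \
      "$(openssl x509 -noout -issuer  -in "$1" | sed 's/^[a-z]*=//')" ]
}

# cert_expires_within CRT DAYS: true if the certificate will have expired
# DAYS from now (the HOWTO's one-year default sneaks up on people).
cert_expires_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# cert_matches_host CRT HOST: name check the way a browser does it,
# against subjectAltName (the CN alone no longer counts).
cert_matches_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" 2>/dev/null | grep -q 'does match'
}

# cert_fingerprint CRT: SHA-256 fingerprint, colon separated. Compare it
# with the one in the browser's warning dialog before accepting; it is the
# only thing that distinguishes your certificate from an impostor's.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# Constructed sample pair in a scratch directory (not a real server key).
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj '/CN=webhost.v-cut.com' \
    -addext 'subjectAltName=DNS:webhost.v-cut.com,DNS:www.v-cut.com' \
    -keyout "$demo/webhost.v-cut.com.key" -out "$demo/webhost.v-cut.com.crt" 2>/dev/null
chmod 400 "$demo/webhost.v-cut.com.key"

k="$demo/webhost.v-cut.com.key"
c="$demo/webhost.v-cut.com.crt"
pair_matches "$k" "$c"               && echo "key and certificate match"
cert_self_signed "$c"                && echo "certificate is self-signed"
cert_expires_within "$c" 30          && echo "WARNING: expires within 30 days"
cert_matches_host "$c" www.v-cut.com && echo "valid for www.v-cut.com"
echo "SHA-256 fingerprint: $(cert_fingerprint "$c")"
rm -rf "$demo"
```

On the server, point k and c at /home/e-smith/ssl.key/webhost.v-cut.com.key and /home/e-smith/ssl.crt/webhost.v-cut.com.crt (as root, since the key is mode 400) and drop the sample generation; the expiry check is worth putting in cron so the yearly renewal is not a surprise.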

Want your certificate to last longer than a year? Simply change the -days 365 to, say, -days 730 and you will have a certificate that lasts two years. (This applies to self-signed certificates only; a CA sets the lifetime of the certificates it issues, and publicly trusted CAs now issue for at most 398 days.)

If you connect to your server over SSL to check your e-mail, you may also need to run the following action scripts so that the SSL-wrapped IMAP, POP3 and SMTP services pick up the new key and certificate:

  • /etc/e-smith/events/actions/imaps-pem-cert
  • /etc/e-smith/events/actions/pop3s-pem-cert
  • /etc/e-smith/events/actions/ssmtp-pem-cert

If you would like to customize the name and location of your key and certificate (a good idea with a CA-issued certificate, so it is kept apart from the hostname-named files SME generates itself), try this:

  • /sbin/e-smith/config setprop modSSL crt /path/to/your/cert
  • /sbin/e-smith/config setprop modSSL key /path/to/your/key
  • /sbin/e-smith/signal-event ldap-update