I've ordered a certificate for my domain from RapidSSL that I want to use on all my services on my server.
This is what I've done so far:
- Created a CSR by running these commands:
openssl req -new -nodes -keyout www.domainname.tld.key -out www.domainname.tld.csr -newkey rsa:2048
cat www.domainname.tld.csr
- Copied the CSR and ordered my certificate from http://www.rapidssl.com/buy-ssl/ssl-certificate/
- When I received my cert by mail, I saved it as www.domainname.tld.crt.
- Downloaded the RapidSSL Intermediate CA from https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=AR1548. Chose Bundled CA Version (PEM) and saved it as intermediate.crt
- Changed the "Administration interface TCP port" at System --> General to 444
- Enabled all certificates in Certification Authority --> Services Certificates
- Enabled "Listening SSL port" in Web Server. Also changed SSL Support for my domain www.domainname.tld to "Force SSL"
- Copied www.domainname.tld.crt, www.domainname.tld.key and intermediate.crt to /etc/apache2/ssl/ and chmodded them to 400
- Replaced all occurrences of SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile in /usr/share/zentyal/stubs/webserver/default-ssl.mas with these values:
SSLCertificateFile /etc/apache2/ssl/www.domainname.tld.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domainname.tld.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
- Replaced all occurrences of SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile in /usr/share/zentyal/stubs/webserver/vhostHttps.mas with these values:
SSLCertificateFile /etc/apache2/ssl/www.domainname.tld.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domainname.tld.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
- Commented out all occurrences of SSLCertificateFile and SSLCACertificatePath in /usr/share/zentyal/stubs/core/apache.mas and replaced each occurrence with these values:
SSLCertificateFile /etc/apache2/ssl/www.domainname.tld.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.domainname.tld.key
SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt
- Restarted all services with:
/etc/init.d/zentyal restart
Now I can safely:
I suppose all I have to do when the certificate expires is to use my original CSR and renew at RapidSSL and then replace /etc/apache2/ssl/www.domainname.tld.crt with the new cert and restart the zentyal service?!
TODO:
- Use SSL with Zarafa Outlook Plug-In does not work. (I see there are references to ssl in /usr/share/zentyal/stubs/zarafa/*.cfg.mas but what should I enter to be able to use my cert?)
- Use SSL with FTP. (I don't use FTP personally, but for this post to be a complete reference, please give advice)
- Use SSL with User Corner. (I don't use User Corner personally, but for this post to be a complete reference, please give advice)
- Use SSL with POP3 and IMAP. (I don't use POP3 or IMAP personally, but for this post to be a complete reference, please give advice)
- If you know of any usage of SSL in a Zentyal server I have forgotten to mention, feel free to comment...
If there is something in my guide you feel that I could have done in a better way, please comment. When this guide is complete I think it would be in Documentation or Wiki.
/ Bengt-Erik
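
A check that can be run on the three files in /etc/apache2/ssl/ before restarting the services, and again after a renewal, as an added example that is not part of the original post. The function names and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post); function names are assumptions.

# PEM public key of a certificate ($1 = x509) or a private key ($1 = pkey).
pubkey_of() {
    if [ "$1" = x509 ]; then
        openssl x509 -in "$2" -noout -pubkey 2>/dev/null
    else
        openssl pkey -in "$2" -pubout 2>/dev/null
    fi
}

# 0 if the certificate was issued for this private key.
cert_matches_key() {  # $1 = cert, $2 = key
    c=$(pubkey_of x509 "$1") && k=$(pubkey_of pkey "$2") &&
        [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate chains through the intermediate bundle to a trusted root.
# $3 is an optional root CA file; without it the system trust store is used.
chain_verifies() {  # $1 = cert, $2 = intermediate bundle, $3 = root (optional)
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# 0 if the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = cert, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if group and others have no permission bits on the file (e.g. mode 400).
owner_only() {  # $1 = file
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all checks; prints one line per failure and returns the failure count.
check_tls_files() {  # $1 = cert, $2 = key, $3 = chain, $4 = root (optional)
    fails=0
    cert_matches_key "$1" "$2" || { echo "FAIL: cert does not match key"; fails=$((fails + 1)); }
    chain_verifies "$1" "$3" "$4" || { echo "FAIL: chain does not verify"; fails=$((fails + 1)); }
    valid_for_days "$1" 30 || { echo "FAIL: cert expires within 30 days"; fails=$((fails + 1)); }
    owner_only "$2" || { echo "FAIL: key readable by group or others"; fails=$((fails + 1)); }
    return "$fails"
}
```

With the file names used above, the call is `check_tls_files /etc/apache2/ssl/www.domainname.tld.crt /etc/apache2/ssl/www.domainname.tld.key /etc/apache2/ssl/intermediate.crt`, run as the user that owns the files; a return value of 0 means all four checks passed.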