Author Topic: How to replace Zentyal CA certificates and key with an already existing CA  (Read 2731 times)

sysbes

The context: we're using a CA which is deployed on all our client machines, and a lot of hosts and web servers.

It seems that the Zentyal CA module only allows issuing a new CA using the GUI, but not importing an existing CA. We'd like to use Zentyal to issue new certificates and use them in Zentyal services (admin, web server, VPN).

Is there a way to replace the CA generated through Zentyal's GUI with one created with the OpenSSL CLI?

pi

Zentyal 5.0?

For Admin:

Code:
sudo nano /usr/share/zentyal/stubs/core/nginx.conf.mas

Search for:

Code:
server {
       listen <% $port %>;

       ssl on;
       ssl_certificate <% $zentyalconfdir %>ssl/ssl.pem;
       ssl_certificate_key <% $zentyalconfdir %>ssl/ssl.pem;
% if ($caFile) {
       ssl_client_certificate <% $caFile %>;
       ssl_verify_client optional;
       ssl_verify_depth 1;
% }

and replace it with:

Code:
server {
       listen <% $port %>;

       ssl on;
       ssl_certificate <directory of cert-files>/cert.pem;
       ssl_certificate_key <directory of cert-files>/key.pem;
       ssl_client_certificate <directory of cert-files>/ca.pem;
       ssl_verify_client optional;
       ssl_verify_depth 1;

For Apache Webserver:

Code:
sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf

Add/Replace lines:

Code:
SSLCertificateFile <directory of cert-file>/cert.pem
SSLCertificateKeyFile <directory of key-file>/privkey.pem
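
Before reloading nginx or Apache with the replaced paths from the reply above, it helps to confirm that cert.pem, key.pem and ca.pem actually belong together. The following is an added example, not part of the original posts or of Zentyal; `check_cert_bundle` and `make_demo_pki` are hypothetical helper names, and the demo PKI is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example. check_cert_bundle and make_demo_pki are hypothetical helper names.

# Return 0 only if cert chains to ca, key matches cert, and key is not world-readable.
check_cert_bundle() {
    cert=$1; key=$2; ca=$3
    # 1. The certificate must verify against the CA the clients already trust.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert does not chain to $ca" >&2; return 1; }
    # 2. The public key inside the certificate must equal the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key does not match $cert" >&2; return 2; }
    # 3. The private key must not be readable by "other".
    [ -z "$(find "$key" -perm -004)" ] ||
        { echo "FAIL: $key is world-readable" >&2; return 3; }
    echo "OK: $cert, $key and $ca belong together"
}

# Build a constructed throwaway CA, server cert/key and an unrelated key in directory $1.
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=zentyal.example.test" \
        -keyout "$d/key.pem" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/cert.pem" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    chmod 600 "$d/ca.key" "$d/key.pem" "$d/other.key"
}

# Demo on constructed files: a matching bundle, then a key that belongs to no certificate.
demo=$(mktemp -d)
make_demo_pki "$demo"
check_cert_bundle "$demo/cert.pem" "$demo/key.pem" "$demo/ca.pem"
check_cert_bundle "$demo/cert.pem" "$demo/other.key" "$demo/ca.pem" || echo "rejected (rc=$?)"
rm -rf "$demo"
```

Against real files, call `check_cert_bundle` with the three paths and follow it with `sudo nginx -t` or `sudo apache2ctl configtest` before restarting the service.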