Zentyal Forum, Linux Small Business Server

Title: How to replace Zentyal CA certificates and key with an already existing CA
Post by: sysbes on May 10, 2017, 11:30:04 am
The context: we're using a CA which is deployed on all our client machines, and a lot of hosts and web servers.

It seems that the Zentyal CA module only allows issuing a new CA using the GUI, but not importing an existing CA. We'd like to use Zentyal to issue new certificates and use them in Zentyal services (admin, web server, VPN).

Is there a way to replace the CA generated through Zentyal's GUI with one created with the OpenSSL CLI?

Title: Re: How to replace Zentyal CA certificates and key with an already existing CA
Post by: pi on May 26, 2017, 11:10:38 am
Zentyal 5.0?

For Admin:

Code:
sudo nano /usr/share/zentyal/stubs/core/nginx.conf.mas
Search for:
Code:
server {
       listen <% $port %>;

       ssl on;
       ssl_certificate <% $zentyalconfdir %>ssl/ssl.pem;
       ssl_certificate_key <% $zentyalconfdir %>ssl/ssl.pem;
% if ($caFile) {
       ssl_client_certificate <% $caFile %>;
       ssl_verify_client optional;
       ssl_verify_depth 1;
% }

and replace it with:

Code:
server {
       listen <% $port %>;

       ssl on;
       ssl_certificate <directory of cert-files>/cert.pem;
       ssl_certificate_key <directory of cert-files>/key.pem;
       ssl_client_certificate <directory of cert-files>/ca.pem;
       ssl_verify_client optional;
       ssl_verify_depth 1;

For Apache Webserver:

Code:
sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf
Add/Replace Lines:

Code:
SSLCertificateFile <directory of cert-file>/cert.pem
SSLCertificateKeyFile <directory of key-file>/privkey.pem
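
A pre-flight check for the files referenced in the reply above, as an added example that is not part of the original thread or of Zentyal: it confirms that the certificate and private key belong together, that the certificate chains to the existing CA, and that the key is not readable by group or others. The function name and return codes are hypothetical, and the key is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example, not from the thread. Arguments correspond to the cert.pem,
# key.pem and ca.pem files named in the posts above.

# SHA-256 of the DER-encoded public key read as PEM from stdin.
spki_hash() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# check_tls_files CERT KEY CA
# Returns 0 if every check passes, 1 if a file cannot be parsed,
# 2 if cert and key do not match, 3 if the cert does not chain to CA,
# 4 if the key file is accessible to group or others.
check_tls_files() {
    cert=$1; key=$2; ca=$3

    # Parse each input first so a broken file cannot yield two equal empty hashes.
    openssl x509 -in "$cert" -noout 2>/dev/null || { echo "cannot parse certificate $cert" >&2; return 1; }
    openssl x509 -in "$ca" -noout 2>/dev/null || { echo "cannot parse CA $ca" >&2; return 1; }
    openssl pkey -in "$key" -noout 2>/dev/null || { echo "cannot parse key $key" >&2; return 1; }

    # The public key in the certificate must equal the one derived from the private key.
    cert_spki=$(openssl x509 -in "$cert" -noout -pubkey | spki_hash)
    key_spki=$(openssl pkey -in "$key" -pubout | spki_hash)
    [ "$cert_spki" = "$key_spki" ] || { echo "certificate and key do not match" >&2; return 2; }

    # The certificate must verify against the existing CA.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || { echo "certificate does not chain to $ca" >&2; return 3; }

    # Group/other permission bits (columns 5-10 of ls -l) must all be unset.
    perms=$(ls -lLd "$key" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "key $key is accessible to group or others" >&2; return 4; }

    return 0
}

# Stand-alone use: sh check.sh cert.pem key.pem ca.pem
if [ "$#" -eq 3 ]; then
    check_tls_files "$@"
fi
```
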