Copied from http://www.chaloner.ca/article.php?story=20020922181652718 and edited for formatting only by:
Craig Genner (March 2004)
Richard Osborne (March 2004)


Shelby L Moore, shelbym@v-cut.com, version 0.1.2, January 7, 2002


This is a guide to setting up a self-signed certificate or a CA-signed certificate for your SME 5 server.
---
Update by Torsten Lechler, torsten@deep-sea.net @ 30 July 2004
The procedures explained in this document also work for SME 5.6 Server with update 4 and SME Server 6.0.1-01.
Just follow the steps in this document and you are up and running in minutes.
---
Note: This is a first draft of this document (actually, it is my first How-To ever). If there are any errors or you have suggestions, please email me. Thanks.

Have you ever tried using your secure website on SME 5? If you have, you know that it pops up a certificate warning dialog. I hate this! Having not found a solution anywhere else, I decided to buckle down and solve this myself.

This document is my attempt to explain how I resolved this issue, so you never have to see this dialog again. (Well, at least it solves it for a year; the certificate expires then and you will need to create another.)

I would also like to say that I consider myself a Linux novice. I have only been using SME for a few months. What I have learned has been from friends, and the school of hard knocks. If you know of a better way to do anything that follows in this document please pass it on, I would love to learn from your experience.

The latest version of this document can be found at: http://www.v-cut.com

First, thanks to Tim Larson, talarson@kepler.covenant.dontspamme.edu. This document is based on his IMAP/POP3/SMTP over SSL Guide, which can be found here: http://kepler.covenant.edu/talarson. I have borrowed his format and style; without him I probably would not have written this document. I would also like to thank E-Smith, now SME, for a wonderful product. Truth be told, I have never been much of a Linux fan, but this product is quickly changing my mind.

I did this using SME 5 service pack 3, formerly known as E-Smith. It might work with other versions - I haven't tried. Let me know of your success/failure.

For those not familiar with E-smith, go to http://www.e-smith.org/. E-smith is a GNU/Linux distribution that is based on Red Hat. It provides a simple way to set up a secure firewall, gateway, printer/file sharing (even with Macs), VPN, and more. Simple in that it takes about half an hour to install and configure all of those services (and all you need to know to configure it is its IP address, hostname, and the like). Once set up, a web interface is used to administer the machine.

E-smith does not come with make, so you either need to install make and the related tools, or perform this step on another machine that you trust (whoever generates the key holds a copy of it). I installed Red Hat 7.1 on a second hard drive which I used to create the key and certificate. If you do not have access to a second drive or the tools needed to do this I would be happy to create one for you (of course you would have to trust me), just email.

First, cd to the /etc/httpd/conf directory on that machine. Remove the placeholder key and certificate that were generated during the installation with the following commands:

rm ssl.key/server.key
rm ssl.crt/server.crt

Now you have a choice: whether or not your key should be protected by a password (openssl calls it a pass phrase). If you choose the password approach, you will have to type it in every time your secure Web server starts, so the server cannot come back up unattended after a reboot.


Security Note: A key without a password is protected only by file permissions; anyone who can read the file, or a backup of it, can impersonate your server. Disabling the password for your secure Web server is therefore a security risk and is not recommended. However, I believe you should be able to choose which method you prefer, so I give examples of both methods.


Create your own key. Type in the following command:

make genkey

Your system will display a message similar to the following:

umask 77 ;
/usr/bin/openssl genrsa -des3 1024 > /etc/httpd/conf/ssl.key/server.key
Generating RSA private key, 1024 bit long modulus
........+++++++

e is 65537 (0x10001)
Enter PEM pass phrase:

You now need to type in your password. For best security, your password should be at least eight characters long, include numbers and/or punctuation, and not be a dictionary word. Also, remember that your password is case sensitive.

You will be asked to re-type the password, to verify that it is correct. Once you have typed it in correctly, a file called server.key, containing your key, will be created.

So you like living on the edge. No worry, we all do at some time. Instead of make genkey, use the following command, typed entirely on one line:

umask 77 ; /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key

After you use the above command to create your key, you will not need to use a password to start your secure Web server. Make sure the key file is created readable by root only (a umask of 77, as make genkey uses); with the default umask a shell redirection creates it world-readable, and an unprotected key that anyone on the box can read is no secret at all.
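Below, as an added example that is not part of the original HOWTO, is the same choice done with openssl directly and without make, in a form that runs anywhere: the password route, the no-password route, turning one into the other, and the checks that the key is sound and was written readable by its owner only. It departs from the 2002 text in two places, both my own choices rather than anything SME shipped: 2048-bit keys instead of 1024 (1024-bit RSA is no longer considered adequate) and -aes256 instead of -des3. The pass phrase and file names are placeholders.

```shell
# Added example, not from the original HOWTO.  Key generation both ways the
# text describes, with the key file never readable by other users.
# 2048-bit RSA and -aes256 are this example's choices, not SME's defaults.

# Create a pass-phrase-protected key.  $1 = output path, $2 = pass phrase.
# The pass phrase reaches openssl through its environment (-passout env:),
# so it never appears on a command line that `ps` could show.
gen_key_encrypted() {
    ( umask 077; KEYPASS="$2" openssl genrsa -aes256 -passout env:KEYPASS \
        -out "$1" 2048 2>/dev/null )
}

# Create an unencrypted key (the "living on the edge" route: the only thing
# protecting it is the 0600 mode and who can become root).
gen_key_plain() {
    ( umask 077; openssl genrsa -out "$1" 2048 2>/dev/null )
}

# Turn a protected key into an unencrypted copy, e.g. when you decide later
# that the server must restart unattended.  $1 = encrypted key, $2 = pass
# phrase, $3 = output path.
strip_passphrase() {
    ( umask 077; KEYPASS="$2" openssl rsa -in "$1" -passin env:KEYPASS \
        -out "$3" 2>/dev/null )
}

# True if the PEM file is encrypted.  Both PEM styles openssl has used mark
# this with the word ENCRYPTED ("Proc-Type: 4,ENCRYPTED" in the old RSA
# format, "BEGIN ENCRYPTED PRIVATE KEY" in PKCS#8).
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Sanity-check a key: it loads with the given pass phrase ("" if none),
# openssl's internal consistency check passes, and the mode is exactly 0600.
key_is_sane() {
    KEYPASS="$2" openssl rsa -in "$1" -passin env:KEYPASS -check -noout \
        >/dev/null 2>&1 || return 1
    [ -n "$(find "$1" -perm 600)" ]
}

# Print the modulus size in bits.  $1 = key path, $2 = pass phrase ("" if none).
key_bits() {
    KEYPASS="$2" openssl rsa -in "$1" -passin env:KEYPASS -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# Demonstration in a scratch directory (the pass phrase is a placeholder).
demo_dir=$(mktemp -d)
gen_key_encrypted "$demo_dir/server.key" 'dem0-pass-phrase'
strip_passphrase "$demo_dir/server.key" 'dem0-pass-phrase' "$demo_dir/server-nopass.key"
key_is_encrypted "$demo_dir/server.key" && echo "server.key is pass-phrase protected"
key_is_encrypted "$demo_dir/server-nopass.key" || echo "server-nopass.key is not"
key_is_sane "$demo_dir/server-nopass.key" '' && echo "key checks out, mode 0600"
echo "modulus: $(key_bits "$demo_dir/server-nopass.key" '') bits"
rm -rf "$demo_dir"
```

The umask is set in a subshell so it applies only to the file being written; key_is_sane fails on a wrong pass phrase as well as on a key someone has since made group- or world-readable.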

Again you have a choice. You can make a self-signed certificate, or generate a certificate request and send it off to a CA to be signed. The advantage of the CA-signed certificate is that most browsers will then trust it automatically. The disadvantage is that it will set you back $100 or more. If you are like me you don't have the money; I went with self-signed, and it is working fine for me. You have to tell the browser to trust the certificate and install it on each client machine, but you only have to do this once per machine.

Type the following command to create a self-signed Certificate (you should be in: /etc/httpd/conf/):

make testcert

You will see the following output and you will be prompted for your password (unless you generated a key without a password):

umask 77 ;
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:

After you enter your password (or without a prompt if you created a key without a password), you will be asked for more information. The computer's output and a set of sample inputs look like the following; the inputs are the values after each colon, and you will need to provide the correct information for your site. The Common Name must be exactly the hostname users will type into the browser (here www.v-cut.com); if it differs, the browser warns even for a CA-signed certificate.

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Waco
Organization Name (eg, company) [Internet Widgits]:V-Cut Designs
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.v-cut.com
Email Address []:shelbym@v-cut.com

After you provide the correct information, a self-signed certificate will be created and placed in /etc/httpd/conf/ssl.crt/server.crt

Type the following command to generate a Certificate request, which you will need to send to the CA of your choice:

make certreq

You will see the following output and you will be prompted for your password (unless you generated a key without a password):

umask 77 ;
/usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -out /etc/httpd/conf/ssl.csr/server.csr
Using configuration from /usr/share/ssl/openssl.cnf
Enter PEM pass phrase:

After you enter your password (or without a prompt if you created a key without a password), you will be asked for more information. The computer's output and a set of sample inputs look like the following; the inputs are the values after each colon, and you will need to provide the correct information for your site. The Common Name must again be the exact hostname users will type; the CA issues the certificate for the name you put here.

Country Name (2 letter code) [US]:US
State or Province Name (full name) [Some-State]:Texas
Locality Name (eg, city) []:Waco
Organization Name (eg, company) [Internet Widgits]:V-Cut Designs
Organizational Unit Name (eg, section) []:IT
Common Name (your name or server's hostname) []:www.v-cut.com
Email Address []:shelbym@v-cut.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Do not use either of the extra attributes. To continue without entering these fields, just press [Enter] to accept the blank default for both inputs.

When you have finished entering your information, a file named server.csr will be created. This file is your certificate request, ready to send to your CA.

After you decide on a CA, follow the instructions they provide on their website. Their instructions will tell you how to send your certificate request, any other documentation that they require, and of course your payment.

They will send a certificate to you (usually by email). Save (or cut and paste) the certificate they send you as /etc/httpd/conf/ssl.crt/server.crt. Before you go on, check that it was issued for the key you generated and that the Common Name is the one you requested; a certificate that does not match the key will keep httpd from starting.
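As an added example that is not part of the original HOWTO, here are the make testcert and make certreq steps done directly with openssl and without prompting, followed by the checks worth running on whichever certificate you end up installing, your own self-signed one or the one the CA mails back: does it belong to the key you generated, and does it name the host your users will type? The hostname secure.example.org, the organisation and the paths are placeholders; nothing is hard-wired to v-cut.com. Two things go beyond the 2002 text: the hostname is also put in subjectAltName, because current browsers match the hostname against that field and ignore the Common Name, and a fingerprint function is included for the user-distribution step at the end of this document. If your key has a pass phrase, export it as KEYPASS before calling these; otherwise leave KEYPASS unset.

```shell
# Added example, not from the original HOWTO.  Certificate and CSR creation
# without the Red Hat Makefile, plus the checks to run before installing.
# Hostname/organisation/paths are arguments; KEYPASS (optional) holds the
# key's pass phrase so openssl never has to prompt.

# Minimal request config for $1 = hostname, $2 = organisation.  The
# hostname goes in both CN and subjectAltName (browsers use the latter).
write_req_config() {
    cat <<EOF
[ req ]
prompt             = no
default_md         = sha256
distinguished_name = dn
x509_extensions    = v3_server
req_extensions     = v3_server

[ dn ]
C  = US
O  = $2
CN = $1

[ v3_server ]
subjectAltName   = DNS:$1
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
}

# Self-signed certificate (what "make testcert" did):
# $1 = key, $2 = hostname, $3 = organisation, $4 = certificate to write.
make_selfsigned() {
    write_req_config "$2" "$3" > "$4.cnf"
    KEYPASS="${KEYPASS:-}" openssl req -new -x509 -key "$1" -passin env:KEYPASS \
        -config "$4.cnf" -days 365 -out "$4" 2>/dev/null
    rc=$?; rm -f "$4.cnf"; return $rc
}

# Certificate request for a CA (what "make certreq" did):
# $1 = key, $2 = hostname, $3 = organisation, $4 = CSR to write.
make_csr() {
    write_req_config "$2" "$3" > "$4.cnf"
    KEYPASS="${KEYPASS:-}" openssl req -new -key "$1" -passin env:KEYPASS \
        -config "$4.cnf" -out "$4" 2>/dev/null
    rc=$?; rm -f "$4.cnf"; return $rc
}

# True if the certificate's public key is the one inside the private key.
# Both commands emit the same PEM SubjectPublicKeyInfo, so a plain string
# compare is enough.  A mismatch (wrong file from the CA, or a key
# regenerated in between) is the classic reason httpd refuses to start.
cert_matches_key() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    kpub=$(KEYPASS="${KEYPASS:-}" openssl pkey -in "$2" -passin env:KEYPASS \
        -pubout 2>/dev/null) || return 1
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# True if $2 is one of the certificate's subjectAltName DNS entries.
cert_names_host() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/Subject Alternative Name/{n;p;}' | grep -Eq "DNS:$2"'(,|$| )'
}

# SHA-256 fingerprint, for publishing out of band so users can compare it
# with what the browser shows before accepting a self-signed certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Demonstration with a throwaway key and placeholder names.
demo_dir=$(mktemp -d)
openssl genrsa -out "$demo_dir/server.key" 2048 2>/dev/null
make_selfsigned "$demo_dir/server.key" secure.example.org "Example Org" "$demo_dir/server.crt"
make_csr "$demo_dir/server.key" secure.example.org "Example Org" "$demo_dir/server.csr"
cert_matches_key "$demo_dir/server.crt" "$demo_dir/server.key" && echo "certificate belongs to server.key"
cert_names_host "$demo_dir/server.crt" secure.example.org && echo "certificate names secure.example.org"
echo "fingerprint: $(cert_fingerprint "$demo_dir/server.crt")"
rm -rf "$demo_dir"
```

Run cert_matches_key and cert_names_host on the file the CA returns before copying it anywhere; both checks are offline and take a second, and they catch the two mistakes that otherwise surface only as a failed httpd restart or a browser warning.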

Now that we have a key and certificate created, we can place them on our SME server. I simply used a floppy disk to transfer the files. You can also copy them over the network, but not with plain FTP: the private key would cross the wire in the clear. Use scp, or a floppy you carry yourself.

The key and Certificate we just created are located in the following directories on the Red Hat server:

/etc/httpd/conf/ssl.key/server.key
/etc/httpd/conf/ssl.crt/server.crt

Here is the kicker: they don't go to the same directory on the SME box. You need to place them here:

/home/e-smith/ssl.key/server.key
/home/e-smith/ssl.crt/server.crt

There is of course already a key and certificate in each of these directories. Again, they are not named like you might think: they are named after the host, e.g. secure.your_domain.com.crt. So let's first rename these files to keep them as a backup.

cd /home/e-smith/ssl.key
mv secure.v-cut.com.key old.key

cd /home/e-smith/ssl.crt
mv secure.v-cut.com.crt old.crt

We then can rename our newly created key and certificate:

cd /home/e-smith/ssl.key
mv server.key secure.v-cut.com.key

cd /home/e-smith/ssl.crt
mv server.crt secure.v-cut.com.crt

We then need to set the owner and group:

chown root.root /home/e-smith/ssl.key/secure.v-cut.com.key
chown root.root /home/e-smith/ssl.crt/secure.v-cut.com.crt

And finally we set the permissions:

chmod 400 /home/e-smith/ssl.key/secure.v-cut.com.key
chmod 644 /home/e-smith/ssl.crt/secure.v-cut.com.crt

You can restart your secure server with the following command. (If you chose to have a password, you will be prompted to enter it.)

/etc/rc.d/init.d/httpd restart
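The rename, chown and chmod steps above, gathered into one function as an added example that is not part of the original HOWTO, together with the checks worth running before you restart httpd. The SME tree (/home/e-smith on a real server) and the host the files are named after are arguments, so this also runs in a scratch directory; nothing is hard-wired to v-cut.com, and secure.example.org is a placeholder. Run as root on the real box the files come out root-owned, because install(1) keeps the invoking user's ownership, which is what the chown root.root step did.

```shell
# Added example, not from the original HOWTO.  Installs a key/certificate
# pair where SME expects them, keeps the old pair as old.key/old.crt as the
# text does, and verifies what httpd will load.  Paths are arguments.

# $1 = SME ssl root (/home/e-smith on a real server)
# $2 = host the files are named after (secure.v-cut.com in the text)
# $3 = new key, $4 = new certificate
install_sme_pair() {
    root=$1; host=$2; key=$3; crt=$4
    mkdir -p "$root/ssl.key" "$root/ssl.crt"
    [ -f "$root/ssl.key/$host.key" ] && mv "$root/ssl.key/$host.key" "$root/ssl.key/old.key"
    [ -f "$root/ssl.crt/$host.crt" ] && mv "$root/ssl.crt/$host.crt" "$root/ssl.crt/old.crt"
    # install(1) copies and sets the mode in one step: 0400 for the key
    # (owner only), 0644 for the public certificate.
    install -m 400 "$key" "$root/ssl.key/$host.key" &&
        install -m 644 "$crt" "$root/ssl.crt/$host.crt"
}

# What httpd will actually load: byte-identical to what you generated, the
# key readable by its owner only, the certificate world-readable.
verify_sme_pair() {
    root=$1; host=$2; key=$3; crt=$4
    ikey=$root/ssl.key/$host.key; icrt=$root/ssl.crt/$host.crt
    cmp -s "$key" "$ikey" && cmp -s "$crt" "$icrt" || return 1
    [ -n "$(find "$ikey" -perm 400)" ] && [ -n "$(find "$icrt" -perm 644)" ]
}

# True if the certificate is good for at least $2 more days.  With the
# -days 365 used above this starts failing about a year from now, which
# is when the browser warning returns; worth running from cron.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Demonstration in a scratch tree with a throwaway self-signed pair.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=secure.example.org" -days 365 \
    -keyout "$demo_dir/server.key" -out "$demo_dir/server.crt" >/dev/null 2>&1
install_sme_pair "$demo_dir/e-smith" secure.example.org "$demo_dir/server.key" "$demo_dir/server.crt"
verify_sme_pair "$demo_dir/e-smith" secure.example.org "$demo_dir/server.key" "$demo_dir/server.crt" &&
    echo "pair installed; on the real box now run /etc/rc.d/init.d/httpd restart"
cert_valid_for_days "$demo_dir/e-smith/ssl.crt/secure.example.org.crt" 30 &&
    echo "certificate good for at least 30 more days"
rm -rf "$demo_dir"
```

If verify_sme_pair fails, nothing has been lost: the previous pair is still there as old.key and old.crt and can be moved back before httpd is touched.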

Point your Web browser at, say, the webmail page. The URL to access webmail with the secure server will look like this:

https://www.v-cut.com/webmail

If you are using a CA-Signed certificate from a well-known CA, your browser will most likely automatically accept the certificate (without prompting for input) and create the secure connection.

Your browser will not automatically recognize your self-signed certificate, because it is not signed by a CA the browser trusts. Before accepting it, compare the fingerprint the browser shows with the one you recorded on the server; that is the only thing distinguishing your certificate from one an attacker has put in its place. Then follow the instructions provided by your browser to accept the certificate and install it. You only have to do this once per browser. Once your browser accepts the certificate you should get the webmail home page. Close your browser and try accessing the page again; notice that this time there is no security warning or prompt.

That is all there is to it. You should now have a fully functional and happy secure web server.

Before I go, one more little tip I picked up while researching how to do all this. You can view your key and certificate on your SME box with the following commands (run in the ssl.key and ssl.crt directories above):

openssl rsa -noout -text -in secure.v-cut.com.key
openssl x509 -noout -text -in secure.v-cut.com.crt


If, like me, you connect to your server over SSL to check your e-mail, you may also need to do the following, so that the IMAP and POP3 daemons present the same certificate as the web server. These daemons are started without a terminal to type a password at, so the key that goes into the combined file must be one created without a password.

For SME Server 6.0.1-01:
mv /var/service/imap/ssl/imapd.pem /var/service/imap/ssl/imapd.pem.old
mv /usr/share/ssl/certs/ipop3d.pem /usr/share/ssl/certs/ipop3d.pem.old
cat /home/e-smith/ssl.key/secure.v-cut.com.key > /var/service/imap/ssl/imapd.pem
cat /home/e-smith/ssl.crt/secure.v-cut.com.crt >> /var/service/imap/ssl/imapd.pem
cp /var/service/imap/ssl/imapd.pem /usr/share/ssl/certs/ipop3d.pem

For SME 5.6:
mv /usr/share/ssl/certs/imapd.pem /usr/share/ssl/certs/imapd.pem.old
mv /usr/share/ssl/certs/ipop3d.pem /usr/share/ssl/certs/ipop3d.pem.old
cat /home/e-smith/ssl.key/secure.v-cut.com.key > /usr/share/ssl/certs/imapd.pem
cat /home/e-smith/ssl.crt/secure.v-cut.com.crt >> /usr/share/ssl/certs/imapd.pem
cp /usr/share/ssl/certs/imapd.pem /usr/share/ssl/certs/ipop3d.pem

Using a mail subdomain
To use a separate subdomain for mail, all you need to do is create a separate certificate for it, e.g. mail.v-cut.com, and use it instead. Make it from the same key that goes into the combined file (on the SME box that is the renamed secure.v-cut.com.key) and answer mail.v-cut.com for the Common Name:
/usr/bin/openssl req -new -key /home/e-smith/ssl.key/secure.v-cut.com.key -x509 -days 365 -out /home/e-smith/ssl.crt/mail.v-cut.com.crt
cat /home/e-smith/ssl.key/secure.v-cut.com.key > /usr/share/ssl/certs/imapd.pem
cat /home/e-smith/ssl.crt/mail.v-cut.com.crt >> /usr/share/ssl/certs/imapd.pem
(These are the 5.6 paths; on 6.0.1-01 write to /var/service/imap/ssl/imapd.pem as above.)

Location of files for the 6.0.1-01 add-on
Here are the commands to update the SSL certificates for the securemail add-on by pagefault.org:
cp /var/service/imap/ssl/imapd.pem /var/service/ssl-smtpfront-qmail/ssl/ssmtpd.pem
cp /var/service/imap/ssl/imapd.pem /var/service/ssl-imap/ssl/imapsd.pem
cp /var/service/imap/ssl/imapd.pem /var/service/ssl-popd/ssl/pop3s.pem
chmod 640 /var/service/ssl-imap/ssl/imapsd.pem /var/service/ssl-popd/ssl/pop3s.pem /var/service/ssl-smtpfront-qmail/ssl/ssmtpd.pem /var/service/imap/ssl/imapd.pem
chown qmaild:nofiles /var/service/ssl-smtpfront-qmail/ssl/ssmtpd.pem
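The combined key-plus-certificate file that the IMAP and POP3 daemons above read, built and checked by a function as an added example that is not part of the original HOWTO. It serves the 5.6 and 6.0.1-01 variants and the securemail add-on copies alike, since those differ only in where the file goes; the paths, mail.example.org and the 0640 mode (taken from the add-on commands) are the only things assumed here, and nothing is hard-wired to v-cut.com.

```shell
# Added example, not from the original HOWTO.  Builds the combined PEM the
# mail daemons read (key first, then certificate, as the text does), keeps
# the previous file as <name>.old, and checks the result.

# $1 = key (must not be pass-phrase protected: the daemons have no terminal
# to type one at), $2 = certificate, $3 = combined file to write.
# The file is assembled next to the target and renamed into place, so a
# daemon that opens it mid-way never sees a half-written bundle.
write_mail_pem() {
    key=$1; crt=$2; out=$3
    tmp="$out.tmp.$$"
    ( umask 027; cat "$key" "$crt" > "$tmp" ) || return 1
    chmod 640 "$tmp"
    [ -f "$out" ] && mv "$out" "$out.old"
    mv "$tmp" "$out"
}

# The checks: exactly one private key and one certificate, the key is not
# encrypted, it passes openssl's consistency check, the certificate parses,
# and the mode is 0640.  openssl picks the first matching PEM block out of
# a bundle, which is what makes the two openssl one-liners possible.
mail_pem_is_sane() {
    pem=$1
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$pem")" = 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$pem")" = 1 ] || return 1
    if grep -q ENCRYPTED "$pem"; then return 1; fi
    openssl rsa -in "$pem" -noout -check >/dev/null 2>&1 || return 1
    openssl x509 -in "$pem" -noout -subject >/dev/null 2>&1 || return 1
    [ -n "$(find "$pem" -perm 640)" ]
}

# Print the Common Name in the bundle's certificate, to confirm it is the
# host name the mail clients use (mail.v-cut.com if you made a subdomain
# certificate).  Handles both "CN=x" and "CN = x" subject styles.
mail_pem_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Demonstration with a throwaway pair and placeholder names.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=mail.example.org" -days 365 \
    -keyout "$demo_dir/mail.key" -out "$demo_dir/mail.crt" >/dev/null 2>&1
write_mail_pem "$demo_dir/mail.key" "$demo_dir/mail.crt" "$demo_dir/imapd.pem"
mail_pem_is_sane "$demo_dir/imapd.pem" && echo "imapd.pem is well formed, mode 0640"
echo "certificate is for: $(mail_pem_cn "$demo_dir/imapd.pem")"
rm -rf "$demo_dir"
```

On a real server the same bundle is then copied to the pop3 and smtp paths listed above and given the owner each daemon runs as; mail_pem_is_sane can be pointed at each copy in turn.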

How to get users to install the Certificates
Simply email the certificate file (server.crt, the public certificate only, never the .key file) or put it on the web server and have users download it. This is the file users need to install to get rid of the warning. Because it reaches them over a channel you do not control, publish the certificate's fingerprint somewhere separate (or read it out in person or by phone) so they can compare it with what the browser shows before they install it.