Install Certificate in CanIt

From Roaring Penguin

Here's my recommended "best practices" solution to this:

Part 1: Install the server's certificate using the Setup : HTTPS function

This function asks you for the cert and its key. It will update files in /etc/ssl/ and it will get HTTPS working for your web interface.

This isn't what you asked for, but later we'll make Sendmail use the same cert/key for TLS. A big bonus of doing it this way is that when the time comes to update the cert/key, you can easily use Setup : HTTPS again and the updates will be used by both Apache and Sendmail. Future key updates are a snap.

Certificate Chain

On the Setup : HTTPS page it says:

Please paste your SSL certificate into the text box below. If your provider supplies a certificate chain file, paste the contents of that file immediately below your certificate.

When you get your certificate signed by a Certificate Authority, they often provide a "certificate bundle" or "certificate chain". These are the intermediate CA certificates that link your certificate all the way up the chain to the root CA.

When you paste in your certificate at Setup : HTTPS, it should look something like this:

-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----

To add the certificate bundle / chain bits, just append them so it looks like this:

-----BEGIN CERTIFICATE-----
... your cert ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... certificate bundle ...
-----END CERTIFICATE-----

 NOTE: If you are only updating your cert/key (for example, to add the certificate chain bundle) and you have already done the steps below, you don't need to redo them, but you do need to restart Sendmail so the new cert/key take effect for SMTP/TLS.


Part 2: Making Sendmail behave

Part 1 will create / update /etc/ssl/private/canit-appliance.key and /etc/ssl/certs/canit-appliance.crt.

We'll leave Sendmail's config file alone; instead we'll just create symlinks in /etc/mail/tls/ to the appropriate files.

These commands will do the business:

  mv /etc/mail/tls/sendmail-client.crt /etc/mail/tls/sendmail-client.crt.orig
  mv /etc/mail/tls/sendmail-server.crt /etc/mail/tls/sendmail-server.crt.orig
  mv /etc/mail/tls/sendmail-common.key /etc/mail/tls/sendmail-common.key.orig
  ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-client.crt
  ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-server.crt
  ln -s /etc/ssl/private/canit-appliance.key /etc/mail/tls/sendmail-common.key

Then restart Sendmail:

/etc/init.d/sendmail restart

Part 3: Enabling TLS in sendmail.mc

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:

   include(`/etc/mail/tls/starttls.m4')dnl

in /etc/mail/sendmail.mc somewhere before the MAILER(`local')dnl line.

NOTE: Look closely at the beginning: include(`. Notice that the character after the open parenthesis is a back-tick (the tilde key near ESC on most 105-key US keyboard layouts). This is important. Also note that if you copy-paste from above, the paste may convert the back-tick to a single quote. Watch out for this.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts.
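The following POSIX shell checks are an added example, not part of CanIt or of this page's own commands. They verify the three things above on each host: the pasted certificate box has a well-formed cert-plus-chain and no private key (Part 1), the /etc/mail/tls names are symlinks to the Setup : HTTPS files (Part 2), and sendmail.mc has the STARTTLS include spelled with a real back-tick and placed before MAILER(`local')dnl (Part 3). The directory and file paths are passed as arguments (assumed, so the checks can be run against a copy).

```shell
# Post-install checks for the Sendmail TLS setup on this page (added example;
# the directory and file arguments are assumptions so it can run on a copy).

# The m4 include line exactly as it must appear: an ASCII backtick (0x60) after
# the opening parenthesis, an apostrophe before the closing one.
STARTTLS_LINE="include(\`/etc/mail/tls/starttls.m4')dnl"
MAILER_LINE="MAILER(\`local')dnl"

# check_sendmail_mc FILE: returns 0 when the include line is present, spelled
# with a backtick, and placed before MAILER(`local')dnl.
check_sendmail_mc() {
  mc="$1"
  inc=$(grep -nF -- "$STARTTLS_LINE" "$mc" | head -n 1 | cut -d: -f1)
  mailer=$(grep -nF -- "$MAILER_LINE" "$mc" | head -n 1 | cut -d: -f1)
  if [ -z "$inc" ]; then
    # The copy-paste failure the page warns about: backtick turned into a quote.
    if grep -qF -- "include('/etc/mail/tls/starttls.m4')" "$mc"; then
      echo "$mc: include line uses ' instead of a backtick" >&2
    else
      echo "$mc: starttls include line missing" >&2
    fi
    return 1
  fi
  [ -n "$mailer" ] || { echo "$mc: $MAILER_LINE not found" >&2; return 1; }
  [ "$inc" -lt "$mailer" ] || { echo "$mc: include must precede $MAILER_LINE" >&2; return 1; }
}

# check_tls_links DIR CRT KEY: returns 0 when the three Sendmail TLS names in
# DIR are symlinks to the cert and key written by Setup : HTTPS.
check_tls_links() {
  dir="$1"; crt="$2"; key="$3"; rc=0
  for pair in "sendmail-client.crt=$crt" "sendmail-server.crt=$crt" "sendmail-common.key=$key"; do
    name=${pair%%=*}; want=${pair#*=}; link="$dir/$name"
    if [ ! -L "$link" ]; then echo "$link: not a symlink" >&2; rc=1; continue; fi
    got=$(readlink "$link")
    [ "$got" = "$want" ] || { echo "$link -> $got (expected $want)" >&2; rc=1; }
  done
  return $rc
}

# check_pem_bundle FILE: returns 0 and prints the certificate count (1 = cert
# only, more = cert + chain) when BEGIN/END markers balance and no key is inside.
check_pem_bundle() {
  b=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  e=$(grep -c -- '-----END CERTIFICATE-----' "$1" || true)
  [ "$b" -gt 0 ] && [ "$b" -eq "$e" ] || { echo "$1: unbalanced CERTIFICATE markers" >&2; return 1; }
  ! grep -q -- 'PRIVATE KEY-----' "$1" || { echo "$1: private key pasted in cert box" >&2; return 1; }
  echo "$b"
}
```

On a live appliance, run `check_tls_links /etc/mail/tls /etc/ssl/certs/canit-appliance.crt /etc/ssl/private/canit-appliance.key` and `check_sendmail_mc /etc/mail/sendmail.mc` before the `make -C /etc/mail` step.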