Install Certificate in CanIt

From Roaring Penguin
Revision as of 17:41, 14 December 2017 by JAudette (talk | contribs) (Added part 0: acquire certificate)


Here's my recommended "best practices" solution to this:

Part 0: Get certificate

Your server(s) will need an SSL certificate. If you use a self-signed/dummy certificate for HTTPS, the vast majority of browsers will throw a security warning. If you use a self-signed/dummy certificate for SMTP/TLS, many SMTP deliveries that attempt TLS will fail (some senders accept invalid certs, but not all). Often, when the TLS handshake fails, the sender does not fall back to plaintext SMTP and the mail is simply not delivered.

Therefore, it is best to get an SSL certificate for your server. Each server will need its own. Wildcard certificates or certificates with Subject Alternative Names (SANs) may work.

Every certificate provider (the Certificate Authority you choose to sign your certificate) has its own process. Follow that process and at the end you should have:

  • SSL Certificate
  • Private Key
  • Certificate bundle/chain (some CAs provide this, some do not)

Part 1: Install the server's certificate using the Setup : HTTPS function

This function asks you for the cert and its key. It will update files in /etc/ssl/ and it will get HTTPS working for your web interface.

This isn't what you asked for, but later we'll make Sendmail use the same cert/key for TLS. A big bonus of doing it this way is that when the time comes to update the cert/key, you can easily use Setup : HTTPS again and the updates will be used by both Apache and Sendmail. Future key updates are a snap.

Certificate Chain

On the Setup : HTTPS page it says:

Please paste your SSL certificate into the text box below. If your provider supplies a certificate chain file, paste the contents of that file immediately below your certificate.

When you get your certificate signed by a Certificate Authority, they often provide a "certificate bundle" or "certificate chain". This is one or more intermediate certificates which connect your certificate all the way up the chain to the root CA.

When you paste in your certificate at Setup : HTTPS, it should look something like this:

... your cert ...

To add the certificate bundle / chain bits, just append them so it looks like this:

... your cert ...
... certificate bundle ...

NOTE: If you are simply updating your cert/key (or you needed to update it to add the certificate chain bundle), and you have already done the steps below, you don't need to redo them. You do, however, need to restart Sendmail to make the new cert/key take effect for SMTP/TLS.

Part 2: Making Sendmail behave

Part 1 will create / update /etc/ssl/private/canit-appliance.key and /etc/ssl/certs/canit-appliance.crt.

We'll leave Sendmail's config file alone; instead we'll just create symlinks in /etc/mail/tls/ to the appropriate files.

These commands will do the business:

  # Keep the original files in case you need to revert
  mv /etc/mail/tls/sendmail-client.crt /etc/mail/tls/sendmail-client.crt.orig
  mv /etc/mail/tls/sendmail-server.crt /etc/mail/tls/sendmail-server.crt.orig
  mv /etc/mail/tls/sendmail-common.key /etc/mail/tls/sendmail-common.key.orig
  # Point Sendmail at the files Setup : HTTPS maintains
  ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-client.crt
  ln -s /etc/ssl/certs/canit-appliance.crt /etc/mail/tls/sendmail-server.crt
  ln -s /etc/ssl/private/canit-appliance.key /etc/mail/tls/sendmail-common.key

Then restart Sendmail:

/etc/init.d/sendmail restart

Part 3: Enabling TLS in

This is a Sendmail function. First, you need to make sure that STARTTLS is enabled on your server. You do that by putting this line:


in /etc/mail/ somewhere before the MAILER(`local')dnl line.

NOTE: Look closely at the beginning: include(`. Notice that the character after the opening parenthesis is a back-tick (the tilde key near ESC on most 105-key US keyboard layouts). This is important. Also note that if you copy-paste from above, your copy-paste may convert the back-tick to a single quote. Watch out for this.

Then type:

   make -C /etc/mail && /etc/init.d/sendmail restart

You need to do this on all hosts.
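Once all three parts are done, the following script checks the result. It is an added example, not CanIt's or Roaring Penguin's own tooling: it confirms that the pasted PEM has the server certificate first with the chain appended (Part 1), that the /etc/mail/tls symlinks point at the Setup : HTTPS files (Part 2), that the private key belongs to the certificate, and what a remote MTA sees over STARTTLS (Part 3). It assumes openssl is installed and that Part 1 writes the two paths named above; the host name for starttls_check is yours to supply.

```shell
#!/bin/sh
# Post-install checks for the cert/key layout this page sets up. Added
# example, not CanIt's own tooling. Paths default to the ones named above;
# CERT, KEY and TLSDIR can be overridden from the environment for testing.
CERT="${CERT:-/etc/ssl/certs/canit-appliance.crt}"
KEY="${KEY:-/etc/ssl/private/canit-appliance.key}"
TLSDIR="${TLSDIR:-/etc/mail/tls}"

# pem_cert_count FILE: number of CERTIFICATE blocks. A bare server cert
# gives 1; server cert plus pasted chain gives 2 or more; missing file gives 0.
pem_cert_count() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# pem_well_formed FILE: BEGIN/END lines pair up and the first PEM block is a
# certificate, i.e. the server cert precedes the chain as Setup : HTTPS expects.
pem_well_formed() {
    b=$(pem_cert_count "$1")
    e=$(grep -c '^-----END CERTIFICATE-----' "$1" 2>/dev/null || true)
    [ "$b" -ge 1 ] && [ "$b" -eq "${e:-0}" ] &&
        [ "$(sed -n '/^-----/{p;q;}' "$1")" = '-----BEGIN CERTIFICATE-----' ]
}

# tls_links_ok: the three Part 2 entries in $TLSDIR are symlinks pointing
# at the Setup : HTTPS files, so Sendmail picks up future renewals.
tls_links_ok() {
    for pair in "sendmail-client.crt:$CERT" "sendmail-server.crt:$CERT" \
                "sendmail-common.key:$KEY"; do
        link="$TLSDIR/${pair%%:*}"; want="${pair#*:}"
        [ -L "$link" ] && [ "$(readlink "$link")" = "$want" ] || return 1
    done
}

# key_matches_cert: the private key belongs to the first cert in $CERT,
# compared via SHA-256 of the SPKI public key (works for RSA and EC keys).
key_matches_cert() {
    c=$(openssl x509 -in "$CERT" -noout -pubkey 2>/dev/null | openssl sha256)
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# starttls_check HOST: what a sending MTA sees on port 25; expect
# "Verify return code: 0 (ok)" and every chain certificate listed.
starttls_check() {
    printf 'QUIT\r\n' | openssl s_client -connect "$1:25" -starttls smtp \
        -servername "$1" -showcerts 2>&1 | grep -E 'Verify return|^ *[0-9]+ s:'
}
```

Run it on each host after Part 2 and again after every renewal; a key that no longer matches the certificate, or a symlink that was overwritten by a regular file, is the usual reason STARTTLS silently breaks after an update.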