Koozali.org: home of the SME Server

phpki for SSL certificate management

DanB35
« on: November 20, 2014, 04:23:59 PM »
I'm looking at the wiki for phpki (http://wiki.contribs.org/PHPki), and it sounds great--a web-based pretty GUI for SSL certificate management is a great add-on for SME server.  My main interest is in managing the web server SSL certificate, not really with user certificates, although I will be trying to set up openVPN as well.  I'm having some trouble getting my installation (see http://bugs.contribs.org/show_bug.cgi?id=8682), but in the interim, I'm trying to figure out how this will work with what I'd like it to do.  So, a few questions:

1.  Can I import an existing CA certificate?  I see that the wiki page has instructions for importing certs used with openvpn, but I'm not (yet) using openvpn.  I have, however, created a CA certificate that I've already installed and trusted on my network, and it'd be nice to continue to use that certificate rather than going through the installation of a new cert on the clients.

2.  Can PHPki handle web/mail server certificates?  I'm hoping for the ability to generate a certificate, place the appropriate files in /home/e-smith/ssl.crt and /home/e-smith/ssl.key, make any appropriate config database updates, etc.

3.  If (2) is affirmative, can it handle the SubjectAltName feature to generate a certificate that will be valid for multiple hosts (e.g., www.mydomain.tld, mail.mydomain.tld, and www.myotherdomain.tld)?

Daniel B.
Re: phpki for SSL certificate management
« Reply #1 on: November 20, 2014, 04:58:01 PM »
> I'm having some trouble getting my installation (see http://bugs.contribs.org/show_bug.cgi?id=8682)

I'll take a look at this ASAP

> 1.  Can I import an existing CA certificate?

Not supported. But you can manually move files around to "import" your existing CA, check how the script on the wiki is doing this.

> 2.  Can PHPki handle web/mail server certificates?  I'm hoping for the ability to generate a certificate, place the appropriate files in /home/e-smith/ssl.crt and /home/e-smith/ssl.key, make any appropriate config database updates, etc.

Yes, I'm using it for my personal use, where I can't afford a trusted wildcard certificate

> 3.  If (2) is affirmative, can it handle the SubjectAltName feature to generate a certificate that will be valid for multiple hosts (e.g., www.mydomain.tld, mail.mydomain.tld, and www.myotherdomain.tld)?

No support for SubjectAltName. The best you can do (for now at least) is to create a wildcard cert, say *.mydomain.tld (which will be valid for anything.mydomain.tld)

DanB35
Re: phpki for SSL certificate management
« Reply #2 on: November 20, 2014, 05:11:13 PM »
SubjectAltName would be a big win, particularly since SME makes support for multiple domains so easy.  A wildcard works fine for multiple hosts on the same domain, but doesn't do anything for a second (or third, fourth, etc.) one.  The ability to manage web/mail server certs is good though.  Thanks for the info!

DanB35
Re: phpki for SSL certificate management
« Reply #3 on: November 21, 2014, 05:47:14 PM »
I now have it working, after reverting my SME server to PHP 5.3.3.  Very nice, and definitely simplifies creation and management of SSL certs.  I'm thinking I might have been a little unclear in my second question, though.  I can see how I could use phpki to generate the web/mail server key and certificate, but I don't see that it will handle installation--it looks like I need to manually download them, copy them to the right place on the server, update the db configuration entries as appropriate, etc.  Is this correct, or am I missing something obvious?

Daniel B.
Re: phpki for SSL certificate management
« Reply #4 on: November 21, 2014, 05:51:36 PM »
Yes, correct: you have to create the certificate, then get the content in PEM format (either by downloading it and opening it with a text file, or by directly copying the file from /opt/phpki/phpki-store/CA/), put the certificate and key in /home/e-smith/ssl.crt and /home/e-smith/ssl.key, and configure modSSL to use these new files with something like:

Code:
db configuration setprop modSSL crt /home/e-smith/ssl.crt/mycert.crt key /home/e-smith/ssl.key/mykey.key
expand-template /etc/httpd/conf/httpd.conf
httpd -t

If httpd -t doesn't show any error, you can finish with:

Code:
expand-template /home/e-smith/ssl.pem/pem
sv t /service/httpd-e-smith
sv t /service/qpsmtpd
sv t /service/sqpsmtpd
sv t /service/dovecot
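
Checks worth running on the copied PEM files before the `db configuration setprop` step above, as an added example that is not part of the original posts or of the phpki contrib. It confirms the key belongs to the certificate, that the certificate has not expired, and that it covers every host name to be served, applying the one-label wildcard rule discussed in Reply #2. The function names are hypothetical and an RSA key is assumed.

```shell
#!/bin/sh
# Added example: pre-install checks for a certificate/key pair (helper names are hypothetical).

# Succeeds when the RSA private key in $2 belongs to the certificate in $1.
key_matches() {
    c=$(openssl x509 -in "$1" -noout -modulus) || return 2
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Prints the DNS names the certificate asserts: SubjectAltName entries if
# present, otherwise the subject CN (current browsers only honour SAN).
cert_names() {
    names=$(openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p')
    if [ -z "$names" ]; then
        names=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
            sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p')
    fi
    printf '%s\n' "$names"
}

# A wildcard stands for exactly one leftmost label: *.mydomain.tld matches
# www.mydomain.tld but not mydomain.tld, a.b.mydomain.tld or another domain.
name_matches() {
    case "$1" in
        \*.*) rest=${2#*.}; [ "$rest" != "$2" ] && [ "$rest" = "${1#\*.}" ] ;;
        *)    [ "$1" = "$2" ] ;;
    esac
}

cert_covers() {   # $1 = certificate file, $2 = host name
    cert_names "$1" | (
        while read -r n; do
            if name_matches "$n" "$2"; then exit 0; fi
        done
        exit 1
    )
}

# Usage: preinstall_check CERT KEY HOST...
preinstall_check() {
    crt=$1; key=$2; shift 2
    key_matches "$crt" "$key" || { echo "key does not match $crt" >&2; return 1; }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null ||
        { echo "$crt has expired" >&2; return 1; }
    for h in "$@"; do
        cert_covers "$crt" "$h" || { echo "$crt is not valid for $h" >&2; return 1; }
    done
}
```

After sourcing the file, `preinstall_check /home/e-smith/ssl.crt/mycert.crt /home/e-smith/ssl.key/mykey.key www.mydomain.tld mail.mydomain.tld` returns non-zero and names the first failed check.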

stephdl
Re: phpki for SSL certificate management
« Reply #5 on: November 21, 2014, 06:25:47 PM »
Alternatively, you have a contrib for managing the certificate (it doesn't create it): http://wiki.contribs.org/Certificate_ssl_management
« Last Edit: November 21, 2014, 06:42:06 PM by stephdl »