How to install a certificate signed by a recognized Certificate Authority.

What is a signer certificate

The Citadel system offers SSL/TLS encryption on every protocol it serves. When you initially install the system, a private key and self-signed certificate are automatically generated for you. However, you may wish to purchase a certificate signed by a recognized certificate authority. Alternatively, you may wish to keep a self-signed certificate but give it the correct Distinguished Name (DN). If you wish to do either of these things, here are the required steps.

Generate a private key

While inside the keys directory, run the following command:

Generate a Certificate Signing Request based on that key

Run the following command:

Answer all of the prompts accurately. Observe all of the rules followed by your certificate authority for the distinguished name (DN) of your certificate. For example, the Common Name (CN) must be equivalent to the fully qualified domain name of your server. If you live in the United States, you must also use the full name of the state that you live in, rather than its abbreviation.

Generate a self-signed certificate (if needed for temporary use)

Simply restarting the Citadel server at this point will automatically generate a self-signed certificate using your new key and CSR. Alternatively, you can do it explicitly with this command:
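The key, CSR and temporary self-signed certificate steps above, driven non-interactively and followed by a check of the DN rules the text names, as an added example (not from the Citadel documentation; openssl on PATH, the file names, the sample organisation and locality, and the FQDN are assumptions):

```shell
#!/bin/sh
# Added example, not from the Citadel docs. Assumes openssl is installed;
# file names, organisation, locality and the sample FQDN are placeholders.
set -eu

# Steps 1 and 2: RSA private key, then a CSR whose DN is supplied with
# -subj instead of answering the interactive prompts.
make_csr() {
    dir=$1 fqdn=$2 state=$3
    mkdir -p "$dir"
    openssl genrsa -out "$dir/citadel.key" 2048 2>/dev/null
    openssl req -new -key "$dir/citadel.key" -out "$dir/citadel.csr" \
        -subj "/C=US/ST=$state/L=Springfield/O=Example Org/CN=$fqdn" 2>/dev/null
}

# Step 3: temporary self-signed certificate from the same key and CSR,
# for use until the CA-signed certificate arrives.
make_selfsigned() {
    openssl x509 -req -days 365 -in "$1/citadel.csr" \
        -signkey "$1/citadel.key" -out "$1/citadel.cer" 2>/dev/null
}

# Pull one RDN value (e.g. CN or ST) out of the CSR subject, printed in
# RFC 2253 form so the layout is the same across OpenSSL versions.
csr_field() {
    openssl req -in "$1/citadel.csr" -noout -subject -nameopt RFC2253 \
        | sed -n "s/.*[=,]$2=\([^,]*\).*/\1/p"
}

# The checks the text asks for before the CSR goes to a CA: the CN must
# equal the server's FQDN, and the state must be spelled out, not abbreviated.
check_csr() {
    dir=$1 fqdn=$2
    cn=$(csr_field "$dir" CN)
    st=$(csr_field "$dir" ST)
    [ "$cn" = "$fqdn" ] || { echo "CN '$cn' does not match '$fqdn'" >&2; return 1; }
    [ "${#st}" -gt 2 ] || { echo "ST '$st' looks abbreviated" >&2; return 1; }
}

# End-to-end run: sh make-csr.sh mail.example.com "New York"
if [ $# -eq 2 ]; then
    make_csr ./keys "$1" "$2"
    make_selfsigned ./keys
    check_csr ./keys "$1" && echo "./keys/citadel.csr is ready to submit"
fi
```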

Install the signed certificate

Citadel making it easy for you

Citadel provides a non-interactive way to equip you with basic SSL certificates, so you can get SSL/HTTPS up and running without any fiddling with openssl's command-line tools, reading how-tos, and so forth.

Drawback under certain conditions

So your client (be it the web browser or the email client) complains about the server certificate like this:

This may happen if you run more than one Citadel installation with self-created certificates.

What happened?

Citadel's first-time setup is designed to ask you as few questions as possible. Some "questions" that are kept away from you are therefore answered with default values, such as the CN field of the self-created Certificate Authority (CA). Your client is of the opinion that one CA must not exist twice (which is correct) and barfs at you with the above error message.

So if you installed a "test" installation to find out about Citadel, and then did the installation that is to be "live", you'll be faced with that error.

If you don't want to replace the certificates with ones from a real CA, the easiest way to work around it is WebCit's feature to override the default values with yours: remove the defective certificates and set these environment variables:

and restart WebCit in that shell. You can use the created certificates for the Citadel server too.

Source: www.citadel.org
