SSL certificates are the de-facto standard for encrypting information sent over a network and can also be used to provide authentication. They are an extra layer of security used by OpenVPN, Webconfig and other apps.
The Certificate Manager is a dual-purpose app:
For the System Administrator, to administer system certificates: both generating self-signed certificates and requesting, then importing, commercially signed certificates.
For the User, to administer their user certificates for use in OpenVPN.
The Certificate Manager provides an administrator with the ability to create a Certificate Authority (CA), which can then be installed as a trusted CA on any operating system or web browser to secure communications between two computers. Creating your own CA and using it to sign certificates is termed self-signing.
Self-signing of certificates is as secure as purchasing signed SSL certificates from a Trusted CA like Thawte or Verisign, where prices range from $50-300 per year. Self-signing is extremely convenient (and cost-effective!) if you are providing access to known users (for example, employees, clients, vendors etc.). It is less convenient than a Trusted CA when dealing with unknown users, such as website visitors using a browser to access your online store over HTTPS (HTTP over SSL), since the user will be prompted by their browser to trust the certificate that is presented to them.
The Certificate Manager also supports importing certificates from a Trusted CA like Thawte or Verisign, or from a self-signed CA, and the creation of a Key and CSR (Certificate Signing Request), which is needed to purchase a signed SSL certificate from a Trusted CA.
If your system does not have this app available, you can install it via the Marketplace.
Once installed, you can find this feature in the menu system at the following location:
During the ClearOS installation wizard, the system automatically generates default certificates to use on your system. If you would prefer generating your own certificates, you can delete the defaults through the web-based interface. We only recommend doing this on a new installation! If end-users are already using their certificates (for OpenVPN for example), then resetting the Certificate Authority will require resetting all the end-user certificates as well.
Creating a Certificate Authority and Default Certificate
A Certificate Authority (or CA) is a trusted entity which issues digital certificates for use in cryptography and/or authentication. The Certificate Manager app allows you to create your own CA, which can then be used to sign and validate certificates. You can have users download and import this CA to validate certificates presented to them. A common and cost-effective use of a self-signed certificate is the SSL certificate that encrypts communications in the Webconfig User Interface.
A brief description and suggested defaults are provided in the following sections.
This is the RSA key length. The key length is a compromise between security and speed. Anything below 1024 bits can theoretically be cracked by brute-force techniques, and 1024 bits is now at risk. Note that this is the RSA key size and will not impact, for example, the encryption strength of a web browsing session (typically 128-bit, but could be 40-bit or 256-bit), which is dictated by the capabilities/settings of both the client web browser and the server.
In 2015 NIST changed their guidance to disallow key lengths less than 2048 bits. (reference)
The Internet Hostname (sometimes referred to as “Common Name”) should be the hostname that is used to access your system from the Internet. If you are running the system as a standalone server on your local network, your Internet Hostname (e.g. myserver.example.com) may differ from the internal hostname used by ClearOS (e.g. myserver.lan). To avoid a browser warning, the Internet Hostname should be the same as the FQDN you use to access your server.
Typically the company name or person responsible for the CA. Example - ClearCenter.
In larger organizations, the organization unit might be a department within the company, such as IT Department.
The organization's city - for example, Toronto.
State, Province or Region
The organization's state or province - for example, Ontario or ON. Leave blank if this does not apply.
The organization's country - for example, Canada.
From this section you can view your current certificates, import new ones and create a Key/CSR pair.
Click on the button dropdown and select Import.
This is the nickname of how you would like the certificate to be known in the Webconfig. You are restricted to alphanumeric characters and “-” or “_”. You can also have a “.” anywhere in the middle of the name, but due to what appears to be a bug you can only have one character after each “.” so you can't yet use a FQDN.
Select your certificate file here.
This file can be a combined Certificate file and Intermediate file or even a combined Certificate, Intermediate and CA file. If you want to use your certificate for e-mail programs, please combine them in any text editor, putting the Certificate above the Intermediate Certificate (and then the CA if it is a self-signed CA). For the Web Server or Webconfig you do not need to combine the files.
Select your key file here. Note that the key file must not be password protected or the import will fail.
It is sometimes also called a Chain file. This is generally needed for external certificates but is not needed if you have uploaded a combined Certificate and Intermediate file.
Certificate Authority File
This is only needed if the CA signing the certificates is Self-Signed rather than publicly trusted. If you need this file, you will probably not need an Intermediate file.
Creating CSR/Key Pair
This is for creating a CSR (Certificate Signing Request) to send to a CA for signing, together with a matching key.
Click on the button dropdown and select Create CSR/Key Pair.
Fill in the fields on the next screen.
This will take its defaults from when you created your own CA.
The Common Name is the same as the Internet Hostname mentioned above.
Once you have created your CSR and Key you will see it listed in the External Certificates section. Click on the button and download the Certificate Signing Request and send it to your chosen CA for signing. You do not need to send them your key. This is private and should be kept secret.
When you get your signed certificate and intermediate certificate back from your CA, click on the button beside the CSR to import them back into ClearOS. This is similar to the earlier Import screen but without the option of importing the Key (which you already have) or a Self-Signed CA. The same comment applies about combining the files if you want to use the certificate in e-mail programs.
User Certificates - PKCS12
The Personal Information Exchange Syntax Standard (or PKCS12) file is an industry-standard format for storing or transporting a user's private keys, certificates or other secret information. The PKCS12 file format can be used by some of the apps in ClearOS, notably OpenVPN and Zarafa Mail.
Creating User Certificates
The end user is responsible for creating their own certificates. The end user will need to login to Webconfig using their own username and password. They can then browse to My Accounts|Accounts|User Certificates in the menu. The first time the end user visits the page, they will be presented with an opportunity to enter a password to generate certificates. Once the certificates have been generated, the end user can download and install the certificates.
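What the User Certificates page hands the end user, built by hand with openssl so its contents can be inspected. This is an added example, not the app's own code: the user name, the password and the directory are constructed, and the user certificate is self-signed here only so the example runs stand-alone (the app signs user certificates with the system CA). It shows that the password the user enters is what protects the bundle, and how to confirm that the bundle opens, names the right user and carries a key that belongs to its certificate.

```shell
#!/bin/sh
# Added example, not ClearOS code: build and inspect a PKCS12 user bundle with openssl.
# User name, password and paths are constructed; the certificate is self-signed here
# only to keep the example self-contained.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, nothing to do" >&2; exit 0; }
W="${W:-$(mktemp -d)}"   # scratch directory; override with W=/some/path

# make_user_bundle USERNAME PASSWORD -> $W/USERNAME.p12 holding the user's key and
# certificate, protected by PASSWORD (the password the user types on the page).
make_user_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=$1" \
        -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$W/$1.key" -in "$W/$1.crt" -name "$1" \
        -passout "pass:$2" -out "$W/$1.p12"
    # The loose PEM key is no longer needed once it is inside the bundle.
    rm -f "$W/$1.key"
}

# bundle_opens FILE PASSWORD -> true when PASSWORD decrypts the bundle (MAC check passes)
bundle_opens() { openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1; }

# bundle_cn FILE PASSWORD -> CN of the user certificate inside the bundle
bundle_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -subject | sed 's/.*CN *= *//; s/[,/].*//'
}

# bundle_key_matches_cert FILE PASSWORD -> true when the key inside belongs to the certificate inside
bundle_key_matches_cert() {
    c=$(openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null | openssl x509 -noout -pubkey 2>/dev/null)
    k=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Build a bundle for a constructed user and report what it holds.
make_user_bundle alice constructed-passphrase
echo "bundle $W/alice.p12 holds a certificate for: $(bundle_cn "$W/alice.p12" constructed-passphrase)"
bundle_opens "$W/alice.p12" wrong-password || echo "a wrong password does not open the bundle"
```

Because the bundle contains the private key, it is only as private as the password chosen on the page; `bundle_opens` with a wrong password fails the MAC check before anything is extracted.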