SSL certificates are the de-facto standard for encrypting information sent over a network and can also be used to provide authentication. They add an extra layer of security and are used by OpenVPN, Webconfig and other apps.
The Certificate Manager gives an administrator the ability to create a Certificate Authority (CA), which can then be installed as a trusted CA on any operating system or web browser to secure communications between two computers. Creating your own CA and using it to sign certificates is termed self-signing.
Self-signing of certificates is as secure as purchasing signed SSL certificates from a Trusted CA like Thawte or Verisign, where prices range from $50-300 per year. Self-signing is extremely convenient (and cost-effective!) if you are providing access to known users (for example, employees, clients, vendors etc.). It is less convenient than a Trusted CA when dealing with unknown users, such as website visitors using a browser to access your online store over HTTPS (HTTP over SSL), since their browser will prompt them to trust the certificate presented to them.
If your system does not have this app available, you can install it via the Marketplace.
During the ClearOS installation wizard, the system automatically generates default certificates for use on your system. If you would prefer to generate your own certificates, you can delete the defaults through the web-based interface. We only recommend doing this on a new installation! If end users are already using their certificates (for OpenVPN, for example), then resetting the Certificate Authority will require resetting all the end-user certificates as well.
Creating a Certificate Authority and Default Certificate
A Certificate Authority (or CA) is a trusted entity which issues digital certificates for use in cryptography and/or authentication. The Certificate Manager app allows you to create your own CA, which you can then use to sign and validate certificates. You can have users download and import this CA to validate the certificates presented to them. A common and cost-effective use of a self-signed certificate is the SSL certificate that encrypts communications with the Webconfig user interface.
A brief description of each field and its suggested default is provided in the following sections.
Key Size
This is the RSA key length. 1024 bits is a good compromise between security and speed; anything below 1024 bits can theoretically be cracked by brute-force techniques. Note that this is the RSA key size only: it does not affect, for example, the encryption strength of a web browsing session (typically 128-bit, but possibly 40-bit or 256-bit), which is dictated by the capabilities and settings of both the client web browser and the server.
Internet Hostname
The Internet Hostname (sometimes referred to as the “Common Name”) should be the hostname used to access your system from the Internet. If you are running the system as a standalone server on your local network, your Internet Hostname (e.g. myserver.example.com) may differ from the internal hostname used by ClearOS (e.g. myserver.lan).
Organization
Typically the company or person responsible for the CA, for example ClearCenter.
Organization Unit
In larger organizations, the organization unit might be a department within the company, such as IT Department.
City
The organization's city, for example Toronto.
State, Province or Region
The organization's state or province, for example Ontario or ON. Leave blank if this does not apply.
Country
The organization's country, for example Canada.
User Certificates - PKCS12
The Personal Information Exchange Syntax Standard (PKCS12) file is an industry-standard format for storing or transporting a user's private keys, certificates and other secret information. The PKCS12 file format is used by several apps in ClearOS, notably OpenVPN, Webconfig and Zarafa Mail.
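The CA fields described above and the PKCS12 user bundle described here, carried out with the openssl command line as an added example (this is not ClearOS's or the Certificate Manager's own code; the directory names, the 2048-bit key size, the username and the subject values are constructed samples):

```shell
#!/bin/sh
# Added example (not ClearOS code): the steps the Certificate Manager form performs,
# done with the openssl CLI. Subject fields mirror the form: Country, State/Province,
# City, Organization, Organization Unit and Internet Hostname (CN).
set -eu

# Create the self-signed CA: private key plus a CA certificate valid for 10 years.
# $1 = output dir, $2 = RSA key size in bits, $3 = subject in /C=../CN=.. form
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey "rsa:$2" -nodes -sha256 -days 3650 -subj "$3" \
    -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

# Issue a server certificate for the Internet Hostname, signed by the CA.
# Browsers match the hostname against subjectAltName, so it is set as well.
# $1 = dir, $2 = hostname, $3 = key bits
issue_server_cert() {
  openssl req -new -newkey "rsa:$3" -nodes -subj "/CN=$2" \
    -keyout "$1/server-key.pem" -out "$1/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$2" > "$1/server.ext"
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -days 825 -sha256 -extfile "$1/server.ext" \
    -out "$1/server-cert.pem" 2>/dev/null
}

# Issue a user certificate and bundle key, certificate and CA into a password-protected
# PKCS12 file, the format OpenVPN and Webconfig consume.
# $1 = dir, $2 = username, $3 = PKCS12 export password, $4 = key bits
issue_user_p12() {
  openssl req -new -newkey "rsa:$4" -nodes -subj "/CN=$2" \
    -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -days 365 -sha256 -out "$1/$2-cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/$2-key.pem" -in "$1/$2-cert.pem" \
    -certfile "$1/ca-cert.pem" -passout "pass:$3" -out "$1/$2.p12"
}

# Succeeds only if $2 chains to the CA in $1: the check a client that imported the CA makes.
verify_against_ca() {
  openssl verify -CAfile "$1/ca-cert.pem" "$2" >/dev/null 2>&1
}

# Sample run with constructed values (2048-bit keys chosen for the sample).
DIR=$(mktemp -d)
make_ca "$DIR" 2048 '/C=CA/ST=Ontario/L=Toronto/O=ClearCenter/OU=IT Department/CN=myserver.example.com'
issue_server_cert "$DIR" myserver.example.com 2048
issue_user_p12 "$DIR" alice 'constructed-password' 2048
verify_against_ca "$DIR" "$DIR/server-cert.pem" && echo "server cert chains to CA in $DIR"
```

A client that has imported ca-cert.pem accepts server-cert.pem and alice.p12; a certificate signed by any other CA fails the same verify call, which is what makes the private CA the trust boundary.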
Creating User Certificates
End users are responsible for creating their own certificates. An end user needs to log in to Webconfig with their own username and password, then browse to My Accounts|Accounts|User Certificates in the menu. The first time the end user visits the page, they are given the opportunity to enter a password and generate certificates. Once the certificates have been generated, the end user can download and install them.
More information is available on the User Certificates page in the User Guide.