Update Default Certificates to ClearOS Certificate Authority
By default, ClearOS uses a simple certificate for the default web server and for the Webconfig interface. This is a non-complex certificate that is designed for compatibility with older machines. It is self-signed, which means that getting your browser to show you the secure page without a notice that the certificate has errors is a post-install process. This guide should be considered a post-install best practices guide and should be followed after each install in order to tighten your server's default configuration.
This process cannot be automated because some of the required steps involve 3rd party and offsite systems. This howto will cover those steps.
Getting the DNS in order
In order for a certificate to work properly, we need to scope out and set up the DNS name that we will be using on our certificate. This is an important step because, both when we craft the certificate and when we use the browser, part of the browser's validation is to match the name in the address bar against the domain used on the certificate. This means that even when we have completed the process, if you use the IP address for the server instead of the DNS name, you are STILL going to get a certificate error. For example, ping google from your command line:
DAVIDs-MBP-5:~ dloper$ ping -c 1 google.com
PING google.com (220.127.116.11): 56 data bytes
64 bytes from 18.104.22.168: icmp_seq=0 ttl=58 time=4.045 ms
--- google.com ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 4.045/4.045/4.045/0.000 ms
Then take whatever number you get and put it after 'https:'. I got 22.214.171.124 so I would go to 126.96.36.199
So even though Google has all their ducks in a row, I simply cannot use an IP address with a secure site and not have my browser complain. Nobody can.
This is why selecting the DNS name you will use with the box for purposes of management is vital. This is also why the self-signed certificate will not typically work for you since its common name is 'gateway.clearos.com' or something similar. We are going to change all that here. Moreover, it wasn't signed with a certificate authority that can be made to be trusted so even if you did specify a matching name, it would still give you problems.
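The name check described above, sketched as an added example (not ClearOS or browser code). It assumes the certificate carries only DNS names, as the ones in this guide do; 'server.example.com' and 192.0.2.10 are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

def is_ip_literal(host):
    """True if the requested host is an IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))  # browsers write IPv6 as [::1]
        return True
    except ValueError:
        return False

def dns_name_matches(cert_name, host):
    """Compare one DNS name from the certificate with the requested host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # A wildcard covers exactly one left-most label, never a bare domain.
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def explain(host, cert_dns_names):
    """Return 'ok', 'ip-literal' or 'name-mismatch' for a requested host."""
    if is_ip_literal(host):
        # An address is never compared against DNS names on the certificate.
        return "ip-literal"
    if any(dns_name_matches(name, host) for name in cert_dns_names):
        return "ok"
    return "name-mismatch"

if __name__ == "__main__":
    default_cert = ["gateway.clearos.com"]   # default common name per this guide
    new_cert = ["server.example.com"]        # constructed management hostname
    for host in ("192.0.2.10", "server.example.com"):
        for label, names in (("default", default_cert), ("new", new_cert)):
            print(f"https://{host}/ with {label} certificate: {explain(host, names)}")
```

Only the combination of the chosen hostname and a certificate issued for that hostname comes back as 'ok'; a real browser additionally requires the signing authority to be trusted.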
The hostname that you use with ClearOS needs to be able to resolve both when you are inside your network and when you are outside it. If ClearOS is your gateway, you will likely resolve the outside address to the public IP of ClearOS. If, however, your ClearOS server is behind another firewall, you will need to make sure that you employ some internal DNS resolution that will override the name resolution on the inside of the network so that the outside address is not supplied. If you are using ClearOS as a DNS cache for all your internal DNS resolution, you can simply add the hostname and the IP address to the DNS Server.