Custom Certificate for Webconfig

If you would like to use a custom or purchased certificate instead of the default self-signed one included with ClearOS, you can do so using this guide. Doing so removes the certificate error that otherwise appears when accessing Webconfig.

Webconfig ships with default certificates because this form of encryption is free to add. Once you have a certificate key pair (and the appropriate chains) from a trusted Certificate Authority (CA), you can install them so that not only the website hosted on this server is trusted but the Webconfig interface is as well.

This guide applies to ClearOS 7 specifically but the tools are also useful for ClearOS 6.

Preparation

For your certificate to function properly, you will need to use DNS names instead of IP addresses when you modify Webconfig. This is because part of the process for secure websites is to match the name on the certificate with the name listed in the URL, and that name must be a DNS name. Before installing and configuring the certificate for Webconfig, make sure that you can reach your server's web interface using a valid hostname contained in the certificate, or you will get a name mismatch error.

Certificate Name Mismatch

Install the Certificate Material

In the current version of ClearOS, you can add certificates using the Certificate Manager. In this demonstration, I named them 'ClearOS' in my Webconfig interface.

Custom Certificate

Finding the Path

Once installed, these become available to your websites within ClearOS but, as of the time of this writing, not yet to Webconfig. Add the certificates in the Certificate Manager and they will appear in:

/etc/clearos/certificate_manager.d/

To see them, run the following:

ls /etc/clearos/certificate_manager.d/

Modifying the Files

You will need to modify two files and add the following to both (replacing 'ClearOS' with the name you gave your certificates):

Code

SSLCertificateFile /etc/clearos/certificate_manager.d/ClearOS.crt
SSLCertificateKeyFile /etc/clearos/certificate_manager.d/ClearOS.key
SSLCertificateChainFile /etc/clearos/certificate_manager.d/ClearOS.intermediate
SSLCACertificateFile /etc/clearos/certificate_manager.d/ClearOS.ca

/usr/clearos/sandbox/etc/httpd/conf.d/framework.conf

Remove the following lines in the '<VirtualHost _default_:81>' section:

SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt
SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key

Add the lines from the 'Code' section above instead.

Remove the following lines in the '<VirtualHost _default_:83>' section:

SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt
SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key

Add the lines from the 'Code' section above instead.

/usr/clearos/sandbox/etc/httpd/conf.d/ssl.conf

Remove or comment out the following lines and replace them with the lines from the 'Code' section above:

SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt
SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
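
Before restarting, it is worth confirming that no section was missed, since a VirtualHost left on the default paths will keep serving the self-signed certificate. The following check is an added example, not part of the original guide or of ClearOS; the function name check_webconfig_certs and the sample configuration are constructed for illustration, and it assumes the four directives and paths shown in the 'Code' section.

```shell
#!/bin/sh
# Usage: check_webconfig_certs FILE NAME
#   e.g. check_webconfig_certs /usr/clearos/sandbox/etc/httpd/conf.d/framework.conf ClearOS
# Prints one line per problem. Returns 0 only if every scope that sets an SSL
# certificate directive uses all four Certificate Manager paths for NAME.
check_webconfig_certs() {
    awk -v base="/etc/clearos/certificate_manager.d/$2" '
    BEGIN {
        want["SSLCertificateFile"]      = base ".crt"
        want["SSLCertificateKeyFile"]   = base ".key"
        want["SSLCertificateChainFile"] = base ".intermediate"
        want["SSLCACertificateFile"]    = base ".ca"
        scope = "global"
    }
    # Compare what the scope just closed actually set against the expected paths.
    function finish(   d) {
        if (used) {
            for (d in want) {
                if (got[d] != want[d]) {
                    printf "%s: %s is [%s], expected %s\n", scope, d, got[d], want[d]
                    bad = 1
                }
            }
        }
        used = 0
        split("", got)                      # portable way to empty an array
    }
    /^[ \t]*#/              { next }        # commented-out directives are inactive
    /^[ \t]*<VirtualHost/   { finish(); scope = $1 " " $2; next }
    /^[ \t]*<\/VirtualHost>/ { finish(); scope = "global"; next }
    $1 in want              { got[$1] = $2; used = 1 }
    END { finish(); exit bad }
    ' "$1"
}

# Constructed sample: port 81 already switched, port 83 still on the defaults.
sample_conf() {
    cat <<'EOF'
<VirtualHost _default_:81>
    SSLCertificateFile /etc/clearos/certificate_manager.d/ClearOS.crt
    SSLCertificateKeyFile /etc/clearos/certificate_manager.d/ClearOS.key
    SSLCertificateChainFile /etc/clearos/certificate_manager.d/ClearOS.intermediate
    SSLCACertificateFile /etc/clearos/certificate_manager.d/ClearOS.ca
</VirtualHost>
<VirtualHost _default_:83>
    SSLCertificateFile /usr/clearos/sandbox/etc/httpd/conf/server.crt
    SSLCertificateKeyFile /usr/clearos/sandbox/etc/httpd/conf/server.key
</VirtualHost>
EOF
}
```

On the constructed sample the check reports four problems for the port 83 section (two default paths still active, two directives missing) and none for port 81.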

Restarting Webconfig and Testing

content/en_us/kb_webconfig_certificate.txt · Last modified: 2016/12/06 22:16 by dloper