How to install a certificate signed by a recognized Certificate Authority.
The Citadel system offers SSL/TLS encryption on every protocol it serves. When you initially install the system, a private key and self-signed certificate are automatically generated for you. However, you may wish to purchase a certificate signed by a recognized certificate authority. Alternatively, you may wish to have a certificate that is self-signed, but has the correct Distinguished Name (DN). If you wish to do either of these things, here are the required steps.
Erase, or set aside, the existing key
The keys directory contains three files:
| File | Content |
|---|---|
| citadel.key | the private key |
| citadel.csr | the certificate signing request |
| citadel.cer | the signed or self-signed certificate |
Delete these files, or move them to another directory.
Generate a private key
While inside the keys directory, run the following command:
openssl genrsa -out citadel.key 1024
Note that public certificate authorities no longer accept 1024-bit RSA keys; use at least 2048 bits, as the GoDaddy recipe further down this page does.
Generate a Certificate Signing Request based on that key
Run the following command:
openssl req -new -key citadel.key -out citadel.csr
Answer all of the prompts accurately. Observe all of the rules your certificate authority imposes on the distinguished name (DN) of your certificate. For example, the Common Name (CN) must match the fully qualified domain name of your server. If you live in the United States, you must also use the full name of your state rather than its abbreviation.
Now you can order your certificate. When your certificate authority requests your certificate signing request, you simply paste in the contents of citadel.csr to send it to them.
Generate a self-signed certificate (if needed for temporary use)
Simply restarting the Citadel server at this point will automatically generate a self-signed certificate using your new key and CSR. Or, you can do it explicitly with this command:
openssl x509 -req -days 365 -in citadel.csr -signkey citadel.key -out citadel.cer
Install the signed certificate
When you receive your signed certificate from the certificate authority, simply delete the citadel.cer file containing your self-signed certificate, and save your signed certificate as citadel.cer in its place. Restart the Citadel server, and you are finished.
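The steps above, carried out non-interactively as a small POSIX shell script, followed by the sanity checks worth running before the files go into the keys directory: that the CSR verifies, that the certificate's public key really belongs to citadel.key, and that the CN is the intended FQDN. This is an added example and not part of the Citadel documentation or code; it assumes openssl is on the PATH, and the DN values and the hostname mail.example.com are constructed placeholders. It also gives each self-signed certificate an explicit random serial number, which avoids the reused-serial client error discussed further down this page when more than one Citadel installation carries a self-signed certificate.

```shell
#!/bin/sh
# Added example (not from the Citadel docs): key -> CSR -> self-signed cert,
# plus the checks a practitioner runs before copying files into citadel/keys.
# Assumptions: openssl on PATH; DN values and mail.example.com are placeholders.

# make_citadel_files DIR FQDN -> writes citadel.key / .csr / .cer into DIR
make_citadel_files() {
    dir=$1; fqdn=$2
    mkdir -p "$dir"
    # 2048-bit key: public CAs reject 1024-bit RSA keys.
    openssl genrsa -out "$dir/citadel.key" 2048 2>/dev/null || return 1
    # CSR with the full DN given via -subj instead of the interactive prompts;
    # note the spelled-out state name and the FQDN in CN, as the text requires.
    openssl req -new -key "$dir/citadel.key" -out "$dir/citadel.csr" \
        -subj "/C=US/ST=New York/L=New York/O=Example Org/OU=Citadel Server/CN=$fqdn" \
        || return 1
    # Temporary self-signed certificate with an explicit random 128-bit serial,
    # so two installations never share the same issuer + serial pair.
    openssl x509 -req -days 365 -in "$dir/citadel.csr" -signkey "$dir/citadel.key" \
        -set_serial "0x$(openssl rand -hex 16)" -out "$dir/citadel.cer" 2>/dev/null \
        || return 1
}

# csr_is_valid DIR -> 0 if the CSR's self-signature verifies under its own key
csr_is_valid() {
    openssl req -in "$1/citadel.csr" -noout -verify >/dev/null 2>&1
}

# cert_matches_key DIR -> 0 if the public key inside citadel.cer is the one
# derived from citadel.key (catches the "wrong file renamed to .cer" mistake)
cert_matches_key() {
    k=$(openssl pkey -in "$1/citadel.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/citadel.cer" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn DIR -> prints the CN of citadel.cer
cert_cn() {
    openssl x509 -in "$1/citadel.cer" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# cert_serial DIR -> prints the serial number of citadel.cer (hex)
cert_serial() {
    openssl x509 -in "$1/citadel.cer" -noout -serial | sed 's/^serial=//'
}

# Usage: run the procedure twice, as a "test" and a "live" install would,
# then confirm the checks pass and the two certificates have distinct serials.
if [ "${1:-}" = "demo" ]; then
    make_citadel_files /tmp/cit-test mail.example.com
    make_citadel_files /tmp/cit-live mail.example.com
    csr_is_valid /tmp/cit-live && cert_matches_key /tmp/cit-live \
        && echo "CN: $(cert_cn /tmp/cit-live)" \
        && [ "$(cert_serial /tmp/cit-test)" != "$(cert_serial /tmp/cit-live)" ] \
        && echo "serials differ: OK"
fi
```

Run it as `sh script.sh demo`. When the CA-signed certificate arrives, the same cert_matches_key check tells you immediately whether the file you saved as citadel.cer was issued for your key or is, for instance, the CA's chain file renamed by mistake.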
Using the key and certificate with WebCit
WebCit contains an identical cryptography subsystem, also with a keys directory of its own. The only difference is that the three files are called webcit.key, webcit.csr, and webcit.cer instead of citadel.key, citadel.csr, and citadel.cer. The good news is that you can copy or symlink those three files from the citadel/keys directory over to the webcit/keys directory, then restart WebCit, and your new certificate will be used for HTTPS connections as well.
Problems with Citadel's autogenerated certificates
Citadel making it easy for you
Citadel provides a non-interactive way to equip you with basic SSL certificates, so you can get SSL/HTTPS up and running without any fiddling with OpenSSL's command-line tools, reading how-tos, and so forth.
Drawback under certain conditions
So your client (be it the web browser or the email client) complains about the server certificate like this:
You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
This may happen if you run more than one Citadel with self-created certificates.
What happened?
Citadel's first-time setup is designed to ask you as few questions as possible. Some questions are therefore never put to you and are answered with default values, such as the CN field of the self-created Certificate Authority (CA). Your client takes the position that one CA must not exist twice (which is correct) and rejects the connection with the above error message.
So if you installed a “test” installation to find out about Citadel, and then did the installation that is to be “live”, you will be faced with that error.
If you don't want to replace the certificates with ones from a real CA, the easiest workaround is WebCit's feature to override these values with your own: remove the defective certificates, and set these environment variables:
export O="Your Organization name"
export OU="Your Citadel Server"
export CN="*"
and restart WebCit in that shell. You can use the created certificates for the Citadel server (citserver) too.
GoDaddy Certificates
By the users joy & blasto333
- openssl genrsa -out citadel.key 2048
- openssl req -new -key citadel.key -out citadel.csr
- In GoDaddy, provide citadel.csr to generate the SSL certificate (extension crt)
- GoDaddy will send you a zip containing 2 files; extract the files
- One of the files is named “yourdomain” and it comes in crt format … rename the file to citadel.cer
- The other file is a GoDaddy chain in crt format… just rename the extension of this one to cer
- copy the 2 files to citserver's key directory
- copy all the files in citserver's key directory to WebCit's key directory