
How to install a certificate signed by a recognized Certificate Authority.

The Citadel system offers SSL/TLS encryption on every protocol it serves. When you initially install the system, a private key and self-signed certificate are automatically generated for you. However, you may wish to purchase a certificate signed by a recognized certificate authority. Alternatively, you may wish to have a certificate that is self-signed, but has the correct Distinguished Name (DN). If you wish to do either of these things, here are the required steps.

Erase, or set aside, the existing key

The keys/ directory contains three files: citadel.key, citadel.csr, and citadel.cer.

Delete these files, or move them to another directory.

Generate a private key

While inside the keys/ directory, run the following command:

openssl genrsa -out citadel.key 2048

Generate a Certificate Signing Request based on that key

Run the following command:

openssl req -new -key citadel.key -out citadel.csr

Answer all of the prompts accurately. Observe all of the rules your certificate authority applies to the distinguished name (DN) of your certificate. For example, the Common Name (CN) must match the fully qualified domain name of your server. If you live in the United States, you must also use the full name of your state rather than its abbreviation.

Now you can order your certificate. When your certificate authority asks for your certificate signing request, paste in the contents of citadel.csr.

Generate a self-signed certificate (if needed for temporary use)

Simply restarting the Citadel server at this point will automatically generate a self-signed certificate using your new key and CSR. Or, you can do it explicitly with this command:

openssl x509 -req -days 365 -in citadel.csr -signkey citadel.key -out citadel.cer

Install the signed certificate

When you receive your signed certificate from the certificate authority, simply delete the citadel.cer file containing your self-signed certificate, and save your signed certificate as citadel.cer in its place. Restart the Citadel server, and you are finished.

Using the key and certificate with WebCit

WebCit contains an identical cryptography subsystem, also with a keys directory of its own. The only difference is that the three files are called webcit.key, webcit.csr, and webcit.cer instead of citadel.key, citadel.csr, and citadel.cer. The good news is that you can copy or symlink those three files from the citadel/keys directory over to the webcit/keys directory, then restart WebCit, and your new certificate will be used for HTTPS connections as well.

Problems with Citadel's autogenerated certificates

Citadel makes it easy for you

Citadel provides a non-interactive way to equip you with basic SSL certificates, so you can get SSL/HTTPS up and running without any fiddling with OpenSSL's command line tools, reading how-to documents, and so forth.

Drawback under certain conditions

Your client software (web browser, email reader, etc.) complains about the server certificate with a message such as this one:

You have received an invalid certificate. 
Please contact the server administrator or 
email correspondent and give them the following information:

Your certificate contains the same serial number as another 
certificate issued by the certificate authority. 
Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

This may happen if you run more than one Citadel server with self-generated certificates.

What happened?

Citadel's first-time setup is designed to ask as few questions as possible, so it sets up a very generic self-signed certificate. If you are receiving error messages, your client software has recognized that this certificate is not quite authentic and generates the error message above.

So if, for example, you installed Citadel several times (such as in test and production), your client software will see the same serial number twice and produce an error.

If you are not ready to replace the test certificate with one from a real Certificate Authority, the easiest workaround is to generate a new certificate using the procedure shown above.
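The key, CSR and temporary self-signed certificate steps from the procedure above, and the duplicate-serial problem just described, as an added shell example that is not part of Citadel or this page. The -subj string (non-interactive answers to the openssl req prompts), the directory arguments, the example subject values and the -set_serial option are assumptions of this example, not commands from the page.

```shell
#!/bin/sh
# Added example, not Citadel's own tooling. Wraps the page's openssl steps in
# functions so a test or staging server can be given a fresh, unique certificate.
set -e

# Steps 1-4: set aside old files, then create key, CSR and a temporary
# self-signed certificate in KEYS_DIR for the server whose FQDN is CN.
make_citadel_cert() {
    keys_dir=$1
    cn=$2
    mkdir -p "$keys_dir"
    for f in citadel.key citadel.csr citadel.cer; do
        if [ -e "$keys_dir/$f" ]; then   # step 1: set aside rather than overwrite
            mv "$keys_dir/$f" "$keys_dir/$f.old"
        fi
    done
    openssl genrsa -out "$keys_dir/citadel.key" 2048 2>/dev/null
    # -subj replaces the interactive prompts (assumed values); CN must be the
    # server's FQDN and ST the full state name, as the CA rules require.
    openssl req -new -key "$keys_dir/citadel.key" -out "$keys_dir/citadel.csr" \
        -subj "/C=US/ST=New York/O=Example Citadel/CN=$cn"
    # A random 128-bit serial (assumed addition) keeps two installs from ever
    # sharing issuer+serial, the sec_error_reused_issuer_and_serial case above.
    openssl x509 -req -days 365 -in "$keys_dir/citadel.csr" \
        -signkey "$keys_dir/citadel.key" -set_serial "0x$(openssl rand -hex 16)" \
        -out "$keys_dir/citadel.cer" 2>/dev/null
}

# Check before restarting the server: the certificate must belong to the key.
cert_matches_key() {
    [ "$(openssl x509 -noout -pubkey -in "$1/citadel.cer")" = \
      "$(openssl pkey -pubout -in "$1/citadel.key")" ]
}

cert_serial()  { openssl x509 -noout -serial  -in "$1/citadel.cer" | sed 's/^serial=//'; }
cert_subject() { openssl x509 -noout -subject -in "$1/citadel.cer"; }

# WebCit step: the same three files under the webcit.* names.
install_for_webcit() {
    mkdir -p "$2"
    for ext in key csr cer; do
        cp "$1/citadel.$ext" "$2/webcit.$ext"
    done
}

# Usage: sh this_script.sh /path/to/citadel/keys mail.example.com
if [ "$#" -ge 2 ]; then
    make_citadel_cert "$1" "$2" && cert_matches_key "$1" && echo "serial $(cert_serial "$1")"
fi
```

Comparing cert_serial output from two servers is a quick way to confirm they no longer share a serial number.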
