Generating SSL certificates
From KnowledgeTree Document Management Made Simple
Instructions taken from forum post by SSchmitt - http://forum.ktdms.com/viewtopic.php?t=1512&start=0
This guide shows you how to generate SSL certificates to include with your KnowledgeTree installation. The SSL certificates must be included in the KnowledgeTree installation in order to utilise SSL with your installation.
Step 1:
First, you need to go to the command prompt. In Windows, from the "Start" menu, select "Run", type "cmd" and click "OK". This opens up a black window. Navigate to the apache2/bin directory. You do this by typing: "cd \Program Files\ktdms\apache2\bin"
On a LAMP stack install, the default location is /opt/ktdms/apache2/bin.
Once you are in that directory, type the commands shown in the steps below to generate the certificates.
On a LAMP stack, be sure to place a copy of openssl.cnf in the /opt/ktdms/apache2/bin directory:
cp /opt/ktdms/common/openssl/openssl.cnf /opt/ktdms/apache2/bin/openssl.cnf
I had to change some of the file names, as the KT server setup wouldn't accept them. These changes are reflected below:
openssl req -config openssl.cnf -new -out server.csr
This creates a certificate signing request and a private key. When asked for "Common Name (eg, your websites domain name)", give the exact domain name of your web server (e.g. www.my-server.dom). The certificate belongs to this server name and browsers complain if the name doesn't match.
Step 2:
openssl rsa -in privkey.pem -out server.key
This removes the passphrase from the private key. You MUST understand what this means: the key is now stored unencrypted, so server.key should be readable only by the Apache server and the administrator.
You should delete the .rnd file because it contains the entropy information for creating the key and could be used for cryptographic attacks against your private key.
Step 3:
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
This creates a self-signed certificate that you can use until you get a "real" one from a certificate authority. (This is optional; if you know your users, you can tell them to install the certificate into their browsers.) Note that this certificate expires after one year; increase the value in -days 365 if you want a longer lifetime.
Step 4:
If you have users with MS Internet Explorer 4.x and want them to be able to install the certificate into their certificate storage (by downloading and opening it), you need to create a DER-encoded version of the certificate:
openssl x509 -in server.crt -out server.der.crt -outform DER
Step 5:
Create the apache2/conf/ssl.crt and apache2/conf/ssl.key directories and move server.crt and server.key into them, respectively.
- Note: On a LAMP stack install, the ssl.crt and ssl.key sub-directories already exist and contain server.crt and server.key, respectively. Simply move your new files into these directories and overwrite the old ones.
Step 6:
On a LAMP stack install, you must make sure that mod_ssl is loaded for Apache2. This is configured in /opt/ktdms/apache2/conf/httpd.conf. Look for the line "#LoadModule ssl_module modules/mod_ssl.so" and delete the #. Be sure to save the file.
One additional check for a LAMP stack install: if you use a VirtualHost on your server, you need to configure /opt/ktdms/apache2/conf/ssl.conf. Look for the "<VirtualHost _default_:443>" heading. Just below that are "ServerName" and "ServerAdmin". Change these as appropriate for your virtual host name. Don't forget the ":443" after the domain name.
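The following script is an added example, not part of the original guide or forum post. It checks the points the steps above depend on: that server.crt was issued for server.key, that the passphrase-free key is not accessible to group or others, that the Common Name matches the server name, and that the certificate is not about to expire. It assumes a POSIX shell (LAMP stack install) and OpenSSL 1.0.2 or later for -checkhost; the function names are hypothetical, and the demo pair at the end is constructed throwaway data.

```shell
# Added example: checks for the server.key / server.crt pair (hypothetical function names).

# True when the certificate carries this key's RSA modulus. The empty -passin
# makes a still-encrypted key fail instead of prompting (see Step 2).
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin pass: -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True when group and others have no permission bits on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True when the certificate matches the name clients connect to.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# usage: check_pair KEY CERT HOSTNAME MIN_DAYS; returns non-zero if any check fails.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: certificate is not for this key"; rc=1; }
    key_is_private "$1" || { echo "FAIL: key is accessible to group/others"; rc=1; }
    cert_matches_host "$2" "$3" || { echo "FAIL: certificate not issued for $3"; rc=1; }
    cert_valid_for_days "$2" "$4" || { echo "FAIL: expires within $4 days"; rc=1; }
    return "$rc"
}

# Constructed demo input: a throwaway key and self-signed certificate made in one
# step (-nodes writes the key without a passphrase, standing in for Step 2).
make_demo_pair() {  # usage: make_demo_pair DIR HOSTNAME
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
        chmod 600 "$1/server.key"
}

demo_dir=$(mktemp -d)
make_demo_pair "$demo_dir" www.my-server.dom &&
    check_pair "$demo_dir/server.key" "$demo_dir/server.crt" www.my-server.dom 30 &&
    echo "OK: all checks passed"
rm -rf "$demo_dir"
```

On a real install, call check_pair with the server.key and server.crt paths from Step 5 and the ServerName you configured in ssl.conf.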