
Product Talk

Ivan Chalif Senior Product Manager


Creating Self-Signed Certificates in StrongMail

For most of our customers, email is a mission-critical component of their business. Along with that status comes the need for security. StrongMail is designed with security in mind, utilizing the HTTPS protocol for accessing the system.

However, utilizing HTTPS requires that users install third-party SSL certificates from a Certificate Authority (CA) to validate the secure installation. The use of HTTPS and SSL certificates enables the system to negotiate a stateful connection. This process ensures that the originating system is who it says it is and creates a secure connection between the server and the user's browser.

SSL certificates are not free, and if an organization feels that its StrongMail system has been implemented with sufficient security through architecture and procedures, it may opt not to purchase an SSL certificate from a CA.

In this case, users will be presented with warnings (see example below) from their browser that the certificate is either missing or does not match the system that they are attempting to connect to. Most users find these SSL warnings to be a nuisance. There is also the possibility that some users may be confused by the warnings, which can generate unnecessary Help Desk calls.

[Image: SSL_warning2.gif, example browser certificate warning]

There is no harm in using the default certificates, but many users complain about them. Additionally, some browsers make it difficult to navigate to a site with a questionable certificate. Your IT team may want to replace the default certificate with their own, to provide a more comfortable security experience to their users.

The following procedures should be used for creating and installing a self-signed certificate for the StrongMail UI, and importing that certificate into Internet Explorer 7 to eliminate the certificate errors.

1.) Log in to your StrongMail Server as root and change directory to /tmp:

$ cd /tmp

======= Generating the SSL Certificate =======

2.) Create a private key:


$ openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
....++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:


Create a Certificate Signing Request (CSR). You will be prompted to input information for key generation. The Common Name you use must match the hostname you use to connect to the StrongMail UI.


******
This example uses generic information; replace it with your own site-specific details.
******


$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:State
Locality Name (eg, city) [Newbury]:City
Organization Name (eg, company) [My Company Ltd]:Business Inc.
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server's hostname) []:hostname.domain.com
Email Address []:userid@domain.com

Please enter the following 'extra' attributes to be sent with your certificate request
A challenge password []:
An optional company name []:


******
NOTE: This is an example from one of the StrongMail, Inc. test systems.
******


$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Redwood Shores
Organization Name (eg, company) [My Company Ltd]:StrongMail Systems Inc.
Organizational Unit Name (eg, section) []:Support
Common Name (eg, your name or your server's hostname) []:sup5.strongmailsystems.com
Email Address []:support@strongmailsystems.com


3.) Make a copy of your private key before you remove the pass phrase:


$ cp server.key server.key.org


4.) Remove the pass phrase from the private key:


$ openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key


5.) Generate the self-signed certificate:



$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=US/ST=State/L=City/O=Business Inc./OU=Support/CN=hostname.domain.com/emailAddress=userid@domain.com
Getting Private key
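Before the files are copied into place in step 7, it is worth confirming that server.crt really belongs to server.key and carries the hostname users will type. The script below is an added example, not part of the original post or of StrongMail: it repeats steps 2-5 without prompts and then runs those checks. Its function names, the 2048-bit key, SHA-256 and the private mktemp directory (in place of the post's 1024-bit key and /tmp) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not StrongMail code. Function names are hypothetical.

# Steps 2-5 without prompts: key, CSR, self-signed certificate.
# The key is written unencrypted, which is where steps 3-4 end up.
make_selfsigned() (            # usage: make_selfsigned <dir> <common-name>
    umask 077                  # new files readable by the owner only
    cd "$1" || exit 1
    openssl genrsa -out server.key 2048 2>/dev/null &&
    openssl req -new -key server.key -subj "/CN=$2" -out server.csr &&
    openssl x509 -req -days 365 -sha256 -in server.csr \
        -signkey server.key -out server.crt 2>/dev/null
)

# The certificate must carry the public key derived from the private key.
key_matches_cert() {           # usage: key_matches_cert <key> <crt>
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the subject Common Name of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Run before step 7. Prints "ok", or the reason with a non-zero status.
preinstall_check() {           # usage: preinstall_check <key> <crt> <host>
    key_matches_cert "$1" "$2" ||
        { echo "key does not match certificate"; return 1; }
    [ "$(cert_cn "$2")" = "$3" ] || { echo "CN is not $3"; return 2; }
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired"; return 3; }
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ] ||
        { echo "key is accessible to group or other"; return 4; }
    echo ok
}

work=$(mktemp -d)              # private 0700 directory instead of /tmp
make_selfsigned "$work" hostname.domain.com   # placeholder host from the post
preinstall_check "$work/server.key" "$work/server.crt" hostname.domain.com
```

The same preinstall_check call can be pointed at /tmp/server.key and /tmp/server.crt produced by the manual steps, with the hostname used to reach the StrongMail UI as the third argument.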


======= Installing the Self-Signed Certificate into StrongMail =======


6.) Backup the original private key and certificate:


$ cd /data1/strongmail/thirdparty/httpd/conf/ssl/
$ cp server.key server.key.old
$ cp server.crt server.crt.old


7.) Replace the private key and certificate with the files recently created:


$ cp /tmp/server.crt .
cp: overwrite `./server.crt'? y
$ cp /tmp/server.key .
cp: overwrite `./server.key'? y


8.) Restart the StrongMail UI:


$ cd /data1/strongmail/strongmail-ui
$ ./sm-ui stop
$ ./sm-ui start


======= Installing the Certificate into Internet Explorer =======


9.) Launch Internet Explorer


10.) Browse to the StrongMail UI in Internet Explorer 7


11.) Select 'Continue to this website' when you receive the Certificate error. You should see a red Certificate Error to the right of the address bar. Click the Certificate error and select 'View certificates.'


12.) Click 'Install certificate,' then click 'Next' on the Welcome window of the Certificate Import Wizard.


13.) Click 'Next' on Certificate Store, leaving the radio button on 'Automatically select...'


14.) Click 'Finish.' You may receive a pop-up asking you to confirm that you wish to import the certificate; if so, click 'Yes.'


15.) Click 'OK' on the completion notification and on the Certificate window.


16.) Restart IE, browse to the StrongMail UI, and you should no longer receive the Certificate error. 

Posted by: Ivan Chalif at 9:09 AM
Categories: Application , FAQ , Platform

Welcome to Product Talk

Greetings, fellow travelers. You may not know it, but you have embarked on a journey—one that will teach you the inner workings of each of StrongMail's products. Within the pages of this blog, you will learn about the big features and the tiny configuration tweaks. You'll hear how other customers are using StrongMail products to solve common and unique business challenges. Plus, you'll have the opportunity to join the dialog. Join me as we make the journey together.

Not sure if you trust the tour guide? I don't blame you. Let me tell you a bit about myself—

  • Senior Product Manager at StrongMail Systems
  • 8 years in the email marketing industry
  • 11 years in technology marketing
  • Founding member of the Silicon Valley Product Management Association (SVPMA.org)
  • Aquarius

If that's not enough, I also have StrongMail's world-class Support, Engineering and Professional Services teams to back me up.

I've already got a laundry list of great topics to tell you about, but if there is something specific you would like me to address, feel free to send me a note at ichalif @ strongmail dot com.

Let's get started!

Posted by: Ivan Chalif at 9:42 AM
Categories: FAQ