
Table of Contents

1 Domain SSL Certificates
1.1 Types of SSL Certificates
1.2 Free LetsEncrypt Certificates
1.2.1 Manual Certificate Method
1.2.2 Automatic Certificate Method
1.3 Alternative Free SSL Certificates
1.4 Commercial SSL Certificates

List of Figures

Figure 1: Domain Certificates Administration
Figure 2: Domain Certificate Entry

1 Domain SSL Certificates

Domain SSL certificates are used for site identity and encryption, so site visitors and service users can be certain the site is genuine and communications are secure.

Certificates must be created for www.yourdomain and yourdomain (both in the same certificate file). This handles the case where your website is addressed as either www.yourdomain or yourdomain. In general, the domain names in a certificate must exactly match the host name in the URL used to address the site. Otherwise, clients will consider your site insecure and either refuse to connect or ask for a security exception.
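The name-matching rule above is what every browser applies when it opens a connection: the host name in the URL must be covered by one of the certificate's subjectAltName entries, and the certificate must not have expired. The following Python script is an added example (not SecureOffice code) that performs both checks using only the standard library. The certificate dictionary is constructed to look like the output of `ssl.SSLSocket.getpeercert()` and is not a real certificate; the 30-day renewal window and the function names are assumptions. The expiry part is the same decision an automatic renewal job has to make each day, so it also illustrates the "Auto Update" behaviour described later in this document.

```python
"""Check that a site certificate covers both the apex and www names and
report whether renewal is due. Added example; standard library only."""
import ssl
import time

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output; it is
# not a real certificate and the dates are arbitrary (90-day validity, as
# LetsEncrypt issues).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

SECONDS_PER_DAY = 86400
RENEWAL_WINDOW_DAYS = 30  # assumption: renew once fewer than 30 days remain


def san_dns_names(cert):
    """DNS names from subjectAltName; clients match these, not commonName."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match a certificate name against a host name: exact match, or a
    wildcard in the left-most label only ('*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def missing_hostnames(cert, hostnames):
    """Host names that no SAN entry covers; an empty list means the
    certificate is valid for every name the site is addressed by."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def days_until_expiry(cert, now=None):
    """Days left before notAfter (negative once the certificate has expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / SECONDS_PER_DAY


def renewal_due(cert, now=None, window_days=RENEWAL_WINDOW_DAYS):
    """The decision a daily renewal job makes: renew when inside the window."""
    return days_until_expiry(cert, now) < window_days


def check_site_certificate(cert, base_domain, now=None):
    """Check the two names this document requires (apex and www) plus expiry."""
    return {
        "missing": missing_hostnames(cert, [base_domain, "www." + base_domain]),
        "days_left": days_until_expiry(cert, now),
        "renew": renewal_due(cert, now),
    }


if __name__ == "__main__":
    # Against a live site you would obtain the dict with
    # ssl.create_default_context().wrap_socket(...).getpeercert() instead.
    print(check_site_certificate(SAMPLE_CERT, "example.com"))
```

If `missing` is non-empty for either name, the certificate was requested for only one of the two forms of the domain, which is exactly the situation the paragraph above warns about.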

1.1 Types of SSL Certificates

There are three types of SSL certificates, differentiated by the degree of trust checking that the certificate issuer has performed. GlobalSign provides an overview of SSL certificate types.

  • Domain Validation (DV): It has been proven that the domain(s) exist and are controlled by whoever requested the certificate. Users can be assured that communication with the site is secure. Visitors CANNOT be assured that any personal or business identity information on the site is accurate.
  • Organization Validation (OV): the CA checks the right of the applicant to use a specific domain name PLUS it conducts some verification of the organization. Additional organizational information is displayed to clients when clicking on the Secure Site Seal, giving enhanced visibility of who controls the site and correspondingly enhanced trust.
  • Extended Validation (EV): the Certificate Authority (CA) checks the right of the applicant to use a specific domain name PLUS it conducts a THOROUGH verification of the organization. The issuance process of EV SSL Certificates is strictly defined in the EV Guidelines, formally ratified by the CA/Browser Forum in 2007, which specify all the steps a CA must complete before issuing a certificate.

The type of SSL certificate required depends on the degree of trust you wish your clients to have. If your site is an e-commerce site and you collect sensitive information, such as passwords and credit card numbers, an Extended Validation (EV) certificate is required. This requirement can be omitted if you use a third party payment processor (which has its own EV certificate) such as PayPal, Visa or Mastercard.

Free SSL certificates provide Domain Validation (DV) and only assure site clients that their communications are secure. They are adequate for all sites, including ecommerce, if a third party payment processor is used.

1.2 Free LetsEncrypt Certificates

LetsEncrypt is a free, automated and open certificate authority supported by many leading internet companies concerned about the negative effects of the high cost and complexity of commercial SSL certificates. They have done an excellent job, to the dismay of high cost commercial SSL certificate providers.

1.2.1 Manual Certificate Method

LetsEncrypt certificates are valid for three months. You will have to repeat this step every three months.

If your domain is a subdomain of a DDNS provider and your DDNS provider is not on the "Public Suffix List", you may have to create your SSL certificates manually. Further information regarding the "Public Suffix List", why DDNS providers need to be on it and how to get on the "list" is available here. Automatic creation / updates of LetsEncrypt SSL certificates may fail due to "rate limiting" for domains from DDNS providers not on the "list", because LetsEncrypt counts all certificates issued under the provider's domain against one limit. The options are to choose a DDNS provider from the list, or to be prepared for rate limiting failures and retries (until success) when using automatic certificate updates.

SSL For Free has a very easy to use webpage for creating LetsEncrypt SSL certificates. Go to their site, click "Advanced Options" for instructions regarding how to enter multiple domains. Use the following steps:

  • Enter https://www.yourdomain https://yourdomain in the address bar.
  • Press "Create Free SSL Certificate"
  • You will be presented with three creation options. Choose "Manual Verification" unless you understand how to use and prefer the alternative methods.
  • Press "Manually Verify Domain" and follow the instructions.
  • Press "Download Certificates".
  • Optional: Create an account to manage certificates and be notified when certificates expire.
  • You can choose to copy and paste your certificates or download them. SecureOffice requires certificates to be in directory "/etc/ssl/domains".
  • It is suggested to name the certificates "domain.cer" and "domain.key". Alternatively, in directory "/etc/ssl/domains", link the certificate files to "domain.cer" and "domain.key". Elements of SecureOffice such as nginx and SecurePBX depend on files (or linked files) "/etc/ssl/domains/domain.cer" and "/etc/ssl/domains/domain.key".
  • The LetsEncrypt certificate authority (CA) file is pre-installed on SecureOffice from package "ca-certificates".
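As an added example (not SecureOffice's own tooling), the following Python script performs the file-placement steps above: it checks that the two downloaded files carry the PEM headers you expect, restricts the private key to its owner, and links them as "/etc/ssl/domains/domain.cer" and "/etc/ssl/domains/domain.key" without a moment in which either name is missing (so a running nginx never sees an absent file). The directory and file names come from this document; the function names and the placeholder PEM contents used by `demo_in_tempdir()` are assumptions, and that demo runs against a scratch directory so it can be tried without touching /etc.

```python
"""Install manually downloaded certificate files where SecureOffice expects
them. Added example, not SecureOffice code; standard library only."""
import os
import stat
import tempfile
from pathlib import Path

CERT_DIR = Path("/etc/ssl/domains")              # directory SecureOffice reads from
CERT_LINK, KEY_LINK = "domain.cer", "domain.key"  # file names this document suggests


def pem_kind(path):
    """Return 'cert', 'key' or None, judged from the first PEM header line."""
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        first = fh.readline().strip()
    if first == "-----BEGIN CERTIFICATE-----":
        return "cert"
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        return "key"
    return None


def _replace_link(link, target):
    """Point `link` at `target` without a window where the name is absent:
    build the symlink under a temporary name, then rename it into place."""
    if link.exists() and not link.is_symlink():
        raise FileExistsError(f"{link} is a regular file; refusing to overwrite it")
    tmp = link.with_name(link.name + ".tmp")
    if tmp.is_symlink() or tmp.exists():
        tmp.unlink()
    tmp.symlink_to(target)
    os.replace(tmp, link)  # rename(2) swaps the link atomically


def install_certs(cert_file, key_file, cert_dir=CERT_DIR):
    """Validate the two PEM files, lock down the key and link them into cert_dir.
    Returns the link targets so the caller can verify what was installed."""
    cert_file, key_file = Path(cert_file).resolve(), Path(key_file).resolve()
    cert_dir = Path(cert_dir)
    if pem_kind(cert_file) != "cert":
        raise ValueError(f"{cert_file} does not begin with a PEM certificate header")
    if pem_kind(key_file) != "key":
        raise ValueError(f"{key_file} does not begin with a PEM private key header")
    cert_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(key_file, stat.S_IRUSR | stat.S_IWUSR)  # private key: owner read/write only
    _replace_link(cert_dir / CERT_LINK, cert_file)
    _replace_link(cert_dir / KEY_LINK, key_file)
    return {CERT_LINK: os.readlink(cert_dir / CERT_LINK),
            KEY_LINK: os.readlink(cert_dir / KEY_LINK)}


def demo_in_tempdir():
    """Run the installer against constructed files in a scratch directory and
    report the checks a practitioner would make afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        downloads = tmp / "downloads"
        downloads.mkdir()
        cer = downloads / "certificate.crt"
        key = downloads / "private.key"
        # Constructed placeholder bodies; only the PEM headers matter here.
        cer.write_text("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
        key.write_text("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o644)  # simulate a world-readable download
        target_dir = tmp / "etc" / "ssl" / "domains"
        links = install_certs(cer, key, cert_dir=target_dir)
        try:  # swapped arguments (key where the cert belongs) must be rejected
            install_certs(key, cer, cert_dir=target_dir)
            swapped_rejected = False
        except ValueError:
            swapped_rejected = True
        return {
            "cert_link_ok": links[CERT_LINK] == str(cer.resolve()),
            "key_link_ok": links[KEY_LINK] == str(key.resolve()),
            "key_mode": oct(stat.S_IMODE(key.stat().st_mode)),
            "link_reads_back": (target_dir / CERT_LINK).read_text() == cer.read_text(),
            "swapped_files_rejected": swapped_rejected,
        }


if __name__ == "__main__":
    print(demo_in_tempdir())
```

On a real SecureOffice box you would call `install_certs("/path/to/downloaded.crt", "/path/to/downloaded.key")` as root and then restart nginx; the temporary-name-plus-rename approach means a restart in the middle of the swap still finds a valid "domain.cer" and "domain.key".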

1.2.2 Automatic Certificate Method

This method works for unique domain names (yoursite.com, etc.) and subdomains of DDNS providers who are on the "Public Suffix List" (described in the previous section). Using this method, certificates are created and updated automatically.

SecureOffice offers a premium application called "luci-app-nginx-certificates" which automatically requests and updates LetsEncrypt certificates. To install it, enter "opkg update; opkg install luci-app-nginx-certificates" at a SecureOffice command prompt.

After installing luci-app-nginx-certificates, using a browser on your LAN, access the SecureOffice / OpenWrt web GUI and navigate to "Services->Domain Certificates". You will see the certificate administration page, as shown below.

Figure 1: Domain Certificates Administration

If "Domain Certificates" does not appear under the "Services" menu, the SecureOffice web server cache must be cleared and restarted. Enter "rm -rf /tmp/luci-*; /etc/init.d/nginx restart" at a command prompt and try again.

Change the email address (Global Configuration) to the email address that you want LetsEncrypt certificate expiry notices to go to. If left blank, LetsEncrypt will not send certificate expiry notices.

Delete the default domain entry by pressing "Delete" (Red button on right under "Certificates").

Enter a descriptive name for your new domain section to the left of the "Add" button. The section name can contain letters, numbers and underscores. It is suggested to use your primary domain with underscores, for example "my_domain_com". Press the "Add" button. A new section named "my_domain_com" will be created.

Note: If creating certificates for SME Server, be aware that SME Server allows specification of only one certificate and one key file. This means that if hosting multiple virtual domains, one certificate must be created for and including all hosted domains.

Fill in the following fields:

  • Domain Name(s): A list of base domain names with no "www", for example "example.com". If using multiple domains, the first domain name entered must be your primary domain, the one used at initial SecureOffice registration. This is the domain entry in /etc/hosts of the form "LAN_Address domain", that was filled in prior to registering (System->Licensing->Registration). Press "+" to add the first domain.
  • Add as many domains as required, pressing "+" after each one. Your certificates will appear in directory "/etc/acme/your_primary_domain/" with names "your_primary_domain.cer" and "your_primary_domain.key". These certificates are linked to "/etc/ssl/domains/domain.crt" and "/etc/ssl/domains/domain.key" respectively. These certificates will be valid for all entered domains.
  • Set the "Key Size" to "2048"
  • Leave the "USE DNS" checkbox and "DNS Credentials" fields blank. These are used for an alternate method of LetsEncrypt domain verification which verifies using your DNS provider as opposed to verifying your site. Not all DNS providers support this. Check the OpenWrt DDNS / acme documentation for further information.
  • Test Checkbox: Leave checked until "Update" succeeds.
  • Auto Update: Leave unchecked until "Update" succeeds meaning you are ready for automatic updates.
  • Press "Save & Apply".

You will see your new domain entries, as shown below.

Figure 2: Domain Certificate Entry

Ensure "Test" is selected. Press "Update". A "Command Results" text area will appear, displaying progress, any error messages and the succeed / fail status. Fix any errors before proceeding (may require an internet search).

Uncheck "Test" and press "Update" again. Fix any errors before proceeding (may require an internet search).

One error to watch out for is "Too Many Certificates Issued", which is an indication you are using a subdomain of a DDNS provider not on the "Public Suffix List". In that case you should retry (or allow automatic retries to proceed until success), or choose an alternate method of acquiring SSL certificates, or switch to a LetsEncrypt compatible DDNS provider. While you are at it, send a support request to the DDNS provider requesting they get on the "Public Suffix List".

After certificates have been successfully created, check "Auto Update", then "Save & Apply" to have your certificates auto renew and never have to deal with expired SSL certificates and costs again. "Auto Update" schedules a daily task at 11:30 PM which checks for certificate expiry and updates them if necessary.

Certificates can be viewed (and copied) by pressing "Show Certs".

1.3 Alternative Free SSL Certificates

There are many other providers of free SSL certificates which can be found by an internet search. Follow their instructions to acquire certificates.

Be aware that certificates from all free SSL providers (except for LetsEncrypt) require manual renewal and expire quickly, with a maximum validity of three months.

Do not use free certificates from WoSign or StartCom; they have lost the trust of major browser manufacturers and will not work except in older browsers.

It is also possible to use free self-signed SSL certificates (search the internet for instructions), with the disadvantage that the root certificate authority (CA) file must be distributed and installed on all clients (PCs, phones). This may be useful for the truly paranoid, who do not trust third party certificate providers and wish to form a private network of trust.

1.4 Commercial SSL Certificates

There are many providers of commercial (paid) SSL certificates which can be found by an internet search. Follow their instructions to acquire certificates.
