<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Replacing self-signed certificates with Zentyal-generated certificates in Alfresco Archive</title>
    <link>https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275986#M229116</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;In order to provide our staff with a consistent experience with each of the servers we run, I'm replacing self-signed certificates with those issued by our Zentyal server, which is acting as the CA. I haven't found entries in either this forum or Zentyal's that deal with this particular topic thoroughly. What I have done so far is to work (unsuccessfully) through the instructions in the following locations, which seem to be similar:&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;UL&gt;&lt;LI&gt;/opt/alfresco-4.2.c/alf_data/keystore/CreateSSLKeystores.txt&lt;/LI&gt;&lt;LI&gt;&lt;A href="http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fgenerate-repo-ssl-keystore.html" rel="nofollow noopener noreferrer"&gt;http://docs.alfresco.com/4.2/index.jsp?topic=%2Fcom.alfresco.enterprise.doc%2Ftasks%2Fgenerate-repo-ssl-keystore.html&lt;/A&gt;&lt;/LI&gt;&lt;LI&gt;&lt;A href="https://wiki.alfresco.com/wiki/Alfresco_And_SOLR#Manually_Generating_New_SSL_Keys_Signed_by_a_Certificate_Authority" rel="nofollow noopener noreferrer"&gt;https://wiki.alfresco.com/wiki/Alfresco_And_SOLR#Manually_Generating_New_SSL_Keys_Signed_by_a_Certificate_Authority&lt;/A&gt;&lt;/LI&gt;&lt;/UL&gt;&lt;SPAN&gt;My &lt;/SPAN&gt;&lt;SPAN style="text-decoration: underline;"&gt;first&lt;/SPAN&gt;&lt;SPAN&gt; question is this: Am I even starting in the right place with the right instructions?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;With respect to these instructions, I noticed that there are a few aliases used for the certificates in the keystores, e.g. ssl.repo, ssl.alfresco.ca, and alfresco.ca. 
These aliases are referred to in each of the &lt;/SPAN&gt;&lt;EM&gt;*-passwords.properties&lt;/EM&gt;&lt;SPAN&gt; files.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;My &lt;/SPAN&gt;&lt;SPAN style="text-decoration: underline;"&gt;second&lt;/SPAN&gt;&lt;SPAN&gt; question is: Does it matter how these aliases are named? That is, are there any important references to them apart from the link between each keystore and its corresponding password properties file?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;When the Zentyal Certification Authority is activated and configured, it creates these files:&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;UL&gt;&lt;LI&gt;ca-cert.pem&lt;/LI&gt;&lt;LI&gt;ca-public-key.pem&lt;/LI&gt;&lt;/UL&gt;&lt;SPAN&gt;And when it creates a new certificate, it generates these files:&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;UL&gt;&lt;LI&gt;Alfresco-cert.pem&lt;/LI&gt;&lt;LI&gt;Alfresco.p12&lt;/LI&gt;&lt;LI&gt;Alfresco-private-key.pem&lt;/LI&gt;&lt;LI&gt;Alfresco-public-key.pem&lt;/LI&gt;&lt;/UL&gt;&lt;SPAN&gt;When working through the instructions above, I have tried to do so both with and without the existing keystores. After failures, I have run the &lt;/SPAN&gt;&lt;EM&gt;generate_keystores.sh&lt;/EM&gt;&lt;SPAN&gt; script. 
Nothing seems broken, and I see no errors in the logs after restarting the server.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;My &lt;/SPAN&gt;&lt;SPAN style="text-decoration: underline;"&gt;third&lt;/SPAN&gt;&lt;SPAN&gt; question is: If I &lt;/SPAN&gt;&lt;SPAN style="text-decoration: underline;"&gt;should&lt;/SPAN&gt;&lt;SPAN&gt; be using the above instructions, should I create new keystores and then simply replace the old ones?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;In the instruction at the Alfresco Wiki link above, I noticed the following:&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;BLOCKQUOTE class="jive-quote"&gt;Note&lt;BR /&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; if using Tomcat, the values for the above prompts must match those defined in the tomcat-users.xml file for the following entry: &lt;BR /&gt;&amp;lt;user username="CN=Alfresco Repository, OU=Unknown, O=Alfresco Software Ltd., L=Maidenhead, ST=UK, C=GB" roles="repository" password="null"/&amp;gt;&lt;/BLOCKQUOTE&gt;&lt;BR /&gt;&lt;SPAN&gt;My &lt;/SPAN&gt;&lt;SPAN style="text-decoration: underline;"&gt;fourth&lt;/SPAN&gt;&lt;SPAN&gt; question is: If I am following the instruction correctly, do I understand rightly that I need to modify this line to fit the values in the Zentyal-issued certificate?&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;Before I report the errors I experience, I would like to know the answers to these questions. It probably doesn't help to copy in error codes if I'm on the wrong track anyway.&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;My thanks to each of you who take the time to read this, and many more to those who respond.&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Thu, 07 Feb 2013 13:49:21 GMT</pubDate>
    <dc:creator>dfliddle</dc:creator>
    <dc:date>2013-02-07T13:49:21Z</dc:date>
    <item>
      <title>Replacing self-signed certificates with Zentyal-generated certificates</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275986#M229116</link>
      <description>In order to provide our staff with a consistent experience with each of the servers we run, I'm replacing self-signed certificates with those issued by our Zentyal server, which is acting as the CA. I haven't found entries in either this forum or Zentyal's that deal with this particular topic thorou</description>
      <pubDate>Thu, 07 Feb 2013 13:49:21 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275986#M229116</guid>
      <dc:creator>dfliddle</dc:creator>
      <dc:date>2013-02-07T13:49:21Z</dc:date>
    </item>
    <item>
      <title>Re: Replacing self-signed certificates with Zentyal-generated certificates</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275987#M229117</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Hi David,&lt;/SPAN&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;SPAN&gt;I would recommend not to go this way. Instead you should configure an Apache in front of Tomcat. This is best practice for all our installations and much, much easier to handle. As a side effect you can harden Alfresco, create redirects and open just the URLs and requests using Apache config. Tomcat should be configured to talk only to Apache and SOLR.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Anyway you should create new certificates to prevent that everyone can read your content with the default certs who has access to Tomcat. For this Alfresco already provides scripts not to make any mistakes.&lt;/SPAN&gt;&lt;BR /&gt;&lt;SPAN&gt;Of course you can use commercial certs for the Tomcat SSL connector but as long as you don't understand the complexity in Alfresco/SOLR communication and if you're not very familiar with OpenSSL and keystore mechanisms you shouldn't touch this. Otherwise it is very likely that at least your SOLR search will not work any more. So don't go the trappy way if there is an easy and robust one.&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 07 Feb 2013 15:55:23 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275987#M229117</guid>
      <dc:creator>heiko_robert</dc:creator>
      <dc:date>2013-02-07T15:55:23Z</dc:date>
    </item>
    <item>
      <title>Re: Replacing self-signed certificates with Zentyal-generated certificates</title>
      <link>https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275988#M229118</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;SPAN&gt;Thank you for the reply, Heiko. I have seen many such recommendations for the Apache reverse proxy server, and using this technique could help simplify other services that we run. Do you know if it can handle the Alfresco IMAP component also? I have read of others attempting IMAP funneling with that and Nginx, but it's not always easy to tell how successful or satisfied they were.&lt;/SPAN&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 13 Feb 2013 13:58:18 GMT</pubDate>
      <guid>https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275988#M229118</guid>
      <dc:creator>dfliddle</dc:creator>
      <dc:date>2013-02-13T13:58:18Z</dc:date>
    </item>
  </channel>
</rss>

