https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275987#M229117 <HTML><HEAD></HEAD><BODY><SPAN>Hi David,</SPAN><BR /><BR /><SPAN>I would recommend not to go this way. Instead you should configure an apache in front of tomcat. This is best practice for all our installations and much, much more easy to handle. As a side effect you can harden Alfresco, create redirects and open just the URLs and requests using apache config. Tomcat should be configured to talk only to apache and SOLR.</SPAN><BR /><SPAN>Anyway you should create new certificates to prevent that everyone can read your content with the default certs who has access to tomcat. For this Alfresco allready provides scripts not to make any mistakes.</SPAN><BR /><SPAN>Of course you can use commercial certs for the tomcat ssl connector but as long you don't understand the complexity in alfresco/SOLR communication and if you're not very familiar with openssl and keystore mechanisms you shouldn't touch this. Otherwise it is very likely that at least your SOLR search will not work any more. So don't go the trappy way if there is an easy and robust one.</SPAN></BODY></HTML> Thu, 07 Feb 2013 15:55:23 GMT heiko_robert 2013-02-07T15:55:23Z https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275986#M229116 In order to provide our staff with a consistent experience with each of the servers we run, I'm replacing self-signed certificates with those issued by our Zentyal server, which is acting as the CA. I haven't found entries in either this forum or Zentyal's that deal with this particular topic thorou Thu, 07 Feb 2013 13:49:21 GMT https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275986#M229116 dfliddle 2013-02-07T13:49:21Z https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275987#M229117 <HTML><HEAD></HEAD><BODY><SPAN>Hi David,</SPAN><BR /><BR /><SPAN>I would recommend not to go this way. Instead you should configure an apache in front of tomcat. This is best practice for all our installations and much, much more easy to handle. As a side effect you can harden Alfresco, create redirects and open just the URLs and requests using apache config. Tomcat should be configured to talk only to apache and SOLR.</SPAN><BR /><SPAN>Anyway you should create new certificates to prevent that everyone can read your content with the default certs who has access to tomcat. For this Alfresco allready provides scripts not to make any mistakes.</SPAN><BR /><SPAN>Of course you can use commercial certs for the tomcat ssl connector but as long you don't understand the complexity in alfresco/SOLR communication and if you're not very familiar with openssl and keystore mechanisms you shouldn't touch this. Otherwise it is very likely that at least your SOLR search will not work any more. So don't go the trappy way if there is an easy and robust one.</SPAN></BODY></HTML> Thu, 07 Feb 2013 15:55:23 GMT https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275987#M229117 heiko_robert 2013-02-07T15:55:23Z https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275988#M229118 <HTML><HEAD></HEAD><BODY><SPAN>Thank you for the reply, Heiko. I have seen many such recommendations for the Apache reverse proxy server, and using this technique could help simplify other services that we run. Do you know if it can handle the Alfresco IMAP component also? I have read of others attempting IMAP funneling with that and Nginx, but it's not always easy to tell how successful or satisfied they were.</SPAN></BODY></HTML> Wed, 13 Feb 2013 13:58:18 GMT https://connect.hyland.com/t5/alfresco-archive/replacing-self-signed-certificates-with-zentyal-generated/m-p/275988#M229118 dfliddle 2013-02-13T13:58:18Z