[Kolab-devel] server/doc/administration intro.sgml,1.2,1.3 by martin at doto.intevation.de

root at intevation.de root at intevation.de
Thu Jun 12 12:42:19 CEST 2003


Update of /kolabrepository/server/doc/administration
In directory doto:/tmp/cvs-serv13743/administration

Modified Files:
	intro.sgml 
Log Message:
Added extra docu with regard to how to make a certificate request


Index: intro.sgml
===================================================================
RCS file: /kolabrepository/server/doc/administration/intro.sgml,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -d -r1.2 -r1.3
--- intro.sgml	9 Jun 2003 15:43:40 -0000	1.2
+++ intro.sgml	12 Jun 2003 10:42:16 -0000	1.3
@@ -89,4 +89,59 @@
 <inlinegraphic entityref="kolab-structure" fileref="kolab-structure" scale="70"></inlinegraphic>
 </para>
 
+<para>
+When installing the kolab server the first time a self signed cryptograpic
+certificate is created. For production purposes we strongly recommend to get a
+proper certificate signed by an authority (CA) which is accepted by the client
+software. This can either be an internal CA or a commercial CA provider. 
+</para>
+
+<para>
+To create a certificate, you need to start with a certificate 
+request (or, as some certificate authorities like to put 
+it, "certificate signing request", since that's exactly what they do, 
+they sign it and give you the result back, thus making it authentic 
+according to their policies).  A certificate request can then be sent 
+to a certificate authority to get it signed into a certificate, or if 
+you have your own certificate authority 
+</para>
+
+<para>The certificate request is created like this:</para>
+
+<filename>/kolab/bin/openssl req -new -key privkey.pem -out cert.csr</filename> 
+
+<para>
+Now, cert.csr can be sent to the certificate authority, if they can 
+handle files in PEM format.  If not, use the extra argument 
+<filename>-outform</filename> followed by the keyword for the format to use 
+When the certificate authority has then done the checks the need 
+to do (and probably gotten payment from you), they will hand over 
+your new certificate to you. 
+</para>
+
+<para>
+If the certificate authority was kind enough, your certificate is a raw 
+DER thing in PEM format. However, some certificate authorities will 
+encode them with things like PKCS7 or PKCS12, or something 
+else. In this case you have to convert it like described in the 
+openssl documentation or better ask the certificate authority to 
+provide the key in PEM format. Please have a look dumpcert  
+which might be of some help. 
+</para>
+
+<para>
+Concatenate the certificate and the key into a new file and using 
+that one should be enough. 
+</para>
+
+<para>
+We did not test this procedure within the kroupware project 
+though.
+</para>
+
+<para>
+Further details can be obtained from
+<filename>http://www.openssl.org</filename>
+</para>
+
 </chapter>
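
Review bot: In the paragraph about PKCS7/PKCS12 encodings, "ask the certificate authority to provide the key in PEM format" should say certificate, not key: the request is built from the local privkey.pem and only cert.csr is sent, so the CA never holds the key. The paragraph after it tells the admin to concatenate the certificate and the key into one file without noting that this file then contains the private key; add a sentence that it must be readable only by the account the server runs as. The second added paragraph stops mid-sentence at "or if you have your own certificate authority", and the text never says where privkey.pem comes from or which file the concatenated result is meant to replace. Smaller points: the openssl command is marked up as <filename> and sits outside any <para> (DocBook has <command> or <screen> for this), "cryptograpic" and "the checks the need to do" are typos, the sentence ending "format to use" lacks a full stop, and "have a look dumpcert" is missing "at".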




