How to install a certificate signed by a recognized Certificate Authority.

The Citadel system offers SSL/TLS encryption on every protocol it serves. When you initially install the system, a private key and self-signed certificate are automatically generated for you. However, you may wish to purchase a certificate signed by a recognized certificate authority. Alternatively, you may wish to have a certificate that is self-signed, but has the correct Distinguished Name (DN). If you wish to do either of these things, here are the required steps.

Erase, or set aside, the existing key

The keys directory contains three files:

citadel.key: the private key
citadel.csr: the certificate signing request
citadel.cer: the signed or self-signed certificate

Delete these files, or move them to another directory.

Generate a private key

While inside the keys directory, run the following command:

openssl genrsa -out citadel.key 1024

Generate a Certificate Signing Request based on that key

Run the following command:

openssl req -new -key citadel.key -out citadel.csr

Answer all of the prompts accurately, and observe all of the rules your certificate authority imposes on the distinguished name (DN) of your certificate. For example, the Common Name (CN) must match the fully qualified domain name of your server, and if you are in the United States you must give the full name of your state rather than its abbreviation.

Now you can order your certificate. When your certificate authority requests your certificate signing request, you simply paste in the contents of citadel.csr to send it to them.

Generate a self-signed certificate (if needed for temporary use)

Simply restarting the Citadel server at this point will automatically generate a self-signed certificate using your new key and CSR. Or, you can do it explicitly with this command:

openssl x509 -req -days 365 -in citadel.csr -signkey citadel.key -out citadel.cer

Install the signed certificate

When you receive your signed certificate from the certificate authority, simply delete the citadel.cer file containing your self-signed certificate, and save your signed certificate as citadel.cer in its place. Restart the Citadel server, and you are finished.
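The procedure above, run end to end as an added example (this is not code from the Citadel project or the wiki page): it performs the key, CSR and self-signed certificate steps non-interactively, then checks that the three files in the keys directory actually belong together before the server is restarted, and reads back the CN and serial number that clients will see. It assumes openssl is on PATH, uses a scratch directory (KEYS_DIR) in place of citadel/keys, and every DN value in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not part of the Citadel wiki page: runs the key / CSR /
# self-signed certificate steps non-interactively and then checks that the
# three files belong together before the server is restarted.
# Assumptions: openssl is on PATH; KEYS_DIR is a scratch directory standing in
# for citadel/keys; every DN value below is a constructed placeholder.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }

KEYS_DIR="${KEYS_DIR:-$(mktemp -d)}"

# Subject for the CSR. Follow the CA's DN rules from the page: CN is the
# server's fully qualified host name and ST (US) is the spelled-out state.
SUBJ="/C=US/ST=New York/L=Example City/O=Example Org/OU=Citadel Server/CN=mail.example.com"

# The generate-key, generate-CSR and self-sign steps of the page. 2048 bits is
# this example's choice: the page's genrsa command says 1024, its GoDaddy
# section uses 2048.
make_key_csr_cert() {
    dir="$1"
    openssl genrsa -out "$dir/citadel.key" 2048 2>/dev/null
    openssl req -new -key "$dir/citadel.key" -subj "$SUBJ" -out "$dir/citadel.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/citadel.csr" -signkey "$dir/citadel.key" \
        -out "$dir/citadel.cer" 2>/dev/null
}

# citadel.key, citadel.csr and citadel.cer must all carry the same public key;
# a mismatch (e.g. a CA-signed cert dropped next to a regenerated key) means
# the server cannot complete a TLS handshake. Returns 0 on match, 1 otherwise.
key_csr_cert_match() {
    dir="$1"
    k=$(openssl rsa -in "$dir/citadel.key" -pubout 2>/dev/null)
    r=$(openssl req -in "$dir/citadel.csr" -pubkey -noout 2>/dev/null)
    c=$(openssl x509 -in "$dir/citadel.cer" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# CN of the installed certificate; compare it against the host name clients use.
cert_cn() {
    openssl x509 -in "$1/citadel.cer" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Serial number of the certificate. Two certificates with the same issuer DN
# and the same serial trigger the sec_error_reused_issuer_and_serial complaint
# described further down the page; openssl x509 -set_serial forces a distinct
# one when you generate certificates by hand.
cert_serial() {
    openssl x509 -in "$1/citadel.cer" -noout -serial | cut -d= -f2
}

make_key_csr_cert "$KEYS_DIR"
key_csr_cert_match "$KEYS_DIR" && echo "key, CSR and certificate match"
echo "CN=$(cert_cn "$KEYS_DIR") serial=$(cert_serial "$KEYS_DIR")"
```

Run it from a scratch directory (it never touches the real keys directory unless you point KEYS_DIR there); the `key_csr_cert_match` check is the one worth keeping, since it catches the common mistake of regenerating citadel.key after the CSR has already been sent to the CA.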

Using the key and certificate with WebCit

WebCit contains an identical cryptography subsystem, also with a keys directory of its own. The only difference is that the three files are called webcit.key, webcit.csr, and webcit.cer instead of citadel.key, citadel.csr, and citadel.cer. The good news is that you can copy or symlink those three files from the citadel/keys directory over to the webcit/keys directory, then restart WebCit, and your new certificate will be used for HTTPS connections as well.

Problems with Citadel's autogenerated certificates

Citadel making it easy for you

Citadel provides a non-interactive way to equip you with basic SSL certificates, so you can get SSL/HTTPS up and running without fiddling with openssl's command-line tools, reading howtos, and so forth.

Drawback under certain conditions

So your client (be it the web browser or the email client) complains about the server certificate like this:

You have received an invalid certificate. 
Please contact the server administrator or 
email correspondent and give them the following information:

Your certificate contains the same serial number as another 
certificate issued by the certificate authority. 
Please get a new certificate containing a unique serial number.

(Error code: sec_error_reused_issuer_and_serial)

This may happen if you run more than one Citadel instance with self-created certificates.

What happened?

Citadel's first-time setup is designed to ask you as few questions as possible. Some of the "questions" it keeps away from you are therefore answered with default values, among them the CN field of the self-created Certificate Authority (CA). Your client takes the view that one CA must not exist twice (which is correct) and rejects the certificate with the error message above.

So if you set up a "test" installation to find out about Citadel, and then set up what is to be the "live" installation, you will be faced with that error.

If you don't want to replace the certificates with ones from a real CA, the easiest way to work around it is WebCit's feature for overriding the default values with yours: remove the defective certificates, and set these environment variables:

export O="Your Organization name"
export OU="Your Citadel Server"
export CN="*"

and restart WebCit in that shell. You can use the certificates it creates for the Citadel server too.

... where to find the certificate files

GoDaddy Certificates

By the users joy & blasto333

in citserver's key directory

  1. openssl genrsa -out citadel.key 2048
  2. openssl req -new -key citadel.key -out citadel.csr
  3. in GoDaddy provide citadel.csr to generate the SSL certificate (extension crt)
  4. GoDaddy will send you a zip containing 2 files; extract the files
    1. One of the files is named "yourdomain" and it comes in crt format … rename the file to citadel.cer
    2. The other file is a GoDaddy chain in crt format … just rename the extension of this one to cer
  5. copy the 2 files to citserver's key directory
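The GoDaddy flow above, as an added example that is not part of the post or of the Citadel project: since the real CA cannot be exercised offline, a constructed toy CA stands in for GoDaddy, its certificate plays the role of the chain file from the zip, and the script shows the check worth running before step 5, namely that the delivered citadel.cer actually verifies against the chain file that came with it. It assumes openssl is on PATH and works in a scratch directory (WORK); all DN values are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the post above: reproduces the GoDaddy flow with a
# constructed toy CA so the chain check can run offline. The toy CA stands in
# for GoDaddy; "chain.cer" stands in for the renamed chain file from the zip.
# Assumptions: openssl on PATH; WORK is a scratch directory; all DN values are
# constructed placeholders.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 0; }
WORK="${WORK:-$(mktemp -d)}"

# Toy CA: a self-signed root whose certificate plays the role of the chain file.
make_toy_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/ca.key" -out "$1/chain.cer" \
        -subj "/O=Example Toy CA/CN=Example Toy Root" 2>/dev/null
}

# Steps 1 and 2 of the post: server key and CSR (2048 bits, as in the post).
make_server_csr() {
    openssl genrsa -out "$1/citadel.key" 2048 2>/dev/null
    openssl req -new -key "$1/citadel.key" -out "$1/citadel.csr" \
        -subj "/O=Example Org/CN=mail.example.com" 2>/dev/null
}

# Step 3 as seen from the CA's side: sign the CSR, yielding the file the post
# renames to citadel.cer.
ca_sign_csr() {
    openssl x509 -req -days 365 -in "$1/citadel.csr" \
        -CA "$1/chain.cer" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/citadel.cer" 2>/dev/null
}

# The check to run before step 5: does citadel.cer chain up to the shipped
# chain file? If not, clients will see an untrusted certificate after restart.
chain_verifies() {
    openssl verify -CAfile "$1/chain.cer" "$1/citadel.cer" >/dev/null 2>&1
}

make_toy_ca "$WORK"
make_server_csr "$WORK"
ca_sign_csr "$WORK"
chain_verifies "$WORK" && echo "citadel.cer verifies against chain.cer"
```

With the real files, only `chain_verifies` is needed: run `openssl verify -CAfile <renamed chain file> citadel.cer` in the keys directory; a failure there means the wrong chain file was renamed or the certificate belongs to a different CSR.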