eFront hosted by Epignosis
There are three major cases when setting up an SSL certificate for your system, depending on your requirements. These are:
- Having a single domain name without any branches, e.g. efront.example.com
- Having a few specific domain names for branches, e.g. alpha.efront.example.com, beta.efront.example.com, gamma.efront.example.com
- Having any number of domain names, e.g. *.efront.example.com
For the first case, you may either obtain a certificate from a commercial provider at your own expense, or the eFront support team may issue a Let's Encrypt certificate for you, which is also the default action for new eFront customers.
In the second and third cases, you must obtain a certificate at your own expense from whichever provider (Certificate Authority, CA) you prefer.
In any case, if you need to obtain a certificate from a commercial provider, you will need a CSR file to do so. Contact our support team to send you the necessary CSR file. For the eFront support team to produce such a file, the following information is required:
- Domain names (e.g. efront.example.com or *.efront.example.com)
- Organization name
- Organizational unit (optional)
- City
- State or Province
- Country
So, please include the above information in your request to our support team.
Once you have done so, we will be able to send you the CSR file, so you may proceed with issuing your certificate.
eFront hosted on your server
If you host eFront on your own server, then there are two major ways to set up an SSL certificate. Those are:
- Producing an SSL certificate with a CSR file
- Producing an SSL certificate with a PFX file
Note!: The following commands require advanced permissions, so you should perform the following process as a superuser. On a Linux-based command line, type:
sudo -s
SSL certificate with a CSR file
The steps you need to take in order to produce an SSL certificate with a CSR file are the following:
- From the command line type the following command
openssl req -new -newkey rsa:2048 -nodes -keyout <sitename>.key -out <sitename>.csr
During this step, you will be asked to provide information such as Country, State or Province, etc. The result of the above command is a private key .key file and the .csr file, which will be used in the next step. Because of -nodes, the key is written without a passphrase, so it is protected only by the file permissions set in the later steps.
- Use the .csr produced by the previous step to issue your certificate with the CA provider of your choice. Once your provider completes the process, you will get back two files (a certificate and a chain file).
- Create a new directory in your file system to store the certificate files.
mkdir /var/www/vhosts/certs
Notice!!! You may use some other path for the above directory.
- Move the .key file produced in step 1 to the directory certs
mv <sitename>.key /var/www/vhosts/certs
- Move the certificate and chain files (from step 2) to the folder certs
mv <sitename>.crt /var/www/vhosts/certs
mv <sitename>_ca.crt /var/www/vhosts/certs
- Change the permissions of the certs directory and its files as follows
chmod -R 400 /var/www/vhosts/certs
- Change the ownership of the certs directory and its files as follows
chown -R root:root /var/www/vhosts/certs
- Install mod_ssl for your Apache server
yum install mod_ssl
- Modify your vhosts file as follows
<VirtualHost <ip_address>:443>
ServerName <sitename>
DocumentRoot "/var/www/vhosts/<efront-directory>/"
SSLEngine on
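# Only TLS 1.2 is enabled; SSLv3, TLS 1.0 and TLS 1.1 are obsolete and stay disabled
SSLProtocol -ALL +TLSv1.2
# Strong ciphers only: no anonymous, MD5, RC4 or 3DES suites
SSLCipherSuite HIGH:!aNULL:!MD5:!RC4:!3DES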
SSLCertificateFile /var/www/vhosts/certs/<sitename>.crt
SSLCertificateKeyFile /var/www/vhosts/certs/<sitename>.key
SSLCertificateChainFile /var/www/vhosts/certs/<sitename>_ca.crt
<Directory "/var/www/vhosts/<efront-directory>/">
AllowOverride All
</Directory>
</VirtualHost>
- If you would like your domain name to support only https access, add the following lines to your vhosts file
<VirtualHost <ip_address>:80>
ServerName <sitename>
DocumentRoot "/var/www/vhosts/<efront-directory>/"
<Directory "/var/www/vhosts/<efront-directory>/">
AllowOverride All
</Directory>
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>
- Modify your firewall settings (/root/myfirewall) to allow incoming connections to port 443
- After modifying your firewall settings do not forget to "run" your firewall settings again
./myfirewall
- Make sure the file /etc/httpd/conf/httpd.conf contains the following line; if not, add it
NameVirtualHost *:443
- Edit the file /etc/sysconfig/httpd and add the following line
export OPENSSL_NO_DEFAULT_ZLIB=1
- Restart your Apache server
SSL certificate with a PFX file
The steps you need to take in order to produce an SSL certificate with a PFX file are the following:
- Create a new directory in your file system to store the certificate files.
mkdir /var/www/vhosts/certs
Notice!!! You may use some other path for the above directory.
- Run the following command
openssl pkcs12 -in <sitename>.pfx -clcerts -nokeys -out <sitename>.crt
- Run the following command
openssl pkcs12 -in <sitename>.pfx -nocerts -nodes -out <sitename>.key
- Run the following command
openssl pkcs12 -in <sitename>.pfx -out <sitename>-ca.crt -nodes -nokeys -cacerts
Notice!!! If this step produces an empty file, do not include it in your .conf file.
- Continue with the process described in the section "SSL certificate with a CSR file" starting from step 6
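Before restarting Apache, it is worth confirming that the certificate belongs to the private key, that it validates against the chain file, and that the key is readable by its owner only, whether the files came from the CSR route or were extracted from a PFX. The script below is an added example, not part of the original eFront instructions; the function names and the throwaway CA and site files it generates in a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the three files the vhost references.

# Succeeds only if the certificate ($1) was issued for the private key ($2).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds only if the certificate ($1) validates against the chain file ($2).
# An empty chain file (possible after the -cacerts PFX step) fails this check.
cert_chains_to() {
    [ -s "$2" ] || return 1
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Succeeds only if group and others have no permissions on the key file ($1).
key_is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Constructed demo material: a throwaway CA, a site key/CSR/certificate and
# an unrelated key, all written to a temporary directory.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/site_ca.crt" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=efront.example.com" \
        -keyout "$d/site.key" -out "$d/site.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/site.csr" -CA "$d/site_ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -days 1 \
        -out "$d/site.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/other.key" 2048 >/dev/null 2>&1
    : > "$d/empty_ca.crt"
    chmod 400 "$d/site.key"
    echo "$d"
}

demo=$(make_demo)
cert_matches_key "$demo/site.crt" "$demo/site.key" && echo "certificate matches site.key"
cert_matches_key "$demo/site.crt" "$demo/other.key" || echo "other.key does not match"
cert_chains_to "$demo/site.crt" "$demo/site_ca.crt" && echo "chain file verifies the certificate"
cert_chains_to "$demo/site.crt" "$demo/empty_ca.crt" || echo "empty chain file rejected"
key_is_private "$demo/site.key" && echo "site.key is owner-only"
```

On a real server, call the three functions with the paths used in the vhost file instead of the demo files, and restart Apache only when all of them succeed.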