eFront hosted by Epignosis

There are three major cases when setting up an SSL certificate for your system, depending on your requirements. These are:

• Having a single domain name without any branches. e.g: efront.example.com
• Having a few specific domain names for branches. e.g: alpha.efront.example.com, beta.efront.example.com, gamma.efront.example.com
• Having any number of domain names. e.g: *.efront.example.com

For the first case, you may either issue a certificate at your own expense at some commercial provider or eFront support team may issue a let’s encrypt certificate for you, which is also the default action for new eFront customers.

Regarding the second and third case, you necessarily need to issue a certificate at your own expense to whatever provider (Certificate Authority, CA) you prefer.

In any case, if you need to issue a certificate in some commercial provider you will need an CSR file to do so. Contact our support team to send you the necessary CSR file but in order for eFront support team to produce such a file, the following information is required.

• Domain names (e.g: efront.example.com or *.efront.example.com)
• Email
• Organization name
• Organizational unit (optional)
• City
• State or Province
• Country

So, please include the above information in your request towards our support team.

Once you have done so, we will be able to send you the CSR file, so you may proceed with issuing your certificate.

eFront hosted on your server

If you host eFront on your own server, then there are two major ways to set up an SSL certificate. Those are:

• Producing an SSL certificate with a CSR file
• Producing an SSL certificate with a PFX file

Note!: The following commands require advanced permissions so it will be useful if you would perform the following process as a superuser. (on a linux based command line type

sudo -s

SSL certificate with a CSR file

The steps you need to take in order to produce an SSL certificate with a CSR file are the following:

1. From the command line type the following command
   

   openssl req -new -newkey rsa:2048 -nodes -keyout <sitename>.key -out <sitename>.csr

   During this step, you will be asked to provide information such as Country, State or Province etc. The result of the above command is a private key .key file, which will be used in the next step
   
   
2. Use the .csr produced by the previous steps to issue your certificate with the CA provider of your choice. Once your provider completes the process you will get back two files (a certificate and a chain file).
   
   
3. Create a new directory in your file system to store the certificate files.
   

   mkdir /var/www/vhosts/certs

   Notice!!! You may use some other path for the above directory.
    
4. Move the .key file produced in step 1 to the directory certs
   

   mv <sitename>.key /var/www/vhosts/certs

5. Move the certificate and chain files (from step 2) to the folder certs
   

   mv <sitename>.crt /var/www/vhosts/certs
   

   mv <sitename>_ca.crt /var/www/vhosts/certs

6. Change the permissions of the certs directory and its files as following
   

   chmod -R 400 /var/www/vhosts/certs

7. Change the ownership of the certs directory and its files as following
   

   chown -R root:root /var/www/vhosts/certs 

8. Install mod_ssl for your Apache server
   

   yum install mod_ssl

9. Modify your vhosts file as following
   

   <VirtualHost <ip_address>:443>
      ServerName <sitename>
      DocumentRoot "/var/www/vhosts/<efront-directory>/"
   
      SSLEngine on
      SSLProtocol -ALL -SSLv3 +TLSv1
      SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:!MEDIUM:!LOW:!SSLv2:!EXPORT
      SSLCertificateFile /var/www/vhosts/certs/<sitename>.crt
      SSLCertificateKeyFile  /var/www/vhosts/certs/<sitename>.key
      SSLCertificateChainFile /var/www/vhosts/certs/<sitename>_ca.crt
   
      <Directory "/var/www/vhosts/<efront-directory>/">
         AllowOverride All
      </Directory>
   </VirtualHost>

10. If you would like your domain name to only support https access add the following lines to your hosts file
    

    <VirtualHost <ip_address>:80>
       ServerName <sitename>
       DocumentRoot "/var/www/vhosts/<efront-directory>/"
                     
       <Directory "/var/www/vhosts/<efront-directory>/">
          AllowOverride All
       </Directory>
          
       RewriteEngine on
       ReWriteCond %{SERVER_PORT} !^443$
       RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
    </VirtualHost>

11. Modify your firewall settings (/root/myfirewall) to allow incoming connections to port 443
    
12. After modifying your firewall settings do not forget to "run" your firewall settings again
    

    ./myfirewall

13. Make sure the the file /etc/httpd/conf/httpd.conf contains the following line, and if not add it
    

    NameVirtualHost *:443

14. Edit the file /etc/sysconfig/httpd and add the following line
    

    export OPENSSL_NO_DEFAULT_ZLIB=1

15. Restart your apache server|

SSL certificate with a PFX file

The steps you need to take in order to produce an SSL certificate with a PFX file are the following:

1.  Create a new directory in your file system to store the certificate files.
   

   mkdir /var/www/vhosts/certs

   Notice!!! You may use some other path for the above directory.
   
2. Run the following command
   

   openssl pkcs12 -in <sitename>.pfx -clcerts -nokeys -out <sitename>.crt

3. Run the following command
   

   openssl pkcs12 -in <sitename>.pfx -nocerts -nodes  -out <sitename>.key

4. Run the following command
   

   openssl pkcs12 -in <sitename>.pfx -out <sitename>-ca.crt -nodes -nokeys -cacerts
   
   

   Notice!!! If this step produces an empty file do not include it in your .conf file
   
   
5. Continue with the process described in the section "SSL certificate with a CSR file" starting from step 6