Chapter 17. S/MIME

At first glance, encryption with S/MIME seems a little more complicated than with PGP. First, you have to establish a Certification Authority (CA) for the OTRS system, following which the procedures are very much like those needed with PGP: configure OTRS, install your own certificate, import other public certificates as needed, etc.

The S/MIME configuration is conducted outside the OTRS web interface for the most part, and should be carried out in a shell by the 'otrs' user. The MIME configuration under Linux is based on SSL (OpenSSL). Therefore, check first of all whether the OpenSSL package is installed on your system. The OpenSSL package includes a script called CA.pl, with which the most important steps of certificate creation can be performed. To simplify the procedure, find out where in the filesystem the CA.pl script is stored and enter the location temporarily into the PATH variable of the shell (see Script below).

otrs@linux:~> rpm -ql openssl | grep CA
/usr/share/ssl/misc/CA.pl
otrs@linux:~> export PATH=$PATH:/usr/share/ssl/misc
otrs@linux:~> which CA.pl
/usr/share/ssl/misc/CA.pl
otrs@linux:~> mkdir tmp; cd tmp
otrs@linux:~/tmp>

Script: Configuring S/MIME.

The script above shows that a new temporary directory ~/tmp has been created, in which the certificate is to be generated.

To create a certificate, perform the following operations in the command line (we assume that the OTRS administrator has to create a SSL certificate for test and learning purposes. In case you already have a certified SSL certificate for the encryption, use it and skip these steps):

  1. Establish your own Certification Authority for SSL. You need it to certify the request for your own SSL certificate (see Script below).

    otrs@linux:~/tmp> CA.pl -newca
    CA certificate filename (or enter to create)
    
    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ...++++++
    ......++++++
    writing new private key to './demoCA/private/cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE
    State or Province Name (full name) [Some-State]:OTRS-state
    Locality Name (eg, city) []:OTRS-town
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your company
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:OTRS Admin
    Email Address []:[email protected]
    otrs@linux:~/tmp> ls -la demoCA/
    total 8
    -rw-r--r--  1 otrs otrs 1330 2006-01-08 17:54 cacert.pem
    drwxr-xr-x  2 otrs otrs   48 2006-01-08 17:53 certs
    drwxr-xr-x  2 otrs otrs   48 2006-01-08 17:53 crl
    -rw-r--r--  1 otrs otrs    0 2006-01-08 17:53 index.txt
    drwxr-xr-x  2 otrs otrs   48 2006-01-08 17:53 newcerts
    drwxr-xr-x  2 otrs otrs   80 2006-01-08 17:54 private
    -rw-r--r--  1 otrs otrs   17 2006-01-08 17:54 serial
    otrs@linux:~/tmp>
        

    Script: Establishing a Certification Authority for SSL.

  2. Generate a certificate request (see Script below).

    otrs@linux:~/tmp> CA.pl -newreq
    Generating a 1024 bit RSA private key
    ..........................................++++++
    ....++++++
    writing new private key to 'newreq.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:DE\keyreturn
    State or Province Name (full name) [Some-State]:OTRS-state
    Locality Name (eg, city) []:OTRS-town
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your company
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:OTRS admin
    Email Address []:[email protected]
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request (and private key) is in newreq.pem
    otrs@linux:~/tmp> ls -la
    total 4
    drwxr-xr-x  6 otrs otrs  232 2006-01-08 17:54 demoCA
    -rw-r--r--  1 otrs otrs 1708 2006-01-08 18:04 newreq.pem
    otrs@linux:~/tmp>
        

    Script: Creating a certificate request.

  3. Signing of the certificate request. The certificate request can either be signed and thereby certified by your own CA, or made more credible by being signed by another external certified CA (see Script below).

    otrs@linux:~/tmp> CA.pl -signreq
    Using configuration from /etc/ssl/openssl.cnf
    Enter pass phrase for ./demoCA/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                fd:85:f6:9f:14:07:16:c8
            Validity
                Not Before: Jan  8 17:04:37 2006 GMT
                Not After : Jan  8 17:04:37 2007 GMT
            Subject:
                countryName               = DE
                stateOrProvinceName       = OTRS-state
                localityName              = OTRS-town
                organizationName          = Your Company
                commonName                = OTRS administrator
                emailAddress              = [email protected]
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    01:D9:1E:58:C0:6D:BF:27:ED:37:34:14:D6:04:AC:C4:64:98:7A:22
                X509v3 Authority Key Identifier:
                    keyid:10:4D:8D:4C:93:FD:2C:AA:9A:B3:26:80:6B:F5:D5:31:E2:8E:DB:A8
                    DirName:/C=DE/ST=OTRS-state/L=OTRS-town/O=Your Company/
                    CN=OTRS admin/[email protected]
                    serial:FD:85:F6:9F:14:07:16:C7
    
    Certificate is to be certified until Jan  8 17:04:37 2007 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem
    otrs@linux:~/tmp>
        

    Script: Signing of the certificate request.

  4. Generate your own certificate, and all data going with it, using the signed certificate request (see Script below).

    otrs@linux:~/tmp> CA.pl -pkcs12 "OTRS Certificate"
    Enter pass phrase for newreq.pem:
    Enter Export Password:
    Verifying - Enter Export Password:
    otrs@linux:~/tmp> ls -la
    total 12
    drwxr-xr-x  6 otrs otrs  328 2006-01-08 18:04 demoCA
    -rw-r--r--  1 otrs otrs 3090 2006-01-08 18:13 newcert.p12
    -rw-r--r--  1 otrs otrs 3791 2006-01-08 18:04 newcert.pem
    -rw-r--r--  1 otrs otrs 1708 2006-01-08 18:04 newreq.pem
    otrs@linux:~/tmp>
        

    Script: Generating a new certificate.

Now that these operations have been performed, the S/MIME setup must be completed in OTRS.

This part of the setup is carried out in the Admin page, choosing the link "SMIME". In case the general S/MIME support in OTRS has not yet been enabled, the mask points this out to the administrator and provides an appropriate link for enabling it.

With the SysConfig group "Crypt::SMIME", you can also enable and configure the general S/MIME support.

Here you can activate S/MIME support, and define the paths for the OpenSSL command and the directory for the certificates. The key file created above must be stored in the directory indicated here. Otherwise OpenSSL cannot use it.

The next step is performed in the S/MIME configuration on the OTRS Admin page. Here, you can import the private key(s) of the OTRS system and the public keys of other communication partners. Enter the public key that has been created in the beginning of this section and added to OTRS.

Obviously, all public S/MIME keys of communication partners can be imported using the customer administration tool as well.

OTRS Appliance - Powered by TurnKey Linux