How to: Manage SSL Certificates For System Services
===================================================

The InterWorx Control Panel provides a simple-to-use interface for managing SSL Certificates for system services. These services include the InterWorx internal web server, FTP, SMTP, and Dovecot.

From the SSL Certificates page in NodeWorx, it is possible to view and edit a service's SSL Certificate, generate a self-signed SSL Certificate, add an SSL certificate purchased from a Certificate Authority, generate Let's Encrypt certificates for system services, apply a SiteWorx account's SSL certificate to system services, and update all services in a single step.

.. contents::

To View a Service's SSL Certificate
-----------------------------------

#. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

#. From NodeWorx, navigate to **Server > SSL Certificates**

#. Click the **Magnifying Glass** next to the service

   .. image:: /images/nw-system-ssl-view.png
      :alt: system SSL certs

To Edit a Service's SSL Certificate
-----------------------------------

#. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

#. From NodeWorx, navigate to **Server > SSL Certificates**

#. Click the **Pencil** next to the service. This opens the Edit an SSL Certificate form

#. Update the required fields:

   - **Private Key**: The private key

   - **SSL Certificate**: The SSL certificate

   - **Chain Certificate**: (Optional) The chain certificate

   - **SSL Cipher Suite**: (Optional) The OpenSSL cipher specification that sets which cipher suites the client is permitted to negotiate during the SSL handshake. This will most likely not need to be edited

   - **Restart Services**: Most services must be restarted before the SSL Certificates are applied. The service restarts are usually very fast, and there should not be any significant service interruption

   .. image:: /images/nw-system-ssl-edit.png
      :alt: edit Service SSL cert

#. Click **Save**

Updating the SSL Certificate for System Services
------------------------------------------------

InterWorx can update all system service SSL certificates at one time. The service SSL certificates may be updated by generating a self-signed certificate, copying and pasting an SSL certificate purchased from a Certificate Authority, using the SSL certificate of a SiteWorx account, or generating a Let's Encrypt certificate for the hostname domain.

.. image:: /images/nw-system-ssl-update-form.png
   :alt: update server SSL cert

To Generate a Self-Signed SSL Certificate
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

#. From NodeWorx, navigate to **Server > SSL Certificates**

#. Click **...**. This opens an options form

#. Select **Generate a Self-Signed SSL Certificate**

#. Update the required fields. These include:

   - **Key Length**: 2048 is the standard

   - **Years Until Expiration**: Determines when the SSL certificate will expire

   - **Common Name**: The domain name the certificate will use. Note that www.domain.com is not the same as domain.com. A wildcard domain (which begins with an asterisk) is a valid option and applies to all subdomains

     - For example, a Common Name of \*.domain.com would create a CSR that is valid for domain.com, sub1.domain.com, sub2.domain.com, etc

   - **Subject Alternative Name**: (Optional) List of alternative domain names to associate with the certificate

   - **Email Address**: Email address that is associated with the certificate

#. Select the E-mail SSL Certificate **checkbox** to receive a confirmation email

#. Select the **checkboxes** next to the services the SSL Certificate will be installed for automatically upon generation

#. Select **Yes** or **No** from the Restart Services Now dropdown

   - Most services must be restarted before the SSL Certificates are applied. The service restarts are usually very fast, and there should not be any significant service interruption

   .. image:: /images/nw-system-ssl-self-signed.png
      :alt: service self signed ssl

#. Click **Generate**

To Use an SSL Certificate Purchased From a Certificate Authority
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

#. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

#. From NodeWorx, navigate to **Server > SSL Certificates**

#. Click **...**. This opens an options form

#. Select **Update All Services**

#. Select **Copy/Paste** from the Certificate Source dropdown

#. Update the required fields:

   - **Private Key**: The private key provided by the Certificate Authority (CA)

   - **SSL Certificate**: The SSL certificate provided by the CA

   - **Chain Certificate**: (Optional) The chain certificate, if one was provided by the CA

#. Select the **checkboxes** next to the services the SSL Certificate will be installed for automatically upon generation

#. Select **Yes** or **No** from the Restart Services Now dropdown

   - Most services must be restarted before the SSL Certificates are applied. The service restarts are usually very fast, and there should not be any significant service interruption

   .. image:: /images/nw-system-ssl-update-cp.png
      :alt: purchased service ssl cert

#. Click **Save**

To Use the SSL Certificate of a SiteWorx Account
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note::

   To avoid domain mismatch security errors in browsers, it is recommended, if using this option, to create a SiteWorx account for the hostname domain. The domain is also required to resolve to the server. More information on creating a SiteWorx account can be found :doc:`here `.

#. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

#. From NodeWorx, navigate to **Server > SSL Certificates**

#. Click **...**. This opens an options form

#. Select **Update All Services**

#. Select **Domain** from the Certificate Source dropdown

#. Select **the domain** from the Certificate From dropdown

#. Select the **checkboxes** next to the services the SSL Certificate will be installed for automatically upon generation

#. Select **Yes** or **No** from the Restart Services Now dropdown

   - Most services must be restarted before the SSL Certificates are applied. The service restarts are usually very fast, and there should not be any significant service interruption

   .. image:: /images/nw-system-ssl-update-domain.png
      :alt: domain level ssl cert for services

#. Click **Save**

To Generate System Service SSL Certificates using Let's Encrypt
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

.. note::

   Using Let's Encrypt for system service SSL certificates requires that the hostname domain both resolves to the server and is not attached to a SiteWorx account.

#. Log into NodeWorx from the browser (https://ip.ad.dr.ess:2443/nodeworx)

#. From NodeWorx, navigate to **Server > SSL Certificates**

#. Click **...**. This opens an options form

#. Select **Update All Services**

#. Select **Let's Encrypt** from the Certificate Source dropdown

#. Update the required fields:

   - **Hostname**: The hostname domain of the server

   - **Email Address**: Email address associated with the certificate

   - **Mode**: Let's Encrypt rate limits attempts to generate a certificate. If generating a Let's Encrypt certificate for a domain fails too many times, attempts are locked out for a period of time. Because of this limitation, there are two options for SSL certificate generation. More information on Let's Encrypt rate limiting can be found `here `__

     - **Live**: Will attempt to generate a live certificate. Failed attempts count against the rate limit

     - **Staging**: Recommended before attempting Live mode. Will attempt to generate a test certificate. Failed attempts do not count against the rate limit

#. Select the **checkboxes** next to the services the SSL Certificate will be installed for automatically upon generation

#. Select **Yes** or **No** from the Restart Services Now dropdown

   - Most services must be restarted before the SSL Certificates are applied. The service restarts are usually very fast, and there should not be any significant service interruption

   .. image:: /images/nw-system-ssl-le.png
      :alt: let's encrypt system certs

#. Click **Save**
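
A pre-flight check for the Copy/Paste procedure above, added here as an example (not InterWorx code): it confirms that the private key belongs to the certificate, that the certificate has not expired, and that it covers the server hostname, so a bad pair is caught before any service is restarted. The function names and the ``example.test`` hostnames are assumptions, and the sample pairs are constructed on the fly with ``openssl``.

```shell
#!/bin/sh
# Pre-flight checks for a key/certificate pair before it is pasted into NodeWorx.
# Added example; function names and hostnames below are hypothetical.

# Constructed sample: a throwaway 2048-bit self-signed pair for CN $2 in directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# check_pair KEY CERT HOSTNAME
# Returns 0 if the pair is usable, 1 if the key does not belong to the
# certificate, 2 if either file cannot be parsed, 3 if the certificate has
# expired, 4 if the certificate does not cover HOSTNAME.
check_pair() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    # Both commands print the same public-key PEM when the key matches the certificate.
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ] || return 1
    # -checkend 0 fails when the certificate is already past its notAfter date.
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 3
    # -checkhost prints "does match" or "does NOT match"; parse the text, not the exit code.
    openssl x509 -in "$2" -noout -checkhost "$3" 2>/dev/null \
        | grep -q "does match" || return 4
    return 0
}

# Run check_pair and print its result code next to a label.
report() {
    label=$1; shift
    rc=0; check_pair "$@" || rc=$?
    echo "$label: $rc"
}

demo() {
    dir=$(mktemp -d)
    make_sample "$dir" host.example.test
    make_sample "$dir" other.example.test
    report "matching pair" "$dir/host.example.test.key" "$dir/host.example.test.crt" host.example.test
    report "wrong key" "$dir/other.example.test.key" "$dir/host.example.test.crt" host.example.test
    report "wrong hostname" "$dir/host.example.test.key" "$dir/host.example.test.crt" www.example.test
    rm -rf "$dir"
}
demo
```

For a certificate from a CA, pass the saved private key file, the certificate file, and the server's hostname to ``check_pair``; a non-zero result means the pair should not be pasted into the form as it stands.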