Book:OTRS 3.0 - Admin Manual/Chapter 17

At first glance, encryption with S/MIME seems a little more complicated than with PGP. First, you have to establish a Certification Authority (CA) for the OTRS system, following which the procedures are very much like those needed with PGP: configure OTRS, install your own certificate, import other public certificates as needed, etc.

The S/MIME configuration is conducted outside the OTRS web interface for the most part, and should be carried out in a shell by the 'otrs' user. The S/MIME configuration under Linux is based on SSL (OpenSSL). Therefore, first check whether the OpenSSL package is installed on your system. The OpenSSL package includes a script called CA.pl, with which the most important steps of certificate creation can be performed. To simplify the procedure, find out where in the filesystem the CA.pl script is stored and enter the location temporarily into the PATH variable of the shell (see Script 17.1 below).

Script 17.1 shows that a new temporary directory ~/tmp has been created, in which the certificate is to be generated.

To create a certificate, perform the following operations in the command line. We assume that the OTRS administrator has to create an SSL certificate for test and learning purposes. If you already have a certified SSL certificate for the encryption, use it and skip these steps.

1. Establish your own Certification Authority for SSL. You need it to certify the request for your own SSL certificate (see Script 17.2 below).

2. Generate a certificate request (see Script 17.3 below).

3. Sign the certificate request. The certificate request can either be signed and thereby certified by your own CA, or made more credible by being signed by another external certified CA (see Script 17.4 below).

4. Generate your own certificate, and all data going with it, using the signed certificate request (see Script 17.5 below).
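
The four steps above as an added example (not the manual's Scripts 17.2 to 17.5): it calls openssl directly instead of CA.pl so that it runs without prompts, then checks the result before anything is imported into OTRS. The subjects, file names, e-mail address and PKCS#12 password are constructed placeholders, the PKCS#12 bundle in step 4 is an assumption, and the keys are left unencrypted, which suits only the test setup described here.

```shell
#!/bin/sh
# Added example: test CA and S/MIME certificate with plain openssl commands.
# Subjects, file names and the PKCS#12 password are constructed placeholders.

make_test_smime_cert() {  # usage: make_test_smime_cert DIR EMAIL
    (
        umask 077                         # private keys readable by owner only
        mkdir -p "$1" && cd "$1" || exit 1
        # 1. Own CA: self-signed certificate; key unencrypted (test use only).
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Test OTRS CA" \
            -keyout cakey.pem -out cacert.pem 2>/dev/null || exit 1
        # 2. Certificate request for the OTRS system address.
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=OTRS Test/emailAddress=$2" \
            -keyout newkey.pem -out newreq.pem 2>/dev/null || exit 1
        # 3. Sign the request with the CA from step 1.
        openssl x509 -req -in newreq.pem -CA cacert.pem -CAkey cakey.pem \
            -CAcreateserial -days 365 -out newcert.pem 2>/dev/null || exit 1
        # 4. Bundle certificate, key and CA certificate (PKCS#12 assumed).
        openssl pkcs12 -export -in newcert.pem -inkey newkey.pem \
            -certfile cacert.pem -name "OTRS Certificate" \
            -passout pass:changeit -out newcert.p12 || exit 1
    )
}

check_smime_cert() {  # usage: check_smime_cert DIR; returns 0 if all checks pass
    (
        cd "$1" || exit 1
        # The certificate must chain to the CA that will be trusted.
        openssl verify -CAfile cacert.pem newcert.pem >/dev/null 2>&1 || exit 1
        # The private key must belong to the certificate (compare public keys).
        cert_pub=$(openssl x509 -in newcert.pem -noout -pubkey) || exit 1
        key_pub=$(openssl pkey -in newkey.pem -pubout) || exit 1
        [ "$cert_pub" = "$key_pub" ] || exit 1
        # Round trip: sign a message, then verify it against the CA.
        printf 'S/MIME self-test\n' > msg.txt
        openssl smime -sign -in msg.txt -signer newcert.pem \
            -inkey newkey.pem -out msg.p7s 2>/dev/null || exit 1
        openssl smime -verify -in msg.p7s -CAfile cacert.pem \
            -out /dev/null 2>/dev/null
    )
}
```

A failing `check_smime_cert` usually means the key file and certificate do not belong together, which is worth catching before the files are copied into the certificate directory that OTRS uses.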

 

Now that these operations have been performed, the S/MIME setup must be completed in OTRS. This part of the setup is carried out in the Admin page, by choosing the link "SMIME". If the general S/MIME support in OTRS has not yet been enabled, the screen points this out to the administrator and provides an appropriate link for enabling it.

With the SysConfig group "Crypt::SMIME", you can also enable and configure the general S/MIME support. Here you can activate S/MIME support, and define the paths for the OpenSSL command and the directory for the certificates. The key file created above must be stored in the directory indicated here. Otherwise OpenSSL cannot use it.

The next step is performed in the S/MIME configuration on the OTRS Admin page. Here, you can import the private key(s) of the OTRS system and the public keys of other communication partners. Enter the public key that was created at the beginning of this section and added to OTRS.

Obviously, all public S/MIME keys of communication partners can be imported using the customer administration tool as well.