Obtaining a StartCom Murmur Certificate

From Mumble Wiki
Revision as of 22:18, 19 February 2010 by Fwaggle (talk | contribs) (added note about class 1 certs not having tls bit set)

IMPORTANT CAVEAT: Level 1 StartCom certificates (i.e., the kind you don't pay money for) do not have the TLS bit set, which will prevent your Murmur from registering itself as a public server. If you want your server listed in the public server list (shown in the connect dialog for everyone), there are only three solutions: 1) go back to using an automatically generated, self-signed Murmur certificate; 2) pay for Class 2 validation, which will have the TLS bit enabled; 3) pay for a certificate from an alternate certificate provider. :(

This is a quick hands-on guide for obtaining and installing a Class 1 server certificate in murmur on a reasonably modern Linux system.

First of all, we need to generate a key and a signing request. It doesn't matter what you input for country, state, etc., as it will all get replaced by the CA.

$ openssl req -newkey rsa:2048 -nodes -keyout mumble.key -out server_mumble.csr
Generating a 2048 bit RSA private key
writing new private key to 'mumble.key'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []: 
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []:
An optional company name []:

This will create server_mumble.csr, along with the private key mumble.key, which is stored unencrypted because of the -nodes option.

After authenticating to the StartSSL website (assuming you've already added your domain to StartSSL and verified it), click "Certificates Wizard", select "Web Server SSL/TLS Certificate" from the Certificate Target dropdown box, and click "Continue".

Skip the key generation step because we've already generated a key using OpenSSL above. You will now have a text area where you can paste the contents of server_mumble.csr. Paste them in and click "Continue".

After the certificate is generated, place the contents of the text area in a new file, ssl_mumble.crt.

wget --no-check-certificate https://www.startssl.com/certs/sub.class1.server.ca.pem
cat sub.class1.server.ca.pem > ssl_mumble_concat.crt
cat ssl_mumble.crt >> ssl_mumble_concat.crt

Now the file ssl_mumble_concat.crt contains the certificate, and mumble.key contains the key. Move the files into the same folder as murmur.ini and edit the following two lines:


Restart murmur and you're done.

If you've previously run murmur, it will have autogenerated certificates and stored them in its internal configuration database, which takes precedence over the .ini file. To remove these, add the -wipessl parameter to murmur when starting it.
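
The following is an added example, not part of the original wiki page: checks worth running on the files from this guide before moving them next to murmur.ini. They confirm that the pasted certificate belongs to mumble.key, that it is signed by the downloaded intermediate, and that the unencrypted key is not readable by other users. The function names are hypothetical; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: pre-install checks for the files this guide produces.
# Function names are hypothetical; file names follow the guide.

# 0 if the certificate's public key is the one derived from the private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if LEAF carries a valid signature from the CA certificate in CA_PEM.
# -partial_chain lets a non-root intermediate act as the anchor for this
# check; it does not prove that the intermediate itself is genuine, which
# matters here because it was downloaded with --no-check-certificate.
signed_by() {  # usage: signed_by LEAF CA_PEM
    openssl verify -partial_chain -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# 0 if the key file grants nothing to group or others (the key is stored
# unencrypted because the guide generates it with -nodes).
key_is_private() {  # usage: key_is_private KEY
    [ "$(ls -lL "$1" | cut -c5-10)" = "------" ]
}

# Runs all three checks and reports every failure, not just the first.
preinstall_check() {  # usage: preinstall_check CERT KEY CA_PEM
    rc=0
    cert_matches_key "$1" "$2" || { echo "FAIL: $1 does not match $2" >&2; rc=1; }
    signed_by "$1" "$3" || { echo "FAIL: $1 is not signed by $3" >&2; rc=1; }
    key_is_private "$2" || { echo "FAIL: $2 is accessible to group/others" >&2; rc=1; }
    return "$rc"
}

# Run against the guide's files only when all of them are present.
if [ -f ssl_mumble.crt ] && [ -f mumble.key ] && [ -f sub.class1.server.ca.pem ]; then
    preinstall_check ssl_mumble.crt mumble.key sub.class1.server.ca.pem && echo "OK"
fi
```

If the permission check fails, `chmod 600 mumble.key` fixes it, provided the account murmur runs under owns the file.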