Commit 8c96614a authored Sep 10, 2019 by Diego Louzán
Committed by Achilleas Pipinellis Sep 10, 2019
docs: add full omnibus example for smime signing
- minor style corrections - document rsa keys limitation
parent 2b06f615
Showing 1 changed file with 39 additions and 12 deletions
doc/administration/smime_signing_email.md
...
...
@@ -11,29 +11,56 @@ S/MIME signs and/or encrypts the message itself
## Enable S/MIME signing
This setting must be explicitly enabled and a single pair of key and certificate
files must be provided in
`gitlab.rb`
or
`gitlab.yml`
if you are using Omnibus
GitLab or installed GitLab from source respectively:
```
yaml
email_smime
:
enabled
:
true
key_file
:
/etc/pki/smime/private/gitlab.key
cert_file
:
/etc/pki/smime/certs/gitlab.crt
```
files must be provided:
-
Both files must be
provided
PEM-encoded.
-
The key file must be unencrypted so that Git
l
ab can read it without user
-
Both files must be PEM-encoded.
-
The key file must be unencrypted so that Git
L
ab can read it without user
intervention.
-
Only RSA keys are supported.
NOTE:
**Note:**
Be mindful of the access levels for your private keys and visibility to
third parties.
**For Omnibus installations:**
1.
Edit
`/etc/gitlab/gitlab.rb`
and adapt the file paths:
```
ruby
gitlab_rails
[
'gitlab_email_smime_enabled'
]
=
true
gitlab_rails
[
'gitlab_email_smime_key_file'
]
=
'/etc/gitlab/ssl/gitlab_smime.key'
gitlab_rails
[
'gitlab_email_smime_cert_file'
]
=
'/etc/gitlab/ssl/gitlab_smime.crt'
```
1.
Save the file and
[
reconfigure GitLab
](
restart_gitlab.md#omnibus-gitlab-reconfigure
)
for the changes to take effect.
NOTE:
**Note:**
The key needs to be readable by the GitLab system user (
`git`
by default).
**For installations from source:**
1.
Edit
`config/gitlab.yml`
:
```
yaml
email_smime
:
# Uncomment and set to true if you need to enable email S/MIME signing (default: false)
enabled
:
true
# S/MIME private key file in PEM format, unencrypted
# Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
key_file
:
/etc/pki/smime/private/gitlab.key
# S/MIME public certificate key in PEM format, will be attached to signed messages
# Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
cert_file
:
/etc/pki/smime/certs/gitlab.crt
```
1.
Save the file and
[
restart GitLab
](
restart_gitlab.md#installations-from-source
)
for the changes to take effect.
NOTE:
**Note:**
The key needs to be readable by the GitLab system user (
`git`
by default).
### How to convert S/MIME PKCS#12 / PFX format to PEM encoding
Typically S/MIME certificates are handled in binary PKCS#12 format (
`.pfx`
or
`.p12`
extensions), which contain the following in a single encrypted file:
-
Server
certificate
-
Public
certificate
-
Intermediate certificates (if any)
-
Private key
...
...
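Review bot: the note added under both the Omnibus and the source steps, "The key needs to be readable by the GitLab system user (`git` by default)", gives only the minimum permission and never says the key should be readable by that user alone. Since the bullet list requires the key file to be unencrypted, file permissions are the only protection the key has, and "Be mindful of the access levels for your private keys" is too vague to act on. Suggest replacing the general note with a concrete requirement, for example that the key file is owned by the GitLab system user and not readable by group or others, and stating it once beside the "must be unencrypted" bullet instead of repeating the same note in each installation section. The `cert_file` comment in the `gitlab.yml` example also reads "S/MIME public certificate key", which mixes two terms; "S/MIME public certificate" would match the rest of the page.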