Generating SSL certificates for differentpla.net


Because I keep forgetting how to.

Preamble

$ mkdir SSL
$ cd SSL
$ cp /usr/lib/ssl/misc/CA.pl .

Setting up a certificate authority

$ ./CA.pl -newca
CA certificate filename (or enter to create) <Press Enter>

Making CA certificate ...
Generating a 1024 bit RSA private key
.......................++++++
.....................................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: <Enter a passphrase to use for the CA>
Verifying - Enter PEM pass phrase: <Enter the same passphrase>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:differentpla.net
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:ca.differentpla.net
Email Address []: <Enter a valid email address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <Press Enter>
An optional company name []: <Press Enter>
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: <Enter the passphrase from above>
Check that the request matches the signature
Signature ok
Certificate Details:

(snip)

Certificate is to be certified until May 17 06:21:04 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Stashing the CA certificate

# cp /path/to/SSL/demoCA/cacert.pem /etc/ssl/certs/ca-differentpla-net.cer

Generating and signing a certificate

$ ./CA.pl -newreq
Generating a 1024 bit RSA private key
...............++++++
..........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: <Enter a passphrase>
Verifying - Enter PEM pass phrase: <Enter the same passphrase>
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:differentpla.net
Organizational Unit Name (eg, section) []: <Press Enter>
Common Name (eg, YOUR name) []:smtp.differentpla.net
Email Address []: <Enter a valid email address>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: <Press Enter>
An optional company name []: <Press Enter>
Request is in newreq.pem, private key is in newkey.pem
$ ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem: <Enter the CA passphrase>
Check that the request matches the signature
Signature ok
Certificate Details:

(snip)

Certificate is to be certified until May 17 06:28:15 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Stripping the passphrase

$ cp newkey.pem newkey.pem.org
$ openssl rsa -in newkey.pem.org -out newkey.pem
Enter pass phrase for newkey.pem.org: <Enter the passphrase that you provided when generating the key>
writing RSA key

Don't need these files any more

$ rm newreq.pem newkey.pem.org

Storing the certificate and key files

# cp /path/to/SSL/newcert.pem /etc/ssl/certs/smtp-differentpla-net.cer
# chmod a+r /etc/ssl/certs/smtp-differentpla-net.cer
# cp /path/to/SSL/newkey.pem /etc/ssl/private/smtp-differentpla-net.key
# chmod 400 /etc/ssl/private/smtp-differentpla-net.key

Using that certificate for qmail

qmail needs a /var/qmail/control/servercert.pem file containing the key (no passphrase) followed by the certificate.

# cat /etc/ssl/private/smtp-differentpla-net.key /etc/ssl/certs/smtp-differentpla-net.cer > /var/qmail/control/servercert.pem
# chmod 400 /var/qmail/control/servercert.pem
# chown vpopmail.vchkpw /var/qmail/control/servercert.pem

Using a certificate for BincIMAP

# cat /etc/ssl/private/imap-differentpla-net.key /etc/ssl/certs/imap-differentpla-net.cer > /usr/local/etc/bincimap.pem
# chown root.staff /usr/local/etc/bincimap.pem
# chmod 400 /usr/local/etc/bincimap.pem

Making the certificates available to anyone that wants them

# mkdir /path/to/www/certs
# cp /etc/ssl/certs/*.cer /path/to/www/certs
# chmod a+r /path/to/www/certs/*

Comments

See also

There is more on this subject and a different technique at http://www.debian-administration.org/articles/284

Re: See also

I don't know about you, but I find that write-up to be significantly more complicated than what I've done. And what I've done was complicated enough.
