
Generating SSL certificates for differentpla.net

Because I keep forgetting how to.

Preamble

CA.pl is the Perl wrapper around openssl req and openssl ca that ships with OpenSSL. The path below is Debian's; on other systems it usually lives in a misc directory next to openssl.cnf. In the transcripts that follow, the text after a prompt's colon describes what to type; it is not literal program output.

$ mkdir SSL
$ cd SSL
$ cp /usr/lib/ssl/misc/CA.pl .

Setting up a certificate authority

CA.pl takes the key size and the DN defaults from /usr/lib/ssl/openssl.cnf (default_bits in the [req] section). The 1024-bit keys in this transcript were the default at the time and are no longer adequate; set default_bits to 2048 or more before running this. The CA certificate is valid for 1095 days (CA.pl's $CADAYS), against 365 days for the certificates it signs.

$ ./CA.pl -newca
CA certificate filename (or enter to create)Press Enter

Making CA certificate ...
Generating a 1024 bit RSA private key
.......................++++++
.....................................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:Enter a passphrase to use for the CA
Verifying - Enter PEM pass phrase:Enter the same passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:differentpla.net
Organizational Unit Name (eg, section) []:Certificate Authority
Common Name (eg, YOUR name) []:ca.differentpla.net
Email Address []:Enter a valid email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Press Enter
An optional company name []:Press Enter
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:Enter the passphrase from above
Check that the request matches the signature
Signature ok
Certificate Details:

(snip)

Certificate is to be certified until May 17 06:21:04 2011 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Stashing the CA certificate

Only the certificate is copied out. The CA's private key stays passphrase-protected in demoCA/private/cakey.pem and is the thing to guard: back it up offline, because losing it means re-issuing every certificate.

# cp /path/to/SSL/demoCA/cacert.pem /etc/ssl/certs/ca-differentpla-net.cer

OpenSSL clients that are pointed at the directory rather than at the file look certificates up by subject hash, so run c_rehash /etc/ssl/certs afterwards if that is how they are configured.

Generating and signing a certificate

The Common Name must be the hostname clients connect to (here smtp.differentpla.net). CA.pl does not add a subjectAltName, so the certificate is good for that one name only.

$ ./CA.pl -newreq
Generating a 1024 bit RSA private key
...............++++++
..........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:Enter a passphrase
Verifying - Enter PEM pass phrase:Enter the same passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UK
State or Province Name (full name) [Some-State]:England
Locality Name (eg, city) []:London
Organization Name (eg, company) [Internet Widgits Pty Ltd]:differentpla.net
Organizational Unit Name (eg, section) []:Press Enter
Common Name (eg, YOUR name) []:smtp.differentpla.net
Email Address []:Enter a valid email address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:Press Enter
An optional company name []:Press Enter
Request is in newreq.pem, private key is in newkey.pem
$ ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:Enter the CA passphrase
Check that the request matches the signature
Signature ok
Certificate Details:

(snip)

Certificate is to be certified until May 17 06:28:15 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Stripping the passphrase

A daemon that starts at boot cannot type a passphrase, so the key is rewritten unencrypted. From here on only file permissions protect it, which is why it gets chmod 400 below.

$ cp newkey.pem newkey.pem.org
$ openssl rsa -in newkey.pem.org -out newkey.pem
Enter pass phrase for newkey.pem.org:Enter the passphrase that you provided when generating the key
writing RSA key

Don't need these files any more

The request has served its purpose and the encrypted copy of the key is now redundant. The signed certificate is not lost: openssl ca also files a copy under demoCA/newcerts/ and records it in demoCA/index.txt.

$ rm newreq.pem newkey.pem.org

Storing the certificate and key files

# cp /path/to/SSL/newcert.pem /etc/ssl/certs/smtp-differentpla-net.cer
# chmod a+r /etc/ssl/certs/smtp-differentpla-net.cer
# cp /path/to/SSL/newkey.pem /etc/ssl/private/smtp-differentpla-net.key
# chmod 400 /etc/ssl/private/smtp-differentpla-net.key

Using that certificate for qmail

qmail needs a /var/qmail/control/servercert.pem file containing the key (no passphrase) followed by the certificate, in that order, owned by the user the TLS-enabled qmail-smtpd runs as (vpopmail on this system) and readable by nobody else.

# cat /etc/ssl/private/smtp-differentpla-net.key /etc/ssl/certs/smtp-differentpla-net.cer > /var/qmail/control/servercert.pem
# chmod 400 /var/qmail/control/servercert.pem
# chown vpopmail:vchkpw /var/qmail/control/servercert.pem
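The steps above (new CA, request, signing, an unencrypted key, then the key-followed-by-certificate bundle) as one non-interactive script. This is an added example, not code from the original post or from CA.pl; it uses plain openssl commands so that each result can be checked. It assumes an openssl CLI of 1.0.2 or later, a scratch directory, 2048-bit RSA keys, and keys written without a passphrase from the start, which is what the stripping step ends up with; it also goes beyond CA.pl by putting the hostname in a subjectAltName, which current clients require.

```shell
#!/bin/sh
# Added example, not part of the original post: the CA.pl flow
# (new CA -> request -> sign -> unencrypted key -> key+cert bundle) done
# non-interactively with plain openssl commands, so the result can be checked.
# Assumptions (hypothetical, not from the post): openssl CLI 1.0.2 or later,
# a scratch directory, 2048-bit RSA keys, keys written without a passphrase.
set -eu

ORG="differentpla.net"   # Organization Name used in every DN
BITS=2048                # key size; the post's 1024 is too small today

# make_ca DIR CA_CN DAYS: self-signed CA in DIR/ca.crt with its key in DIR/ca.key
make_ca() {
    dir=$1; ca_cn=$2; days=$3
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
default_md         = sha256
prompt             = no
[ dn ]
O  = $ORG
OU = Certificate Authority
CN = $ca_cn
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey "rsa:$BITS" -nodes -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days "$days" 2>/dev/null
    chmod 400 "$dir/ca.key"
}

# issue_server_cert DIR HOST DAYS: key and request for HOST, signed by DIR's CA.
# Unlike CA.pl this puts HOST in subjectAltName; modern clients ignore the CN.
issue_server_cert() {
    dir=$1; host=$2; days=$3
    cat > "$dir/$host.cnf" <<EOF
[ req ]
distinguished_name = dn
default_md         = sha256
prompt             = no
[ dn ]
O  = $ORG
CN = $host
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl req -new -newkey "rsa:$BITS" -nodes -config "$dir/$host.cnf" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    chmod 400 "$dir/$host.key"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days "$days" -extfile "$dir/$host.cnf" \
        -extensions v3_server -out "$dir/$host.crt" 2>/dev/null
    rm -f "$dir/$host.csr"   # the request is not needed once signed
}

# verify_server_cert DIR HOST: succeed only if the certificate chains to DIR's
# CA, the private key matches it, the SAN is present and the key is BITS long.
verify_server_cert() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" 2>/dev/null | grep -q ': OK$' || return 1
    cert_pub=$(openssl x509 -in "$dir/$host.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host" || return 1
    openssl pkey -in "$dir/$host.key" -noout -text | grep -q "($BITS bit" || return 1
}

# bundle_key_and_cert DIR HOST OUT: key followed by certificate, the layout
# qmail's servercert.pem expects, readable only by its owner.
bundle_key_and_cert() {
    dir=$1; host=$2; out=$3
    cat "$dir/$host.key" "$dir/$host.crt" > "$out" || return 1
    chmod 400 "$out"
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$out")" -eq 1 ] || return 1
    [ "$(grep -c 'BEGIN CERTIFICATE' "$out")" -eq 1 ] || return 1
}

# demo: run the whole flow for smtp.differentpla.net in a temporary directory
demo() {
    work=$(mktemp -d)
    make_ca "$work" ca.differentpla.net 1095
    issue_server_cert "$work" smtp.differentpla.net 365
    verify_server_cert "$work" smtp.differentpla.net
    bundle_key_and_cert "$work" smtp.differentpla.net "$work/servercert.pem"
    echo "CA, certificate and bundle written to $work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh make-certs.sh demo`. The verify step is the part CA.pl never does for you: it confirms the chain, that the key in the bundle really belongs to the certificate, and that the name clients will check is actually in the certificate, before anything is copied into /etc/ssl or /var/qmail/control.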

Using a certificate for BincIMAP

First repeat the -newreq and -sign steps with a Common Name of imap.differentpla.net and store the results as /etc/ssl/private/imap-differentpla-net.key and /etc/ssl/certs/imap-differentpla-net.cer, exactly as above. BincIMAP wants the same key-then-certificate layout in a single file:

# cat /etc/ssl/private/imap-differentpla-net.key /etc/ssl/certs/imap-differentpla-net.cer > /usr/local/etc/bincimap.pem
# chown root:staff /usr/local/etc/bincimap.pem
# chmod 400 /usr/local/etc/bincimap.pem

Making the certificates available to anyone that wants them

Only the public .cer files are published; the keys in /etc/ssl/private must never be copied here. The set includes ca-differentpla-net.cer, which is the one clients need to import to trust the server certificates.

# mkdir /path/to/www/certs
# cp /etc/ssl/certs/*.cer /path/to/www/certs
# chmod a+r /path/to/www/certs/*
