SslCertificates
How to create SSL-Certificates:
More info available at: http://ospkibook.sourceforge.net/
----
Creating Self-Signed Certificate Authority Certificate
openssl req -x509 -newkey rsa:1024 -days {days} \
-keyout private/cakey.pem -out certs/cacert.pem
The ={days}= parameter should be replaced by the number of days you want this certificate to remain valid. All certificates signed by this certificate become invalid when this certificate expires.
Be sure not to forget the pass-phrase you use to protect the private key of the CA certificate. If you do not wish to encrypt the CA's private key you may specify the =-nodes= option, but this is highly discouraged.
You can check the contents of the CA certificate with the command:
openssl x509 -text -in certs/cacert.pem
----
Generating a RSA CSR
openssl req -newkey rsa:1024 -keyout private/{name}-key.pem \
-out requests/{name}-req.pem
={name}= should be replaced by something that identifies the files, perhaps the hostname or userid for which the certificate is being generated.
If you are generating a CSR for use as a host certificate, be sure to specify the fully qualified domain name as reported by the DNS as the Common Name for the certificate. Otherwise clients will not recognize it as belonging to the host it is installed on.
Be sure not to forget the pass-phrase you use to protect this private key. The certificate (after signing) is unusable without it.
Use the =-nodes= option if you wish to store the key unencrypted.
You can check the contents of the CSR with the command:
openssl req -text -in requests/{name}-req.pem
The CSR now stored in requests/{name}-req.pem may be sent to one of the commercial CAs if you do not wish to be your own CA.
----
Signing a CSR with your CA certificate
openssl ca -name {caname} -in requests/{name}-req.pem \
-out certs/{name}.pem -days {days}
The ={days}= parameter should be replaced by the number of days you want the signed certificate to remain valid. If you want to specify an explicit date range you can replace the =-days= parameter with:
-startdate YYMMDDHHMMSSZ - certificate validity notBefore
-enddate YYMMDDHHMMSSZ - certificate validity notAfter
The file certs/{name}.pem now contains a signed certificate that may be used by a host or client for authentication in conjunction with its matching private key (private/{name}-key.pem).
An alternative method of signing the CSR is to use the command:
openssl x509 -req -in requests/{name}-req.pem -CA certs/cacert.pem \
-CAkey private/cakey.pem -out certs/{name}.pem -days {days} \
-CAserial ca.srl -CAcreateserial
The "openssl x509" command provides greater functionality at the expense of ease of use. It may be used to add X.509v3 certificate extensions with the =-extfile= and =-extensions= switches, and to produce certificates that may only be used for specific purposes.
You can check the contents of the signed certificate with the command:
openssl x509 -text -in certs/{name}.pem
----
Creating pkcs12 certificates
openssl pkcs12 -inkey private/{name}-key.pem -in certs/{name}.pem \
-out certs/{name}.p12 -export
-- Main.RamonSierra? - 01 Dec 2000
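As an added worked example (not part of the original page, and not the scripts it mentions), here is the whole procedure above run non-interactively in a scratch directory: self-signed CA, host key and CSR, signing with "openssl x509 -req" plus an extension file, chain verification, and PKCS#12 export. The key size (2048 rather than the page's 1024), subject names, file names, the extension file and the export password are all constructed for the demo, and =-nodes= is used only so the script runs unattended. The extension file adds a subjectAltName because current TLS clients match the hostname against the SAN and ignore the CN.

```shell
#!/bin/sh
# Added example, not from the page: CA -> CSR -> sign -> verify -> PKCS#12,
# following the page's private/, requests/ and certs/ layout.
set -e

# Build a throwaway CA under $1 and issue a server certificate for host $2.
make_demo_pki() {
    dir="$1"
    host="$2"
    mkdir -p "$dir/private" "$dir/certs" "$dir/requests"
    chmod 700 "$dir/private"

    # 1. Self-signed CA certificate. -nodes only because this runs unattended;
    #    a real CA key should be passphrase protected, as the page says.
    openssl req -x509 -newkey rsa:2048 -days 365 -nodes \
        -subj "/CN=Demo Root CA/O=Example" \
        -keyout "$dir/private/cakey.pem" -out "$dir/certs/cacert.pem" 2>/dev/null

    # 2. Host key and CSR. The CN is the FQDN clients will connect to.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$host/O=Example" \
        -keyout "$dir/private/$host-key.pem" \
        -out "$dir/requests/$host-req.pem" 2>/dev/null

    # 3. Extension file (constructed): SAN for hostname matching, server-only
    #    usage, and an explicit "not a CA" constraint.
    cat > "$dir/$host.ext" <<EOF
subjectAltName=DNS:$host
extendedKeyUsage=serverAuth
basicConstraints=CA:FALSE
EOF

    # 4. Sign with the page's alternative method, applying the extensions.
    openssl x509 -req -in "$dir/requests/$host-req.pem" \
        -CA "$dir/certs/cacert.pem" -CAkey "$dir/private/cakey.pem" \
        -CAserial "$dir/ca.srl" -CAcreateserial \
        -days 90 -extfile "$dir/$host.ext" \
        -out "$dir/certs/$host.pem" 2>/dev/null

    # 5. Bundle certificate, key and CA into a PKCS#12 file.
    #    "demo" is a constructed export password.
    openssl pkcs12 -export -inkey "$dir/private/$host-key.pem" \
        -in "$dir/certs/$host.pem" -certfile "$dir/certs/cacert.pem" \
        -passout pass:demo -out "$dir/certs/$host.p12"
}

# Return 0 only if the issued certificate chains to the demo CA and carries
# the expected subjectAltName.
verify_demo_cert() {
    dir="$1"
    host="$2"
    openssl verify -CAfile "$dir/certs/cacert.pem" \
        "$dir/certs/$host.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/certs/$host.pem" -noout -text 2>/dev/null \
        | grep -q "DNS:$host" || return 1
}

# Usage (uncomment to run stand-alone):
# tmp=$(mktemp -d)
# make_demo_pki "$tmp" www.example.test
# verify_demo_cert "$tmp" www.example.test && echo "issued and verified"
```

The verify step is the check the page's "openssl x509 -text" inspection does by eye: openssl verify confirms the signature and validity window against the CA, and the grep confirms the extension actually landed in the certificate rather than only in the CSR.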
----
Creating Secure IMAP certificates
To do secure IMAP, we use stunnel on astraeus. The mail server certificates expire every year, here's how I built a new one.
# cd /usr/local/ssl/newcerts
# sh newcert_np.sh stunnel
# sh certsign.sh stunnel
# /etc/rc.d/init.d/simap stop
# mv /usr/local/ssl/certs/stunnel.pem /usr/local/ssl/certs/stunnel.old
# cat certs/stunnel.pem private/stunnel-key.pem > /usr/local/ssl/certs/stunnel.pem
# chmod 600 /usr/local/ssl/certs/stunnel.pem
# /etc/rc.d/init.d/simap start
Since the request is now on file, we should keep it and resign it next year, so we could skip the first 2 steps.
----
Making certificates for sendmail STARTTLS
Here is the procedure I followed for constructing and installing the SSL certificates for sendmail to use in STARTTLS sessions. See SmtpAuthAndStartTls for information on the sendmail configuration required.
[root@astraeus humberto]# cd /usr/local/ssl/newcerts/
[root@astraeus newcerts]# ./newcert_np.sh mail
Using configuration from /etc/ssl/openssl.cnf
Generating a 1024 bit RSA private key
...................++++++
.....++++++
writing new private key to 'private/mail-key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:PR
State or Province Name (full name) [Some-State]:Puerto Rico
Locality Name (eg, city) []:San Juan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:UPR HPCf
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mail.hpcf.upr.edu
Email Address []:root@hpcf.upr.edu

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@astraeus newcerts]# ./certsign.sh mail
Signature ok
subject=/C=PR/ST=Puerto Rico/L=San Juan/O=UPR HPCf/CN=mail.hpcf.upr.edu/Email=root@hpcf.upr.edu
Getting CA Private Key
Enter PEM pass phrase:
[root@astraeus newcerts]# mkdir /etc/mail/certs
[root@astraeus newcerts]# cp certs/mail.pem /etc/mail/certs/host.cert
[root@astraeus newcerts]# cp private/mail-key.pem /etc/mail/certs/host.key
-- Main.HumbertoOrtiz - 28 May 2002
----
Webmail Certificates
I just moved the webmail certificates to the newcerts directory too.
When the cert expires (or just before 12 Nov 2003) you should be able to do:
# ./certsign.sh webmail
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl startssl
-- Main.HumbertoOrtiz - 12 Nov 2002
New webmail certs --humberto, Sun, 28 May 2006 18:52:41 -0400
I made a new webmail certificate for webmail2.hpcf.upr.edu. I logged in as root, then cd /etc/pki/tls/certs and run make -B webmail.pem SERIAL=2. This makes a self signed certificate with no password, so I had to edit the /etc/httpd/conf.d/ssl.conf to not use webmail-key.pem.
This key is valid until May 2007.
qmail certs --humberto, Fri, 15 Jun 2007 12:21:46 -0400
The qmail smtp cert expired today, here's what I did to make a new one:
cd /etc/pki/tls/certs
make smtp.pem
cp smtp.pem /var/qmail/control/servercert.pem
chown root:qmail /var/qmail/control/servercert.pem
Make sure the common name (CN) field is "mail.hpcf.upr.edu".
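As an added example (not from the page, and not the newcert_np.sh or certsign.sh scripts it mentions), here are the checks a practitioner would run around the renewals described in the posts above: read the CN back from a certificate, test how much validity remains, build the single cert+key file that stunnel uses with owner-only permissions, and confirm a certificate and a private key belong together. All paths, names and the self-signed demo certificate are constructed for the demo; nothing refers to the real hosts on the page.

```shell
#!/bin/sh
# Added example, not from the page: renewal-time checks for an installed
# certificate. Everything here runs against a constructed demo certificate.
set -e

# Create a self-signed demo certificate and key under $1 with CN=$2, valid $3 days.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/demo-key.pem" -out "$1/demo.pem" 2>/dev/null
}

# Print the CN of the certificate subject. RFC 2253 output ("CN=x,O=y") is
# stable across OpenSSL versions, unlike the default subject format.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Return 0 if the certificate will still be valid $2 days from now,
# non-zero if it will have expired by then (use this for renewal reminders).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Build the combined cert+key file stunnel expects ($1 cert, $2 key, $3 output),
# readable only by its owner, as the IMAP post does with cat and chmod 600.
combine_cert_key() {
    cat "$1" "$2" > "$3"
    chmod 600 "$3"
}

# Return 0 if the public key inside certificate $1 equals the public key
# derived from private key $2; works for RSA and EC keys alike.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Usage (uncomment to run stand-alone):
# tmp=$(mktemp -d)
# make_demo_cert "$tmp" mail.example.test 30
# cert_cn "$tmp/demo.pem"
# cert_valid_for_days "$tmp/demo.pem" 14 && echo "still valid in two weeks"
```

cert_key_match is the check to run after a "make ... SERIAL=2" style regeneration like the webmail post describes: a certificate regenerated with a fresh key silently stops matching the old key file still named in the server configuration, and comparing the public keys catches that before the service is restarted.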