SSL Certificates
From IthrynWiki
Certificate Authority (CA)
These commands assume that you are root, and that you are in /etc/ssl/
Generate a new RSA key pair. Choose a very good passphrase.
openssl genrsa -des3 -out ca.key 1024
Use the key to create a new public certificate for a CA. You will be prompted for various fields; this information will be added to this page at a later time.
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
View the new certificate:
openssl x509 -noout -text -in ca.crt
Make sure the new files have the following permissions:
-rw-r----- 1 root root 963 2003-11-09 01:06 ca.key
-rw-r--r-- 1 root root 1371 2003-11-09 01:09 ca.crt
Translating CA to a format MSIE can read
I'm no longer sure this is correct.
openssl x509 -in ca.crt -outform DER -out ca.der
These files are linked from /var/www/default/certs, at http://ithryn.net/certs/
Generating a Webserver Certificate
First, generate a new webserver RSA key pair. Choose a temporary password.
openssl genrsa -des3 -out secure_ithryn_net.key.pass 1024
Write the key out again without a password (the passwordless key is the one Apache and the signing step use):
openssl rsa -in secure_ithryn_net.key.pass -out secure_ithryn_net.key
Generate a certificate request for secure.ithryn.net.
openssl req -new -key secure_ithryn_net.key -out secure_ithryn_net.csr
Use Ithryn's Root CA to sign the request. This is done via the sign.sh script, currently in ~b/bin/sign.sh
sign.sh secure_ithryn_net.csr
Make sure the files have the following permissions:
-r--r--r-- 1 root root 2807 2005-11-16 19:28 secure_ithryn_net.crt
-r--r----- 1 root root 887 2005-11-16 19:26 secure_ithryn_net.key
The .csr and .key.pass files may be deleted.
Configuring Apache for HTTPS
Make sure the following two symlinks are present.
ln -s /etc/ssl/secure_ithryn_net.key /etc/apache2/ssl/secure_ithryn_net.key
ln -s /etc/ssl/secure_ithryn_net.crt /etc/apache2/ssl/secure_ithryn_net.crt
Generating a Mail Server Certificate
First, generate a new mail server RSA key pair. Choose a temporary password.
openssl genrsa -des3 -out mail_ithryn_net.key.pass 1024
Write the key out again without a password:
openssl rsa -in mail_ithryn_net.key.pass -out mail_ithryn_net.key
Generate a certificate request for mail.ithryn.net.
openssl req -new -key mail_ithryn_net.key -out mail_ithryn_net.csr
Use Ithryn's Root CA to sign the request. This is done via the sign.sh script, currently in ~b/bin/sign.sh
sign.sh mail_ithryn_net.csr
The .csr and .key.pass files may be deleted. For Courier IMAPS, a .pem file must also be created: copy mail_ithryn_net.key to mail_ithryn_net.pem and append the block from mail_ithryn_net.crt running from BEGIN CERTIFICATE to END CERTIFICATE (the key comes first, then the certificate).
Make sure the files have the following permissions:
-r--r--r-- 1 root root 2807 2005-11-16 19:12 mail_ithryn_net.crt
-r--r----- 1 postfix root 887 2005-11-17 02:03 mail_ithryn_net.key
-r--r----- 1 root root 1896 2005-11-16 19:16 mail_ithryn_net.pem
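The webserver and mail server procedures above both end with a signed .crt, a passwordless .key and (for Courier) a combined .pem, but nothing checks that the pieces actually belong together. The following added script (not part of this wiki or its sign.sh) verifies that the certificate chains to ca.crt, that the key matches the certificate, that the key is not world-readable as in the listings above, and builds the Courier .pem; file names are passed as arguments.

```shell
#!/bin/sh
# Added sanity checks for a certificate issued by the local CA (assumed
# layout: ca.crt, <name>.crt and <name>.key as produced by the steps above).
set -eu

# 1. The certificate must verify against ca.crt, i.e. it was really signed by
#    our CA and is not a leftover self-signed or expired certificate.
check_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 2. The private key must belong to the certificate: compare the public keys
#    rather than trusting matching file names.  "-passin pass:" stops openssl
#    from prompting if someone passes the still-encrypted .key.pass by mistake.
check_key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl rsa -in "$2" -pubout -passin pass: 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. The key must not be readable by "other" (-r--r----- in the listings);
#    a non-zero last octal digit means world access of some kind.
check_key_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        *[1-7]) return 1 ;;
    esac
    return 0
}

# 4. Courier IMAPS wants key followed by certificate in one .pem.  "openssl
#    x509 -in" prints exactly the BEGIN/END CERTIFICATE block, nothing else.
#    Created with umask 077 so the key material is never world-readable.
make_courier_pem() {   # args: cert key out.pem
    ( umask 077; { cat "$2"; openssl x509 -in "$1"; } > "$3" )
}

# Run all checks; args: ca.crt cert key
check_issued() {
    check_chain "$1" "$2"        || { echo "FAIL: $2 is not signed by $1"; return 1; }
    check_key_matches "$2" "$3"  || { echo "FAIL: $3 does not match $2";   return 1; }
    check_key_private "$3"       || { echo "FAIL: $3 is readable by others"; return 1; }
    echo "OK: $2 chains to $1, matches $3, key permissions are private"
}

# Usage: sh check_cert.sh ca.crt mail_ithryn_net.crt mail_ithryn_net.key
[ $# -eq 0 ] || check_issued "$@"
```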
Configuring Postfix for SMTPS Support
This will be expanded later.
smtpd_tls_CAfile = /etc/ssl/ca.crt
smtpd_tls_key_file = /etc/ssl/mail_ithryn_net.key
smtpd_tls_cert_file = /etc/ssl/mail_ithryn_net.crt
Create a User S/MIME Certificate
Generate certificate request and private key.
openssl req -new -out user_ithryn_net.csr -keyout private/user_ithryn_net.key
Use Ithryn's root CA to sign the CSR.
openssl ca -config ca.config -out user_ithryn_net.crt -infiles user_ithryn_net.csr
Package the certificate and private key as a PKCS#12 (.pfx) file for import into the mail client:
sudo openssl pkcs12 -export -in user_ithryn_net.crt -inkey private/user_ithryn_net.key -out private/user_ithryn_net.pfx -name "Full Name" -des3
