Generate an SSL Certificate

There are two parts to creating an SSL certificate: creating the certificate for the client, and having it signed by an authority. Client certificates are basically all the same (at least for our purposes): they have a public and a private key, they contain info describing the client (usually a host or an email address), and they are signed by a certificate authority (CA). For the CA signature, you have two options: self-signed or CA signed.

Certificate Signing Request (CSR) and cacert.org

A CSR is a public certificate request which contains all the relevant info (the public key and the identity of the host) and is submitted to a CA for signing. The CA returns a signed public certificate which can be used to validate the identity of your host.

You can use a command like this to create a new private key and a CSR:
openssl req -new -newkey rsa:1024 -nodes -keyout mykey.pem -out myreq.pem

Or if you have an existing private key, you can generate a new CSR from that like this:
openssl req -new -key mykey.pem -out myreq.pem

Once you have the CSR, submit it to the CA for approval. In the case of cacert.org, there's an online form where you copy & paste the content of the CSR.

The CA will approve your CSR and send you a signed public certificate (or reject your CSR, as the case may be).

Save the signed public certificate on the server somewhere and you're cooking with gas.
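The following script is an added example, not a command from the original page: it runs the same "openssl req -new -newkey" step non-interactively (the subject is passed with -subj instead of answering prompts) and then checks the CSR before it is pasted into the CA's form. Two checks matter in practice: that the CSR was really built from the private key you intend to deploy (a CA will happily sign a CSR for the wrong key, and the mismatch only shows up when the daemon fails to start), and that the CSR's own signature verifies, which catches a file corrupted in copy and paste. It assumes openssl is installed; the FQDN "host.example.test" and the file names are constructed placeholders. The key size is 2048 bits rather than the page's rsa:1024, since public CAs no longer sign 1024-bit RSA keys.

```shell
#!/bin/sh
# Added example (not from the original page): create a private key and CSR
# non-interactively, then sanity-check the pair before submitting it to a CA.
# Assumptions: openssl is installed; "host.example.test" and the output file
# names are constructed placeholders.
set -eu

# make_csr FQDN KEYFILE CSRFILE
# Generates a fresh 2048-bit RSA key (the page uses rsa:1024, which public CAs
# no longer accept) and a CSR whose CN is the FQDN. -nodes leaves the key
# unencrypted so the mail daemons can read it without a passphrase.
make_csr() {
    fqdn=$1; key=$2; csr=$3
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" \
        -subj "/CN=$fqdn" >/dev/null 2>&1
}

# csr_matches_key CSRFILE KEYFILE
# Compares the public key embedded in the CSR with the public key derived
# from the private key; both are emitted as identical PEM blocks if they pair.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# csr_cn CSRFILE
# Prints the CN so you can confirm what you are about to send to the CA.
# Handles both the old "subject=/CN=x" and the newer "subject=CN = x" layouts.
csr_cn() {
    openssl req -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_verify CSRFILE
# The CSR is signed with the private key; "openssl req -verify" checks that
# signature, which fails if the file was damaged in transit or editing.
# The "verify OK" line goes to stderr on some versions, so merge the streams.
csr_verify() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Usage: sh make-csr.sh FQDN   (writes FQDN.key and FQDN.csr in the current dir)
if [ -n "${1-}" ]; then
    make_csr "$1" "$1.key" "$1.csr"
    csr_matches_key "$1.csr" "$1.key" && csr_verify "$1.csr" \
        && echo "CSR for $(csr_cn "$1.csr") is ready to submit"
fi
```

Keep the .key file on the server with restrictive permissions; only the .csr leaves the machine, and it is the .key that the signed certificate must later be paired with.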

The signed certificates we hold are all under Archangel's account on cacert.org and they are:

webmail.thenibble.org
mail.thenibble.org
alia.thenibble.org

The "alia" certificate I don't think is used per se (although we should install it for the XMPP server), webmail is used by Apache for the webmail (obviously) and mail is used by both Postfix and Dovecot for SMTP and IMAP+POP3 respectively.

See also Ubuntu OpenSSL docs.

Generate a Self-Signed Certificate

Generating a self-signed cert is a little disorienting since there are about a million sites on the 'net that say how to do it and none of them are quite the same. The following examples are specific to the Nibble site and are taken from here.

Dovecot (IMAP/POP)

Dovecot uses a separate encryption key and certificate. When prompted for "your name", enter the standard FQDN of the IMAP server, which is imaps.dl.nibble.bz. The number of days can be set to anything; here 1000 is used instead of the 365 given in the document above. So without further ado, run the following command (as root) and answer all the interactive prompts:

openssl req -x509 -nodes -days 1000 -newkey rsa:1024 -keyout /etc/ssl/private/imaps.dl.nibble.bz.key -out /etc/ssl/certs/imaps.dl.nibble.bz.crt

Note that Dovecot does have to be restarted to pick up the new certificate.

Postfix

The same considerations apply as for Dovecot. The FQDN of the Postfix server is smtp.dl.nibble.bz.

openssl req -x509 -nodes -days 1095 -newkey rsa:1024 -keyout /etc/ssl/private/smtp.dl.nibble.bz.key -out /etc/ssl/certs/smtp.dl.nibble.bz.crt

Ditto on restarting Postfix.
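As an added example (not part of the original page), here is the Dovecot/Postfix "openssl req -x509" command from above wrapped in a script that needs no interactive prompts, plus the checks worth running before restarting the daemon: that the certificate and key actually pair up, that the certificate is self-signed as intended, that it still has the expected number of days of validity, and that it carries a subjectAltName, which modern IMAP and SMTP clients require in addition to the CN. It assumes openssl 1.1.1 or newer (for -addext and -ext); "imaps.example.test" and the output paths are constructed placeholders standing in for the /etc/ssl/... paths used on this page.

```shell
#!/bin/sh
# Added example (not from the original page): generate a self-signed
# certificate for a service FQDN without the interactive prompts, then run the
# checks worth doing before pointing Dovecot or Postfix at it.
# Assumptions: openssl >= 1.1.1 is installed; "imaps.example.test" and the
# output paths are constructed placeholders for /etc/ssl/... on the page.
set -eu

# make_selfsigned FQDN DAYS KEYFILE CRTFILE
# Same shape as the page's "openssl req -x509 -nodes -days N -newkey ..."
# command, with a 2048-bit key and a subjectAltName matching the CN.
make_selfsigned() {
    fqdn=$1; days=$2; key=$3; crt=$4
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$key" -out "$crt" \
        -subj "/CN=$fqdn" \
        -addext "subjectAltName=DNS:$fqdn" >/dev/null 2>&1
}

# cert_matches_key CRTFILE KEYFILE
# A mismatched pair is the usual cause of "key values mismatch" errors when
# the daemon starts; compare the public key from each file.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_is_selfsigned CRTFILE
# A self-signed certificate has identical subject and issuer.
cert_is_selfsigned() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# cert_valid_for_days CRTFILE DAYS
# True if the certificate will still be valid DAYS days from now.
# -checkend does the date arithmetic, so no parsing of notAfter is needed;
# handy as a cron check so the 1000-day expiry does not arrive unnoticed.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_sans CRTFILE
# Prints the DNS names in subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:],]*\).*/\1/p'
}

# Usage: sh make-selfsigned.sh FQDN DAYS   (writes FQDN.key and FQDN.crt)
if [ -n "${1-}" ] && [ -n "${2-}" ]; then
    make_selfsigned "$1" "$2" "$1.key" "$1.crt"
    cert_matches_key "$1.crt" "$1.key" && cert_is_selfsigned "$1.crt" \
        && echo "self-signed cert for $(cert_sans "$1.crt") written, valid $2 days"
fi
```

Because the certificate is self-signed, clients will not trust it until its public part is installed on them as a trust anchor; the cert_is_selfsigned check confirms you are installing the right kind of file there.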
