Certificate Signing Request (CSR) and cacert.org
A CSR is not itself a certificate. It is a request containing your public key and the identity details you want certified (Common Name and so on), signed with your private key to prove you hold it. You submit it to a CA, which returns a signed public certificate that clients can use to validate the identity of your host. The private key never leaves your server.
You can use a command like this to create a new private key and a CSR:
openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout mykey.pem -out myreq.pem
Use rsa:2048 or larger; 1024-bit keys are no longer accepted by current CAs or browsers. -nodes leaves the private key unencrypted so the daemon can start without a passphrase, so protect it with file permissions (chmod 600) instead.
Or if you have an existing private key, you can generate a new CSR from that like this:
openssl req -new -key mykey.pem -out myreq.pem
Once you have the CSR, submit it to the CA for approval. In the case of cacert.org, there's an online form where you copy & paste the content of the CSR.
The CA will approve your CSR and send you a signed certificate (or reject your CSR, as the case may be). Check that the certificate it returns actually matches your private key before you install it.
Save the signed certificate on the server somewhere the daemon can read it (the key stays readable only by root) and you're cooking with gas.
The signed certificates we hold are all under Archangel's account on cacert.org and they are:
webmail.thenibble.org
mail.thenibble.org
alia.thenibble.org
The "alia" certificate I don't think is used per se (although we should install it for the XMPP server); webmail is used by Apache for the webmail (obviously), and mail is used by both Postfix and Dovecot, for SMTP and IMAP+POP3 respectively.
See also Ubuntu OpenSSL docs.
Generate a Self-Signed Certificate
Generating a self-signed cert is a little disorienting since there are about a million sites on the 'net that say how to do it and none of them are quite the same. The following examples are specific to the Nibble site and are taken from here.
Dovecot (IMAP/POP)
Dovecot uses its own key and certificate. When prompted for "your name" (the Common Name), give the FQDN that mail clients connect to, which is imaps.dl.nibble.bz; a certificate whose name does not match the hostname the client uses will be rejected. The number of days can be set to anything; here 1000 is used instead of the 365 given in the document above. Because the certificate is self-signed, clients will warn about an untrusted issuer until they are told to trust this specific certificate. So without further ado, run the following command (as root) and answer the interactive prompts:
openssl req -x509 -nodes -days 1000 -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/imaps.dl.nibble.bz.key -out /etc/ssl/certs/imaps.dl.nibble.bz.crt
Note that Dovecot has to be restarted to pick up the new certificate, and that the key under /etc/ssl/private must stay readable only by root (chmod 600).
Postfix
Same procedure as for Dovecot; the FQDN of the Postfix server is smtp.dl.nibble.bz.
openssl req -x509 -nodes -days 1095 -newkey rsa:2048 -sha256 -keyout /etc/ssl/private/smtp.dl.nibble.bz.key -out /etc/ssl/certs/smtp.dl.nibble.bz.crt
Ditto on restarting (or reloading) Postfix so it picks up the new certificate.
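Putting the two procedures on this page together (the CSR workflow for cacert.org and the self-signed variant for Dovecot and Postfix), here is an added, runnable shell example that is not from the original page. It generates a key and CSR non-interactively, checks the CSR the way you should before pasting it into a CA's form, self-signs the same key with a subjectAltName, and verifies that a certificate's public key really belongs to the private key, which is the check to run on whatever the CA sends back before installing it. The helper names, the temporary working directory, and the use of -subj and -addext (OpenSSL 1.1.1 or newer) are this example's assumptions; the hostnames and validity periods are the page's.

```shell
#!/bin/sh
# Added example (not from the original page): key + CSR generation, CSR checks,
# self-signing with a SAN, and a cert/key match check, using only the openssl CLI.
# Assumptions: OpenSSL 1.1.1+ (for -addext); files land in a temp dir, not /etc/ssl.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate an RSA-2048 private key and a CSR for host $1 without the interactive
# prompts. -nodes leaves the key unencrypted (so a daemon can start unattended),
# so it is protected by file mode instead. Then verify the CSR's own signature
# and confirm the CN, which is what to check before pasting it into a CA's form.
make_csr() {
  host="$1"
  openssl req -new -newkey rsa:2048 -sha256 -nodes \
    -keyout "$WORKDIR/$host.key" -out "$WORKDIR/$host.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  chmod 600 "$WORKDIR/$host.key"
  openssl req -in "$WORKDIR/$host.csr" -noout -verify >/dev/null 2>&1
  openssl req -in "$WORKDIR/$host.csr" -noout -subject | grep -q "CN *= *$host"
}

# Self-sign the existing key for host $1, valid for $2 days. The subjectAltName
# is what current clients actually match against; the CN alone is no longer enough.
self_sign() {
  host="$1"; days="$2"
  openssl req -new -x509 -sha256 -days "$days" -key "$WORKDIR/$host.key" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -out "$WORKDIR/$host.crt" >/dev/null 2>&1
}

# Succeed only if the public key inside certificate $1 is the one derived from
# private key $2. Run this on the certificate a CA returns before installing it;
# a mismatch means the server will fail every TLS handshake.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed if certificate $1 carries a DNS subjectAltName for host $2.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Demo with the page's IMAP hostname and validity period.
make_csr imaps.dl.nibble.bz
self_sign imaps.dl.nibble.bz 1000
cert_matches_key "$WORKDIR/imaps.dl.nibble.bz.crt" "$WORKDIR/imaps.dl.nibble.bz.key" \
  && echo "imaps: certificate matches its private key"
openssl x509 -in "$WORKDIR/imaps.dl.nibble.bz.crt" -noout -subject -enddate
```

In real use you would point WORKDIR at the real locations (or move the .key into /etc/ssl/private and the .crt into /etc/ssl/certs), paste the .csr into the CA's form instead of calling self_sign, and run cert_matches_key on the certificate the CA returns.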