|
|
Line 3: |
Line 3: |
| To configure a SSL certificate for TLS and/or SSL over SMTP: | | To configure a SSL certificate for TLS and/or SSL over SMTP: |
|
| |
|
| 1) Abstract: Create Certificate
| | # Abstract: Create Certificate |
| a. Generate key
| | #* Generate key |
| b. Generate signing request
| | #* Generate signing request |
| c. Sign the key
| | #* Sign the key |
| d. Create server certificate
| | #* Create server certificate |
| e. Set permission
| | #* Set permission |
| f. Set owner
| | #* Set owner |
| g. Copy into place
| | #* Copy into place |
| h. Restart services
| | #* Restart services |
| | |
| 1) Create a private key using the triple des encryption standard (recommended):
| |
| # openssl genrsa -des3 -out servercert.key.enc 1024
| |
| | |
| 2) Remove the pass phrase from the private key:
| |
| # openssl rsa -in servercert.key.enc -out servercert.key
| |
| | |
| 3) Generate Certificate Request
| |
| # openssl req -new -key servercert.key -out servercert.csr
| |
| | |
| 4) Go to [http://www.discountwebcerts.com/idev/idevaffiliate.php?id=135 DiscountWebCerts] and submit servercert.csr for a trusted certificate ($19.95). You will then receive a servercert.crt. Now just do the following.
| |
| | |
| 5) Create standard .pem in /var/qmail/control/servercert.pem
| |
| # cat servercert.key servercert.crt > /var/qmail/control/servercert.pem
| |
| | |
| ----------------------
| |
| *NOTE - For reference, here is the command to sign the request for a self signed certificate:
| |
| # openssl x509 -req -days 365 -in servercert.csr -signkey servercert.key -out servercert.crt
| |
| | |
| Here is an additional resource with some good examples.
| |
| | |
| http://www.madboa.com/geek/openssl/#cert-self
| |
| ----------------------
| |
| | |
| ----------------------
| |
| ** NOTE - Some certificate providers, like GoDaddy for example, will also give you a chain file (also sometimes called intermediate file), dump it into the same servercert.pem like so:
| |
| | |
| cat /etc/pki/tls/private/localhost.key /etc/pki/tls/certs/localhost.crt /etc/pki/tls/certs/intermediate.crt > /var/qmail/control/servercert.pem
| |
| | |
| This will join all three of them: The key, signed certificate and the intermediate certificate. You can use the same certificate you have obtained for your Apache website.
| |
| -----------------------
| |
| | |
| # chown root:vchkpw /var/qmail/control/servercert.pem
| |
| # chmod 640 /var/qmail/control/servercert.pem
| |
| | |
| Note, in order to avoid verification errors in email clients (i.e. Outlook, Thunderbird, etc), you need to use the same server name (FQDN) in your client configuration(s) for both incoming (pop/imap) and outgoing (smtp) servers that was entered as the hostname when the certificate request was created. This should also be the same name that is used on the DNS MX record.
| |
| | |
| That's all there is to it. There is no need to restart qmail.
| |
| | |
| | |
| You can also use this signed certificate for apache by putting:
| |
| * '''servercert.key''' in '''/etc/pki/tls/private/localhost.key'''
| |
| * '''servercert.crt''' in '''/etc/pki/tls/certs/localhost.crt'''
| |
| Be sure to check your /etc/httpd/conf.d/ssl.conf file to be certain that the correct file names are specified, and that the corresponding parameters are not commented out.
| |
| | |
| You need to restart apache to activate the modified certificate configuration.
| |
| | |
| | |
| See [http://tldp.org/HOWTO/SSL-RedHat-HOWTO.html Building a Secure Redhat Apache Server HOWTO] for guidance with securing your Apache Server.
| |
| | |
| | |
| | |
| '''Self-signed ssl cert''' gleaned from the archives
| |
| | |
| | |
| Quick-n-dirty how-to for ssl certs
| |
| | |
| # cd /usr/share/ssl/certs
| |
| | |
| # make stunnel.pem
| |
|
| |
| # mv stunnel.pem /var/qmail/control/servercert.pem
| |
| | |
| Then run these commands to finish:
| |
| | |
| # cd /var/qmail/control
| |
| | |
| # chown root:qmail /var/qmail/control/servercert.pem
| |
| | |
| # chmod 644 /var/qmail/control/servercert.pem
| |
| | |
| # ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
| |
| | |
| And that should take care of it for you...good till next year.
| |
| | |
| | |
| | |
| * Jake - I changed the link for the certs to [http://www.discountwebcerts.com/idev/idevaffiliate.php?id=135 DiscountWebCerts]. I've used them before and signed up for an affiliate account. When you purchase a cert from them, we earn 5% of the total sale. They offer single root certs (not chained certs like GoDaddy and others) and they're fast. I had my cert in literally 15 minutes.
| |
| | |
| * Jake - As a side note, I've used RegFly (RapidSSL) a couple times for SSL certs, and there is always an issue that requires helpdesk intervention (~24 hours). I have never had one work in the 5 minutes they advertise. Just be aware. I have been using [http://www.freessl.com/ssl-certificate-products/free-ssl/freessl.htm FreeSSL] during the wait periods. They offer a free 30-day certificate signed by a major CA that can be used until you get the other certificate straightened out, and they really do give you a cert in 5 minutes after the phone call verification.
| |
| | |
| * I recently tried this with RegFly and I have not been able to get the certificate from them nor a response from their support desk , nor my money back. I would advise people to avoid this company.
| |
| | |
| * Jake - I second this. I purchased a cert from them and have not received the cert nor my money refunded after 30 days of fighting with their support.
| |
| | |
| ----------------------
| |
| *NOTE - How to create an OUTLOOK certificate for import to avoid outlook certificate warnings:
| |
| # openssl pkcs12 -export -in servercert.crt -inkey servercert.key -out OutlookSMTP.p12
| |
| | |
| Then import the OutlookSMTP.p12 file into the Trusted Root Certification Authorities store within Internet Explorer (Tools -> Internet Options -> Content -> Certificates, or by just double-clicking it). You will then be free to establish an SSL connection within Outlook to enforce tighter security.
| |
| ----------------------
| |