Certificate

Security Certificate

To configure a SSL certificate for TLS and/or SSL over SMTP:

1. Abstract: Create Certificate

   Generate key

   Generate signing request

   Sign the key

   Create server certificate

   Set permission

   Set owner

   Copy into place

   Restart services

   1. Self-Signed Certificate

      #openssl genrsa -out x.key 2048

      #openssl req -new -key x.key -out x.csr

      #openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt

      #cat x.crt x.key > servercert.pem

      #chmod 644 servercert.pem

      #chown root:qmail servercert.pem

      #cp -p servercert.pem /var/qmail/control

   2. Let's Encrypt CentOS 7/8 (Automatic, assumes working web server)

      #yum install python-certbot-apache

      #certbot -apache -d mydomain.com -d mail.mydomain.com

      Add to Apache Virtual

      1. SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
      2. SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
      3. SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem

      Add to Dovecot

      1. ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
      2. ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem

      Add to Qmail

      1. #cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
      2. #cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem

      Springdale, Rocky, Alma Linux 9 may need the private key last

      1. cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem

      Let's Encrypt auto renewal

      Add to cron nightly renew of certs (These certificates expire every 3 months)

      1. 0 0 * * * /opt/certbot/certbot-auto renew #CentOS 6
      2. 0 0 * * * /opt/certbot/certbot renew #CentOS 7