OpenSSL is an open source package provided with Fedora for creating server certificates. This tutorial explains how to create an SSL certificate and use it within Apache, Postfix and Dovecot.
This tutorial does not go into detail on the advanced features of OpenSSL; instead it focuses on creating and using a certificate. If you would like to learn more about OpenSSL, see section 4, References, at the bottom of this page.
The following sub-sections explain how to create the SSL certificate.
You can generate a DSA key by replacing the genrsa option with gendsa; however, RSA is used in most situations for compatibility reasons.
openssl genrsa 1024 > server.key
chmod 400 server.key
You must protect the file with 'chmod 400', as anyone who obtains the server.key file will be able to decrypt the traffic encrypted with the key.
The command for creating a new unencrypted certificate is:
openssl req -new -x509 -nodes -sha1 -days 365 -key server.key > server.crt
The '-days 365' specifies how long the certificate will be valid for, starting from the date on which it was created.
OpenSSL will then prompt you for information for the certificate:
Country Name (2 letter code) [UK]: UK
State or Province Name (full name) [Some-State]: State
Locality Name (eg, city) []: City
Organization Name (eg, company) [Internet Widgits Pty Ltd]: OrgName
Organizational Unit Name (eg, section) []: IT Dept
Common Name (eg, YOUR name) []: www.hostname.com
Email Address []: webmaster@hostname.com
The new server.crt file does not need to be protected, as it is the public certificate that clients use to verify the server's key. If you want your key to be approved by a certificate authority (CA), this is the file you will need to send.
Certain applications require the certificate and key in a single file; Apache and Dovecot can both use the combined file created here.
cat server.crt server.key > server.pem
chmod 400 server.pem
This is the file we will reference in the configuration of Apache, Postfix and Dovecot.
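The steps above, collected into a script that generates the key, the self-signed certificate and the combined server.pem without interactive prompts, and then checks the result before it is copied into /etc/ssl. This is an added example, not part of the original tutorial: the 2048-bit key and SHA-256 digest are this example's choices (the tutorial uses 1024 and -sha1), the subject fields are constructed sample values, and the check_server_pem function is a sanity check of this example's own design.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: build server.key,
# server.crt and the combined server.pem non-interactively, then verify the
# combined file before deploying it. Key size and digest are this example's
# choices; the subject fields are constructed sample values.
set -eu

# make_server_pem DIR COMMON_NAME
# Creates DIR/server.key, DIR/server.crt and DIR/server.pem. Key and combined
# file end up mode 400; the certificate alone is public.
make_server_pem() {
    dir="$1"
    cn="$2"
    # umask 077 in a subshell: the key file is never group/world-readable,
    # not even between creation and the chmod below.
    (
        umask 077
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
        openssl req -new -x509 -nodes -sha256 -days 365 \
            -key "$dir/server.key" \
            -subj "/C=UK/ST=State/L=City/O=OrgName/OU=IT Dept/CN=$cn" \
            -out "$dir/server.crt" 2>/dev/null
        cat "$dir/server.crt" "$dir/server.key" > "$dir/server.pem"
    )
    chmod 400 "$dir/server.key" "$dir/server.pem"
    chmod 444 "$dir/server.crt"
}

# check_server_pem FILE
# Returns 0 when FILE is a usable combined certificate+key for the services
# in this tutorial, 1 otherwise. Every failed check is reported on stderr.
check_server_pem() {
    f="$1"
    ok=0
    # 1. Both PEM blocks are present in the one file.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
        || { echo "$f: no certificate block" >&2; ok=1; }
    grep -qE -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f" \
        || { echo "$f: no private key block" >&2; ok=1; }
    # 2. Not readable by group or others (the tutorial's 'chmod 400').
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] \
        || { echo "$f: readable by group or others" >&2; ok=1; }
    # 3. The certificate's public key matches the private key in the same
    #    file (a stale certificate next to a regenerated key fails here).
    cert_pub=$(openssl x509 -noout -pubkey -in "$f" 2>/dev/null || true)
    key_pub=$(openssl pkey -pubout -in "$f" 2>/dev/null || true)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "$f: certificate does not match private key" >&2; ok=1; }
    # 4. The certificate has not expired (-checkend 0 fails once it has).
    openssl x509 -noout -checkend 0 -in "$f" >/dev/null 2>&1 \
        || { echo "$f: certificate has expired" >&2; ok=1; }
    return $ok
}

# Stand-alone run: build into a scratch directory and check it.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_server_pem "$d" www.hostname.com
    check_server_pem "$d/server.pem" && echo "OK: $d/server.pem"
    openssl x509 -noout -subject -dates -in "$d/server.pem"
fi
```

Run it with `sh make-server-pem.sh --demo`, then copy server.pem to /etc/ssl with `cp -p` so the 400 mode is kept. Running check_server_pem again on the copied file catches the two mistakes that most often surface only as a failed service start: a certificate that no longer matches its key after the key was regenerated, and a combined file that was made world-readable while being moved into place.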
The following section explains how to configure Apache, Dovecot and Postfix to use the new server certificate you created in section 2.
The ssl.conf file specifies the server certificate to use. Its location may differ between systems; on Fedora you should find it at /etc/httpd/conf.d/ssl.conf.
Open the file in a text editor and locate the lines containing 'SSLCertificateFile' and 'SSLCertificateKeyFile'. Set both to the path of the server.pem file:
SSLCertificateFile /etc/ssl/server.pem
SSLCertificateKeyFile /etc/ssl/server.pem
Save the file and restart Apache with:
service httpd restart
All pages served via HTTPS (port 443) will now use that certificate.
Open the 'dovecot.conf' file; this should be located in /etc.
If the lines are already present, amend them, otherwise add the lines:
ssl_cert_file = /etc/ssl/server.pem
ssl_key_file = /etc/ssl/server.pem
Save the file and restart dovecot with:
service dovecot restart
Dovecot should now start using the new certificate for SSL connections.
Open the main.cf file located in /etc/postfix. Locate the lines that contain 'smtpd_tls_cert_file' and 'smtpd_tls_key_file'. Make the changes below to enable TLS.
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/ssl/server.pem
smtpd_tls_cert_file = /etc/ssl/server.pem
Save the file; the remaining default options should work fine.
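A check of the three configuration edits above before any service is restarted, as an added example that is not part of the original tutorial. It reads the 'key = value' lines of a Postfix main.cf or a Dovecot dovecot.conf (last definition wins, as in Postfix) and the 'Directive value' lines of the Apache ssl.conf, and confirms that the TLS keys are spelled correctly and point at a readable file. The sample configuration fragments and the placeholder server.pem are constructed here; the second Postfix sample deliberately carries a misspelled key name (smtpd_use_tld), which Postfix would silently ignore, leaving TLS off.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check the Postfix,
# Dovecot and Apache TLS settings before restarting the services. All sample
# configuration files below are constructed for this example.
set -eu

# conf_get FILE KEY: print the value of "KEY = value" from a main.cf or
# dovecot.conf style file. Comments are skipped, the last definition wins,
# and a misspelled key is simply not found (empty output).
conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[[:space:]]/, "", key)
            if (key != k) next
            val = substr($0, eq + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            found = val
        }
        END { print found }' "$1"
}

# apache_get FILE DIRECTIVE: print the value of "Directive value" lines.
apache_get() {
    awk -v d="$2" '/^[[:space:]]*#/ { next } $1 == d { v = $2 } END { print v }' "$1"
}

# require_file LABEL PATH: the configured path must exist and be readable.
require_file() {
    [ -n "$2" ] && [ -r "$2" ] \
        || { echo "$1: '$2' is missing or unreadable" >&2; return 1; }
}

# check_postfix MAIN_CF: TLS enabled and both file settings usable.
check_postfix() {
    [ "$(conf_get "$1" smtpd_use_tls)" = "yes" ] \
        || { echo "postfix: smtpd_use_tls is not 'yes' (misspelled or missing?)" >&2; return 1; }
    require_file postfix:smtpd_tls_cert_file "$(conf_get "$1" smtpd_tls_cert_file)" &&
    require_file postfix:smtpd_tls_key_file "$(conf_get "$1" smtpd_tls_key_file)"
}

# check_dovecot DOVECOT_CONF
check_dovecot() {
    require_file dovecot:ssl_cert_file "$(conf_get "$1" ssl_cert_file)" &&
    require_file dovecot:ssl_key_file "$(conf_get "$1" ssl_key_file)"
}

# check_apache SSL_CONF
check_apache() {
    require_file apache:SSLCertificateFile "$(apache_get "$1" SSLCertificateFile)" &&
    require_file apache:SSLCertificateKeyFile "$(apache_get "$1" SSLCertificateKeyFile)"
}

# write_samples DIR: constructed sample fragments of the three config files,
# all pointing at a placeholder that stands in for the real server.pem.
write_samples() {
    dir="$1"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '(constructed placeholder)' \
        '-----END CERTIFICATE-----' > "$dir/server.pem"
    cat > "$dir/main.cf" <<EOF
# constructed sample Postfix main.cf fragment
myhostname = www.hostname.com
smtpd_use_tls = yes
smtpd_tls_key_file = $dir/server.pem
smtpd_tls_cert_file = $dir/server.pem
EOF
    # Same fragment with the setting name misspelled: TLS would stay off.
    sed 's/smtpd_use_tls/smtpd_use_tld/' "$dir/main.cf" > "$dir/main-typo.cf"
    cat > "$dir/dovecot.conf" <<EOF
# constructed sample dovecot.conf fragment
protocols = imap imaps
ssl_cert_file = $dir/server.pem
ssl_key_file = $dir/server.pem
EOF
    cat > "$dir/ssl.conf" <<EOF
# constructed sample Apache ssl.conf fragment
SSLEngine on
SSLCertificateFile $dir/server.pem
SSLCertificateKeyFile $dir/server.pem
EOF
}

# Stand-alone run over the constructed samples.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    check_postfix "$d/main.cf" && check_dovecot "$d/dovecot.conf" \
        && check_apache "$d/ssl.conf" && echo "all three configurations look usable"
    check_postfix "$d/main-typo.cf" || echo "typo sample rejected as expected"
fi
```

On a real host the same questions can be put to the services' own tools, which also parse includes and defaults that this script does not: `postconf smtpd_use_tls` and `postconf smtpd_tls_cert_file` print what Postfix will actually use, `apachectl configtest` validates ssl.conf, and Dovecot 2.x reports its settings with `doveconf -n` (note that Dovecot 2.x renamed ssl_cert_file and ssl_key_file to ssl_cert and ssl_key, whose values are written as `</etc/ssl/server.pem`). After the checks pass, restart Postfix in the same way as the other two services (`service postfix restart`), which the tutorial does not mention.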