tio289
16th December 2009, 09:47
Generate a server key and a certificate signing request (CSR).
This step creates a server key and a certificate signing request (the .csr file) that you want a Certificate Authority to sign.
Think carefully when entering the Common Name (CN) as you generate the .csr file below. It should match the DNS name (*.domain.com) or the IP address you specify in your Apache configuration. If they don't match, client browsers will show a "domain mismatch" warning when connecting to your https web server. If you're doing this for home use and you don't have a static IP or DNS name, you might not even want to worry about the warning (but you certainly will need to worry if this is a production/public server). For example, you could match it to the internal, static IP you use behind your router, so that you never get the "domain mismatch" warning when accessing the computer on your home LAN, but always get it when accessing it from elsewhere. Your call -- is your IP stable, do you want to repeat these steps every time your IP changes, do you have a DNS name, do you mainly use it inside your home or LAN, or outside?
cd /etc/ssl/private/
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
Then copy the content of server.csr (cat server.csr) and paste it into your CA, which generates the certificate on screen. Copy that output and paste it into a new file, server.crt (nano server.crt or vi server.crt).
To examine the components if you're curious:
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
Make a server.key that doesn't cause Apache to prompt for a password.
Here we create an insecure version of server.key. The insecure one is used when Apache starts, so a password is not required on every restart of the web server. But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse -- store it somewhere in plaintext), it also means that anyone obtaining this insecure key will be able to decrypt your transmissions. Guard its permissions VERY carefully.
mv server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
These files are quite sensitive and their permissions should be guarded very carefully. Chown them to root, if you're not already sudo'd to root. I've found that you can chmod 000 them; that is, root will always retain effective 600 (read) rights on everything.
Creating PEM files
cat server.key server.crt > server.pem
openssl gendh >> server.pem
When all these files have been created, just copy them to the right places.
Examples:
ISPConfig SSL-based host (/etc/apache2/sites-available/ispconfig.vhost):
Insert between <VirtualHost> and </VirtualHost>:
SSLEngine on
SSLCertificateFile /etc/ssl/private/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key
Reload Apache.
courier
cp /etc/ssl/private/server.pem /etc/courier/imapd.pem
cp /etc/ssl/private/server.pem /etc/courier/pop3d.pem
Restart the services courier-imap-ssl and courier-pop-ssl.
pure-ftpd
echo 1 > /etc/pure-ftpd/conf/TLS
cp /etc/ssl/private/server.pem /etc/ssl/private/pure-ftpd.pem
Restart the service pure-ftpd-mysql.
postfix smtp
cp /etc/ssl/private/server.crt /etc/postfix/smtpd.cert
cp /etc/ssl/private/server.key /etc/postfix/smtpd.key
Restart the service postfix.
Renewing certificates before/after expiration
1. rm /etc/ssl/private/server.crt
2. rm /etc/ssl/private/server.pem
3. In your CA, just click to renew the certificate, or if it has expired, create a new one from the CSR file. Copy the certificate output from the screen and paste it into nano /etc/ssl/private/server.crt
4. Create new PEM files
5. Copy the PEM files to courier and pure-ftpd (just cp; no need to repeat the echo step)
6. Copy server.crt and server.key to postfix
7. Restart the services
Google document:
http://docs.google.com/View?id=dhp2k7sw_35gx9b5ffn
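The whole procedure above, scripted end to end, as an added example that is not part of the original post. It runs in a scratch directory rather than /etc/ssl/private, uses the hypothetical host name mail.example.com, and stands in for the external CA by self-signing the CSR so that it runs offline (with a real CA you would paste its output into server.crt instead). It adds the two checks a practitioner wants before copying files around, namely that the certificate really belongs to the key (matching RSA modulus) and that it carries the expected name, and the expiry check that tells you when the renewal section applies. One caveat beyond the post: browsers no longer use the CN for host-name matching and require a subjectAltName, so the example puts the name in both. DH parameter generation (the post's openssl gendh) is slow and is left out of the runnable part.

```shell
#!/bin/sh
# Added example (not the original poster's commands): key, CSR, stand-in CA
# signing, key/cert consistency check, PEM assembly, permissions and expiry check.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-mail.example.com}"          # assumption: hypothetical host name
CFG="$WORK/req.cnf"

# Non-interactive request config. Browsers match host names against
# subjectAltName, not CN, so the name goes in both.
write_req_config() {
    cat > "$CFG" <<EOF
[ req ]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[ dn ]
C = XX
O = Example
CN = $CN
[ v3_req ]
subjectAltName = DNS:$CN
EOF
}

# Key + CSR. The post makes a DES3-protected key and strips the passphrase
# afterwards; generating it without one yields the same "insecure" server.key
# that Apache loads without prompting. 2048 bits keeps the example quick.
make_key_and_csr() {
    write_req_config
    openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" -config "$CFG"
}

# Stand-in for "paste the CSR into your CA": self-sign it, carrying the SAN
# extension over from the request config. $1 is the validity in days.
sign_csr() {
    days="${1:-365}"
    openssl x509 -req -in "$WORK/server.csr" -signkey "$WORK/server.key" \
        -out "$WORK/server.crt" -days "$days" \
        -extfile "$CFG" -extensions v3_req 2>/dev/null
}

# Does the certificate really belong to this key? Compare the RSA modulus.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$WORK/server.key" | openssl dgst -sha256)
    c=$(openssl x509 -noout -modulus -in "$WORK/server.crt" | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Does the certificate carry the name the vhost will be reached under?
cert_has_name() {
    openssl x509 -noout -text -in "$WORK/server.crt" | grep -q "DNS:$1"
}

# server.pem as Courier and pure-ftpd expect it: key followed by cert.
# Key and PEM get 600; the public certificate can stay world-readable.
build_pem_and_lock_down() {
    cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
    chmod 600 "$WORK/server.key" "$WORK/server.pem"
    chmod 644 "$WORK/server.crt"
}

# Permission string of a file, e.g. "-rw-------".
mode_of() {
    ls -l "$1" | cut -c1-10
}

# Renewal check: succeeds (exit 0) if the certificate expires within $1
# seconds, fails otherwise. 30 days = 2592000.
expires_within() {
    ! openssl x509 -noout -checkend "$1" -in "$WORK/server.crt" >/dev/null
}

run_all() {
    make_key_and_csr
    sign_csr 365
    key_matches_cert
    cert_has_name "$CN"
    build_pem_and_lock_down
}

run_all
echo "key, CSR, certificate and PEM prepared in $WORK"
```

Run it as a normal user; nothing is written outside the mktemp directory. Before a renewal, `expires_within 2592000` is the test to put in a cron job, and `key_matches_cert` is the one to run after pasting a freshly renewed certificate into server.crt, since a certificate issued for a different CSR will otherwise only show up as a failed service start.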