  #1  
Old 16th December 2009, 10:47
tio289 tio289 is offline
Member
 
Join Date: Mar 2009
Posts: 70
Thanks: 2
Thanked 14 Times in 9 Posts
Creating SSL Certificates signed by CA and pem files for courier, pure-ftpd

Generate a server key and request for signing (csr).

This step creates a server key, and a request that you want it signed (the .csr file) by a Certificate Authority.

Think carefully when inputting a Common Name (CN) as you generate the .csr file below. This should match the DNS name (*.domain.com), or the IP address you specify in your Apache configuration. If they don't match, client browsers will get a "domain mismatch" message when going to your https web server. If you're doing this for home use, and you don't have a static IP or DNS name, you might not even want to worry about the message (but you sure will need to worry if this is a production/public server). For example, you could match it to an internal and static IP you use behind your router, so that you'll never get the "domain mismatch" message if you're accessing the computer on your home LAN, but will always get that message when accessing it elsewhere. Your call -- is your IP stable, do you want to repeat these steps every time your IP changes, do you have a DNS name, do you mainly use it inside your home or LAN, or outside?

Code:
cd /etc/ssl/private/
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
Then copy the content of server.csr
Code:
cat server.csr
and paste it into your CA, which generates the certificate on screen. Copy this output and paste it into a new file, server.crt:
Code:
nano server.crt (vi server.crt)
To examine the components if you're curious:

Code:
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
Make a server.key which doesn't cause Apache to prompt for a password.

Here we create an insecure version of the server.key. The insecure one will be used for when Apache starts, and will not require a password with every restart of the web server. But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse -- coding it somewhere in plaintext), it does mean that anyone obtaining this insecure key will be able to decrypt your transmissions. Guard it for permissions VERY carefully.

Code:
mv server.key server.key.secure
openssl rsa -in server.key.secure -out server.key
These files are quite sensitive and should be guarded for permissions very carefully. Chown them to root, if you're not already sudo'd to root. I've found that you can chmod 000 them. That is, root will always retain effective 600 (read) rights on everything.

Creating PEM files
Code:
cat server.key server.crt > server.pem
openssl gendh >> server.pem

When we have created all these files, just copy them to the right places.
Examples:


ispconfig ssl based host (/etc/apache2/sites-available/ispconfig.vhost):

insert between <VirtualHost></VirtualHost>

Code:
 SSLEngine on
 SSLCertificateFile /etc/ssl/private/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
Reload Apache

courier

Code:
cp /etc/ssl/private/server.pem /etc/courier/imapd.pem
cp /etc/ssl/private/server.pem /etc/courier/pop3d.pem
Restart services courier-imap-ssl and courier-pop-ssl

pure-ftpd

Code:
echo 1 > /etc/pure-ftpd/conf/TLS
cp /etc/ssl/private/server.pem /etc/ssl/private/pure-ftpd.pem
Restart service pure-ftpd-mysql

postfix smtp

Code:
cp /etc/ssl/private/server.crt /etc/postfix/smtpd.cert
cp /etc/ssl/private/server.key /etc/postfix/smtpd.key
Restart service postfix

Renewing certificates before/after expiration


1.
Code:
rm /etc/ssl/private/server.crt
2.
Code:
rm /etc/ssl/private/server.pem
3. In your CA just click to renew the certificate, or if it has expired, create a new one from the csr file. Copy the certificate output from the screen and paste it into
Code:
nano /etc/ssl/private/server.crt
4. Create new PEM files
5. Copy PEM files to courier and pure-ftpd (just cp, not echo)
6. Copy server.crt and server.key to postfix
7. Restart services

Google document:
http://docs.google.com/View?id=dhp2k7sw_35gx9b5ffn
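A sanity check for the combined server.pem built above, added here as an example (it is not part of the original post): it verifies the file mode, that the key and certificate in the file belong together, that the certificate is not about to expire, and that it matches the hostname clients will connect to. It assumes a POSIX shell with openssl and stat available.

```shell
#!/bin/sh
# check_server_pem PEMFILE HOSTNAME
# Returns 0 when every check passes, 1 otherwise, printing one line per failure.
check_server_pem() {
    pem="$1"; host="$2"; rc=0

    # 1. The file holds an unencrypted private key, so it must not be readable
    #    by group or others (600, or 000 when only root needs it, as noted above).
    mode=$(stat -c '%a' "$pem" 2>/dev/null || stat -f '%Lp' "$pem")
    case "$mode" in
        600|400|000) ;;
        *) echo "FAIL: $pem has mode $mode, expected 600 (or 000 as root)"; rc=1 ;;
    esac

    # 2. The private key and the certificate must belong together: both must
    #    yield the same public key. openssl skips PEM blocks of the wrong type,
    #    so each command picks its own block out of the combined file.
    key_pub=$(openssl pkey -in "$pem" -passin pass:none -pubout 2>/dev/null || true)
    crt_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        echo "FAIL: private key in $pem does not match its certificate (or key is encrypted)"; rc=1
    fi

    # 3. The certificate must stay valid for at least 30 days (2592000 seconds),
    #    which leaves time to run the renewal steps above.
    if ! openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: certificate in $pem expires within 30 days or has already expired"; rc=1
    fi

    # 4. The certificate must be issued for the name clients use, otherwise they
    #    get the "domain mismatch" warning described above.
    if ! openssl x509 -in "$pem" -noout -checkhost "$host" 2>/dev/null | grep -q 'does match'; then
        echo "FAIL: certificate in $pem is not valid for host $host"; rc=1
    fi
    return $rc
}
```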
  #2  
Old 12th February 2011, 14:46
LaKing LaKing is offline
Junior Member
 
Join Date: Aug 2010
Posts: 13
Thanks: 0
Thanked 3 Times in 2 Posts

Hi folks.

My CA is startSSL.

I have managed to deal with certificates for apache, with the help of the httpd directives:
Code:
SSLCACertificateFile
SSLCertificateChainFile
(Optionally the SSLCACertificatePath can be used, with symbolic links of their hash, even for several CA's ...)

I was reading that for example pure-ftpd supports the following formatting:

Code:
-----BEGIN RSA PRIVATE KEY-----
(Private Key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate)
-----END CERTIFICATE-----
I created the pem file with this format, and it does not work when connecting with FileZilla: it asks if the certificate can be trusted.

I use startSSL's ca.pem as root certificate, and sub.class2.server.ca.pem as Intermediate certificate, which works fine for Apache.

Last edited by LaKing; 12th February 2011 at 18:25.
  #3  
Old 12th February 2011, 17:43
LaKing LaKing is offline
Junior Member
 
Join Date: Aug 2010
Posts: 13
Thanks: 0
Thanked 3 Times in 2 Posts

Code:
# openssl verify -CApath /etc/pki/CA/certs server.crt
server.crt: OK
Where that path contains a symbolic link to the sub.class2.server.ca.pem file, named based on its hash.

Code:
cat server.key server.crt sub.class2.server.ca.pem ca.pem > server.pem
Moving that file to pure-ftpd seems to work fine.

It turned out that FileZilla does not really have CA certificates out of the box.

Last edited by LaKing; 12th February 2011 at 18:24.
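The PEM layout from post #2 (key, server certificate, intermediate, root) and the concatenation in post #3 depend on the certificates being in the right order. The function below is an added example (not from either post or from pure-ftpd itself): it splits the combined file, checks that each certificate is issued by the one after it, and then runs the same kind of openssl verify shown above with the intermediates supplied as untrusted certificates. It assumes a POSIX shell with openssl, awk and sed.

```shell
#!/bin/sh
# verify_chain_pem PEMFILE CAFILE
# Returns 0 when the first certificate in PEMFILE is the server certificate and it
# chains, through the following certificates, to a CA listed in CAFILE (e.g. ca.pem).
verify_chain_pem() {
    pem="$1"; cafile="$2"; dir=$(mktemp -d); rc=0
    # Split each CERTIFICATE block into its own numbered file, keeping file order;
    # private-key lines are skipped. awk prints the number of certificates found.
    n=$(awk -v d="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", d, n) }
        f { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END { print n + 0 }' "$pem")
    if [ "$n" -lt 1 ]; then
        echo "FAIL: no certificates found in $pem"; rm -rf "$dir"; return 1
    fi
    # Every certificate must be issued by the one that follows it:
    # server certificate, then intermediate(s), then root.
    i=1
    while [ "$i" -lt "$n" ]; do
        j=$((i + 1))
        issuer=$(openssl x509 -in "$(printf '%s/cert%02d.pem' "$dir" "$i")" -noout -issuer 2>/dev/null || true)
        subject=$(openssl x509 -in "$(printf '%s/cert%02d.pem' "$dir" "$j")" -noout -subject 2>/dev/null || true)
        if [ -z "$issuer" ] || [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
            echo "FAIL: certificate $i in $pem is not issued by certificate $j (wrong order?)"; rc=1
        fi
        i=$j
    done
    # Verify the first certificate against the CA bundle, offering the remaining
    # certificates only as untrusted intermediates, the way a client builds the chain.
    if [ "$n" -gt 1 ]; then
        cat "$dir"/cert[0-9][0-9].pem | sed '1,/-----END CERTIFICATE-----/d' > "$dir/untrusted.pem"
        set -- -untrusted "$dir/untrusted.pem"
    else
        set --
    fi
    if ! openssl verify -CAfile "$cafile" "$@" "$dir/cert01.pem" >/dev/null 2>&1; then
        echo "FAIL: first certificate in $pem does not chain to $cafile"; rc=1
    fi
    rm -rf "$dir"
    return $rc
}
```

A non-zero result with the "wrong order" message is the symptom LaKing hit: the daemon serves the certificates in file order, so a misplaced intermediate breaks the chain the client receives.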