Creating SSL Certificates signed by CA and pem files for courier, pure-ftpd

Discussion in 'Tips/Tricks/Mods' started by tio289, Dec 16, 2009.

  1. tio289

    tio289 Member

    Generate a server key and request for signing (csr).

    This step creates a server key, and a request that you want it signed (the .csr file) by a Certificate Authority.

    Think carefully when inputting a Common Name (CN) as you generate the .csr file below. This should match the DNS name (*, or the IP address you specify in your Apache configuration. If they don't match, client browsers will get a "domain mismatch" message when going to your https web server. If you're doing this for home use, and you don't have a static IP or DNS name, you might not even want worry about the message (but you sure will need to worry if this is a production/public server). For example, you could match it to an internal and static IP you use behind your router, so that you'll never get the "domain mismatch" message if you're accessing the computer on your home LAN, but will always get that message when accessing it elsewhere. Your call -- is your IP stable, do you want to repeat these steps every time your IP changes, do you have a DNS name, do you mainly use it inside your home or LAN, or outside?

    cd /etc/ssl/private/
    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr
    Them copy content of server.csr
    cat server.csr
    and paste to CA, which generate certificate on screen. Copy this output and paste to new file server.crt
    nano server.crt (vi server.crt)
    To examine the components if you're curious:

    openssl rsa -noout -text -in server.key
    openssl req -noout -text -in server.csr
    Make a server.key which doesn't cause Apache to prompt for a password.

    Here we create an insecure version of the server.key. The insecure one will be used for when Apache starts, and will not require a password with every restart of the web server. But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse -- coding it somewhere in plaintext), it does mean that anyone obtaining this insecure key will be able to decrypt your transmissions. Guard it for permissions VERY carefully.

    mv server.key
    openssl rsa -in -out server.key
    These files are quite sensitive and should be guarded for permissions very carefully. Chown them to root, if you're not already sudo'd to root. I've found that you can chmod 000 them. That is, root will always retain effective 600 (read) rights on everything.

    Creating PEM files
    cat server.key server.crt > server.pem
    openssl gendh >> server.pem

    When we have created all this files, just it copy to right places.

    ispconfig ssl based host (/etc/apache2/sites-available/ispconfig.vhost):

    insert between <vitualhost></virtualhost>

     SSLEngine on
     SSLCertificateFile /etc/ssl/private/server.crt
     SSLCertificateKeyFile /etc/ssl/private/server.key
    Reload apache


    cp /etc/ssl/private/server.pem /etc/courier/imapd.pem
    cp /etc/ssl/private/server.pem /etc/courier/pop3d.pem
    Restart servicies courier-imap-ssl and courier-pop-ssl


    echo 1 > /etc/pure-ftpd/conf/TLS
    cp /etc/ssl/private/server.pem /etc/ssl/private/pure-ftpd.pem
    Restart service pure-ftpd-mysql

    postfix smtp

    cp /etc/ssl/private/server.crt /etc/postfix/smtpd.cert
    cp /etc/ssl/private/server.key /etc/postfix/smtpd.key
    Restart service postfix

    Renewing certificates before/after expiration

    rm /etc/ssl/private/server.crt
    rm /etc/ssl/private/server.pem
    3. In your CA just click to renew certificate, or if expire them create new from csr file. Copy certificate output from screen, paste to
    nano /etc/ssl/private/server.crt
    4. Create new PEM files
    5. Copy PEM files to courier and pure-ftpd (just cp, not echo)
    6. Copy server.crt and sever.key to postfix
    7. restart servicies

    Google document:
  2. LaKing

    LaKing New Member

    Hi folks.

    My CA is startSSL.

    I have managed to deal with certificates for apache, with the help of the httpd directives:
    (Optionally the SSLCACertificatPath can be used, with symbolic links of their hash, even for several CA's ...)

    I was reading that fore example pure-ftpd supports the following formatting:

    (Private Key)
    -----END RSA PRIVATE KEY-----
    (Primary SSL certificate)
    -----END CERTIFICATE-----
    (Intermediate certificate)
    -----END CERTIFICATE-----
    (Root certificate)
    -----END CERTIFICATE-----
    I created the pem file with this format, and it does not work when connecting with FileZilla, it asks if the certificate can be trusted.

    I use startSSL's ca.pem as root certificate, and as Intermediate certificate, which works fine for Apache.
    Last edited: Feb 12, 2011
  3. LaKing

    LaKing New Member

    # openssl verify -CApath /etc/pki/CA/certs server.crt 
    server.crt: OK
    Where that path contains a symbolic link to the file, named based on its hash.

    cat server.key server.crt ca.pem > server.pem
    Moving that file to pure-ftpd seems to work fine.

    It turned out that fileZilla does not really have CA certificates out of the box.
    Last edited: Feb 12, 2011

Share This Page