Generate a server key and request for signing (CSR). This step creates a server key, and a request that you want signed (the .csr file) by a Certificate Authority. Think carefully when inputting a Common Name (CN) as you generate the .csr file below. This should match the DNS name (*.domain.com), or the IP address you specify in your Apache configuration. If they don't match, client browsers will get a "domain mismatch" message when going to your https web server. If you're doing this for home use, and you don't have a static IP or DNS name, you might not even want to worry about the message (but you sure will need to worry if this is a production/public server). For example, you could match it to an internal and static IP you use behind your router, so that you'll never get the "domain mismatch" message if you're accessing the computer on your home LAN, but will always get that message when accessing it elsewhere. Your call -- is your IP stable, do you want to repeat these steps every time your IP changes, do you have a DNS name, do you mainly use it inside your home or LAN, or outside?

Code:
    cd /etc/ssl/private/
    openssl genrsa -des3 -out server.key 4096
    openssl req -new -key server.key -out server.csr

Then copy the content of server.csr:

Code:
    cat server.csr

and paste it into your CA, which generates the certificate on screen. Copy this output and paste it into a new file, server.crt:

Code:
    nano server.crt    (vi server.crt)

To examine the components if you're curious:

Code:
    openssl rsa -noout -text -in server.key
    openssl req -noout -text -in server.csr

Make a server.key which doesn't cause Apache to prompt for a password. Here we create an insecure version of the server.key. The insecure one will be used when Apache starts, and will not require a password with every restart of the web server.

But keep in mind that while this means you don't have to type in a password when restarting Apache (or worse -- coding it somewhere in plaintext), it does mean that anyone obtaining this insecure key will be able to decrypt your transmissions. Guard its permissions VERY carefully.

Code:
    mv server.key server.key.secure
    openssl rsa -in server.key.secure -out server.key

These files are quite sensitive and their permissions should be guarded very carefully. Chown them to root, if you're not already sudo'd to root. I've found that you can chmod 000 them. That is, root will always retain effective 600 (read) rights on everything.

Creating PEM files

Code:
    cat server.key server.crt > server.pem
    # "openssl gendh" has been superseded by "openssl dhparam"; this appends 2048-bit DH parameters
    openssl dhparam 2048 >> server.pem

When we have created all these files, just copy them to the right places. Examples:

ispconfig SSL-based host (/etc/apache2/sites-available/ispconfig.vhost): insert between <VirtualHost></VirtualHost>

Code:
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

Reload apache.

courier

Code:
    cp /etc/ssl/private/server.pem /etc/courier/imapd.pem
    cp /etc/ssl/private/server.pem /etc/courier/pop3d.pem

Restart services courier-imap-ssl and courier-pop-ssl.

pure-ftpd

Code:
    echo 1 > /etc/pure-ftpd/conf/TLS
    cp /etc/ssl/private/server.pem /etc/ssl/private/pure-ftpd.pem

Restart service pure-ftpd-mysql.

postfix smtp

Code:
    cp /etc/ssl/private/server.crt /etc/postfix/smtpd.cert
    cp /etc/ssl/private/server.key /etc/postfix/smtpd.key

Restart service postfix.

Renewing certificates before/after expiration

1. Code:
    rm /etc/ssl/private/server.crt
2. Code:
    rm /etc/ssl/private/server.pem
3. In your CA just click to renew the certificate, or if it has expired create a new one from the csr file. Copy the certificate output from the screen and paste it into Code:
    nano /etc/ssl/private/server.crt
4. Create new PEM files.
5. Copy the PEM files to courier and pure-ftpd (just cp, not echo).
6. Copy server.crt and server.key to postfix.
7. Restart services.

Google document: http://docs.google.com/View?id=dhp2k7sw_35gx9b5ffn
Hi folks. My CA is startSSL. I have managed to deal with certificates for apache, with the help of the httpd directives:

Code:
    SSLCACertificateFile
    SSLCertificateChainFile

(Optionally the SSLCACertificatePath can be used, with symbolic links of their hash, even for several CAs ...)

I was reading that for example pure-ftpd supports the following formatting:

Code:
    -----BEGIN RSA PRIVATE KEY-----
    (Private Key)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Primary SSL certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Intermediate certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Root certificate)
    -----END CERTIFICATE-----

I created the pem file with this format, and it does not work when connecting with FileZilla: it asks if the certificate can be trusted. I use startSSL's ca.pem as root certificate, and sub.class2.server.ca.pem as Intermediate certificate, which works fine for Apache.
Code:
    # openssl verify -CApath /etc/pki/CA/certs server.crt
    server.crt: OK

Where that path contains a symbolic link to the sub.class2.server.ca.pem file, named based on its hash.

Code:
    cat server.key server.crt sub.class2.server.ca.pem ca.pem > server.pem

Moving that file to pure-ftpd seems to work fine. It turned out that FileZilla does not really have CA certificates out of the box.
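The two procedures above, the first post's key -> CSR -> signed certificate -> PEM bundle and the StartSSL posts' question of getting the intermediate into the bundle in the right order, as one added worked example. This is not code from either post or from ISPConfig, pure-ftpd or courier: it builds a throw-away root CA and intermediate CA with nothing but openssl to stand in for the external CA, issues the server certificate from them, assembles server.pem in the order quoted for pure-ftpd (key, leaf, intermediate, root), and then runs the checks you would want before copying anything into /etc/ssl/private: key and certificate share a modulus, the leaf verifies against the root only when the intermediate is supplied (the condition FileZilla reported as "untrusted"), and the bundle's certificates are each issued by the next one. All host, file and subject names are assumptions for the example; it only needs openssl, awk and sed on the PATH.

```shell
#!/bin/sh
# Added example (not code from either post): reproduce the key -> CSR -> signed cert -> PEM
# steps from the first post against a throw-away root + intermediate CA built with openssl
# (standing in for StartSSL), assemble the bundle in the order the second post quotes for
# pure-ftpd, and check it the way you would before copying it into /etc/ssl/private.
# Directory, file and subject names are assumptions for the example.
set -eu
umask 077   # keys and bundles are created mode 0600 from the start, no chmod afterthought

# $1 = directory, $2 = base name, $3 = subject. Unencrypted key, like the post's "insecure" server.key.
gen_key_and_csr() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$3"
}

# Root CA -> intermediate CA -> server certificate for host name $2, all written under $1.
build_test_pki() {
    dir=$1; host=$2
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
    gen_key_and_csr "$dir" root "/O=Example/CN=Example Root CA"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/root.crt" 2>/dev/null
    gen_key_and_csr "$dir" intermediate "/O=Example/CN=Example Intermediate CA"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -extfile "$dir/ca.ext" -out "$dir/intermediate.crt" 2>/dev/null
    gen_key_and_csr "$dir" server "/O=Example/CN=$host"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/intermediate.crt" -CAkey "$dir/intermediate.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# Key, leaf, intermediate, root: the layout quoted for pure-ftpd. Courier takes the same file.
make_bundle() {
    cat "$1/server.key" "$1/server.crt" "$1/intermediate.crt" "$1/root.crt" > "$1/server.pem"
}

# Optional, the current form of the first post's "openssl gendh >> server.pem" (slow, so not run below).
append_dhparams() {
    openssl dhparam 2048 2>/dev/null >> "$1"
}

# Catches a certificate pasted from the CA's screen next to the wrong key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# Succeeds only when the leaf chains to the root through the intermediate. Run without the
# -untrusted intermediate it fails, which is what a client lacking that cert shows as "untrusted".
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/intermediate.crt" "$1/server.crt" 2>/dev/null \
        | grep -q ': OK$'
}
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/server.crt" 2>/dev/null | grep -q ': OK$'
}

# Splits the certificates out of a bundle and succeeds only if each one is issued by the next,
# i.e. the order really is leaf, intermediate, root.
bundle_order_ok() {
    pem=$1; d=$(mktemp -d)
    n=$(awk -v d="$d" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/c" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
        END { print n + 0 }' "$pem")
    [ "$n" -ge 2 ] || { rm -rf "$d"; return 1; }
    i=1; bad=0
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$d/c$i.pem" | sed 's/^[a-z]*= *//')
        subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$d/c$((i + 1)).pem" | sed 's/^[a-z]*= *//')
        [ "$issuer" = "$subject" ] || bad=1
        i=$((i + 1))
    done
    rm -rf "$d"
    return $bad
}

if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    build_test_pki "$work" www.example.com
    make_bundle "$work"
    key_matches_cert "$work/server.key" "$work/server.crt" && echo "key and certificate match"
    verify_chain "$work" && echo "chain verifies with the intermediate supplied"
    verify_without_intermediate "$work" || echo "without the intermediate the leaf is untrusted"
    bundle_order_ok "$work/server.pem" && echo "server.pem is ordered leaf, intermediate, root"
    echo "files left in $work"
fi
```

Run it as `sh bundle-check.sh demo`. With a real CA, `build_test_pki` is replaced by the CSR you sent and the server.crt, intermediate and root files the CA publishes; the remaining functions apply unchanged, and `verify_chain` plays the same role as the hash-named symlink under `-CApath` in the post above, it just names the intermediate explicitly.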