Marco Fioretti
2007-Jun-15 11:31 UTC
[CentOS] which commands do you use to SSL certify your own server?
Hello,

I am going to build an email server on CentOS for a small, private group of users and I just want to encrypt all communications between that server and the (remote) email clients of those users (or their browsers, when they use webmail). Client certificates are not necessary, at least now.

I understand that to do that I need to create my own SSL CA, create with it a self-signed certificate and key pair and make sure that the private key is not encrypted, so the server restarts unattended in case of a reboot.

I have already looked at man pages and a few online tutorials, but frankly they are not clear on what to do to achieve all and _only_ what I wrote above. Most documentation, when not outdated, seems targeted at much more complex scenarios.

Is this sequence of actions and commands correct and complete for my case, or not:

1) cd /usr/share/ssl
2) modify openssl.cnf to have your Common Name and other parameters
3) run:
   ./CA -newca
   ./CA -newreq-nodes
4) move the private key from the .pem file to a separate file
5) put the cert and key file in a location where Postfix,
6) Dovecot and Apache can all use them
7) configure each of those servers to use the certificate

What have I missed?

Thank you in advance for any feedback (I'll have access to the server only over the weekend, but it would be great to have this issue as clear as possible before starting...)

Marco
Paul Heinlein
2007-Jun-15 13:32 UTC
[CentOS] which commands do you use to SSL certify your own server?
On Fri, 15 Jun 2007, Marco Fioretti wrote:

> Hello,
>
> I am going to build an email server on Centos for a small, private
> group of users and I just want to encrypt all communications between
> that server and the (remote) email clients of those users (or their
> browsers, when they use webmail). Client certificates are not
> necessary, at least now.
>
> I understand that to do that I need to create my own SSL CA, create
> with it a self signed certificate and key pair and make sure that
> the private key is not encrypted, so the server restarts unattended
> in case of a reboot.

You don't need a CA to create a single self-signed certificate.

> Is this sequence of actions and commands correct and complete
> for my case, or not:
>
> 1) cd /usr/share/ssl
> 2) modify openssl.cnf to have your Common Name and other parameters
> 3) run:
>    ./CA -newca
>    ./CA -newreq-nodes
> 4) move the private key from the .pem file to a separate file
> 5) put the cert and key file in a location where Postfix,
> 6) Dovecot and Apache can all use them
> 7) configure each of those servers to use the certificate
>
> What have I missed?

1) Run

   openssl req \
     -x509 -nodes -days 365 \
     -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
     -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

You'll for sure want to modify the -subj option in my example, and you might consider lengthening the -days as well so you don't have to rebuild the cert in one year.

Also, if you're doing this on a private server, you can keep the cert and the key in the same file. I'd just give it 0600 perms no matter where you put it.

Then continue with your step #5.

-- 
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
Jay Leafey
2007-Jun-15 20:21 UTC
[CentOS] which commands do you use to SSL certify your own server?
I have a strong aversion to re-inventing the wheel, so I usually use the Makefile provided with the openssl package in RH/CentOS to create self-signed certs. Under CentOS 5 it is located in /etc/pki/tls/certs, under CentOS 4 it is in /usr/share/ssl/certs.

First, change your working directory to the appropriate location and use the make command to create a .PEM file containing the key and certificate. If you just run make with no parameters it will give you some quick help and show some examples of how to use it.

Most applications give you the option of keeping the key and certificate in the same file (like Apache), but you can break it up into separate key and certificate files if you need to either with a plain text editor or the openssl tools.

Your mileage may vary!

-- 
Jay Leafey - Memphis, TN
jay.leafey at mindless.com
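Both Paul's `openssl req -x509 -nodes` one-liner and Jay's Makefile leave you with a key and certificate that still have to be checked and placed before Postfix, Dovecot and Apache can use them (steps 4 to 6 of the original question). The script below is an added example, not code posted by anyone in this thread and not the CentOS Makefile; it generates the pair the way Paul's command does, splits a combined PEM file with the openssl tools as Jay mentions, and then verifies the three things the thread cares about: the key has no passphrase, the key actually belongs to the certificate, and the file permissions are 0600. It assumes a reasonably modern openssl binary that has the `pkey` subcommand; the hostname, file names (`server.key`, `server.crt`, `server.pem`) and the 2048-bit key size are my choices, not values from the thread.

```shell
#!/bin/sh
# Added example for the CentOS list thread above; not the CentOS Makefile
# and not Paul's exact command. Assumes an openssl with the 'pkey' subcommand.
set -eu
umask 077   # every file this script creates starts out as 0600

# make_selfsigned_cert DIR CN [DAYS]
# Writes DIR/server.key (unencrypted, thanks to -nodes), DIR/server.crt,
# and DIR/server.pem (key + cert in one file, the layout Apache accepts).
make_selfsigned_cert() {
    dir=$1; cn=$2; days=${3:-3650}
    openssl req -x509 -nodes -days "$days" \
        -subj "/CN=$cn" \
        -newkey rsa:2048 -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    chmod 0600 "$dir/server.key" "$dir/server.pem"   # Paul's 0600 advice, made explicit
}

# split_pem COMBINED KEYOUT CERTOUT
# Step 4 of the original question done with the openssl tools instead of an
# editor: each subcommand picks the matching PEM block out of the combined file.
split_pem() {
    openssl pkey -in "$1" -out "$2"
    openssl x509 -in "$1" -out "$3"
    chmod 0600 "$2"
}

# key_is_unencrypted KEYFILE
# A passphrase-protected PEM key carries an ENCRYPTED marker in its header;
# no marker means the daemons can restart unattended after a reboot.
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# key_matches_cert KEYFILE CERTFILE
# Derive the public key from the private key and compare it with the public
# key embedded in the certificate; a mismatch means a mixed-up pair.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_days CERTFILE DAYS: succeeds only if the cert does not
# expire within DAYS (the -days value Paul suggests lengthening).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# cert_subject CERTFILE: print the subject so the CN can be eyeballed.
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

main() {
    dir=${1:-$(mktemp -d)}                  # placeholder location, not /etc/pki
    make_selfsigned_cert "$dir" "mail.example.invalid" 3650   # placeholder CN
    split_pem "$dir/server.pem" "$dir/split.key" "$dir/split.crt"
    key_is_unencrypted "$dir/server.key" && echo "key has no passphrase"
    key_matches_cert "$dir/split.key" "$dir/split.crt" && echo "key and cert match"
    cert_valid_for_days "$dir/server.crt" 365 && echo "cert valid for at least a year"
    cert_subject "$dir/server.crt"
    ls -l "$dir"
}

main "$@"
```

Run it as `sh selfsigned.sh /some/dir`; with no argument it writes into a fresh temporary directory. The same checks work on a file produced by the Makefile Jay describes, since that also yields an ordinary PEM key and certificate.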
M. Fioretti
2007-Jun-15 22:11 UTC
[CentOS] which commands do you use to SSL certify your own server?
On Fri, Jun 15, 2007 15:21:31 PM -0500, Jay Leafey (jay.leafey at mindless.com) wrote:

> I have a strong aversion to re-inventing the wheel,

Me too, unless when it's a hidden wheel. Fact is, this is the *first* time I hear mention of this approach. See my original comments about SSL being one of the worst (doc-wise) areas in FOSS... Thanks.

So, you confirm that "make server_and_key.pem" would do what I wrote in the original message, self-signing and no key encryption included? No big deal if key and server end up in the same file.

Thanks,
Marco