CACert.org and OpenSSL howto for Apache, Courier IMAPS, etc.
Forget self-signed certs; with CACert.org, you can get a “free” SSL certificate. That will stop those annoying warnings in your browser about self-signed certs.
Change into the directory where the SSL certs are to be made (for this example I’ll be making my Courier IMAPS work nice!). Oh ya, for this to work, I’m going to be root.
cd /etc/courier/
Now generate a key. (It goes without saying that wherever I use mail.myserver.com, you should use your own full hostname or FQDN.)
openssl genrsa -out mail.myserver.com.key 4096
Create a config file for OpenSSL to use. (You don’t have to do this but it saves typing a lot of the same information in.)
vi imapd.cnf
Paste this text in to the imapd.cnf file (changing what makes sense to change!)
RANDFILE = /usr/lib/courier/imapd.rand

[ req ]
default_bits = 4096
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=<Country Code>        # eg: IE
ST=<County>             # eg: Co Dublin
L=<Town>                # eg: Sandyford
O=<Company name>        # eg: Widgets Ltd
OU=<Department>         # eg: IT Department
CN=<hostname>           # eg: mail.me.com
emailAddress=<address>  # eg: postmaster@mail.me.com

[ cert_type ]
nsCertType = server
Now generate your CSR (Certificate Signing Request) file.
openssl req -new -nodes -key mail.myserver.com.key -config imapd.cnf -out mail.myserver.com.csr
Have a peek at the CSR (Certificate Signing Request) file.. you’ll need to copy this to CACert.org’s application form text box.
It should look something like this…
-----BEGIN CERTIFICATE REQUEST-----
MIIE7TCCAtUCAQAwgacxCzAJBgNVBAYTAklFMRIwEAYDVQQIEwlDbyBEdWJsaW4x
EjAQBgNVBAcTCVNhbmR5Zm9yZDETMBEGA1UEChMKRmludGVsIEx0ZDEWMBQGA1UE
CxMNSVQgRGVwYXJ0bWVudDEYMBYGA1UEAxMPbWFpbC5maW5kdWIuY29tMSkwJwYJ
. . .
sJfK4uH1XJpffJimUApbMdwDyIHwAe6nR1k6BNtN1FJMlzUGNGSGt0oEZ2oH2rtA
6+SyNlTwsD0htcJhYhkv8Xw=
-----END CERTIFICATE REQUEST-----
Sign up with CACert.org
https://www.cacert.org/index.php?id=1
Once you’ve got an account, you will have to register an email address..
https://www.cacert.org/account.php?id=1
Then go to: Server Certificates -> New
https://www.cacert.org/account.php?id=10
Paste your CSR text into the textbox on this page..
The good folk at CACert.org will email you a link that you have to follow in order to issue a CRT file. Once you have got the CRT file contents in your clipboard, paste them into a file.
vi mail.myserver.com.crt
Save this file in the same directory the KEY and CSR file are..
Now we need to create a PEM file. This is simply the KEY and CRT file back to back with some Diffie-Hellman stuff at the end.
cat mail.myserver.com.key mail.myserver.com.crt > mail.myserver.com.pem
This generates Diffie-Hellman parameters, and appends them to the pem file.
openssl dhparam 2048 >> mail.myserver.com.pem
Now make the lot safe.
chmod 400 mail.myserver.com.*
That is it. Now you have a CACert-signed SSL solution for use with Apache, Courier IMAP, Postfix, etc.: any application that requires a CRT/PEM/KEY/CSR file combination to work.
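A quick way to confirm the files fit together before pointing Courier or Apache at them. This is an added example, not part of the original howto: the check_bundle function name is made up here, and it assumes only the KEY, CRT and PEM files produced by the steps above.

```shell
#!/bin/sh
# Added example (hypothetical helper): sanity-check the KEY, CRT and PEM files.
# Usage: check_bundle KEY CRT PEM   -> returns 0 only if every check passes.
check_bundle() {
    key=$1 crt=$2 pem=$3 rc=0

    # 1. The private key must be internally consistent.
    openssl rsa -in "$key" -check -noout >/dev/null 2>&1 ||
        { echo "FAIL: $key is not a valid RSA key"; rc=1; }

    # 2. The certificate must carry the public half of this key
    #    (catches pasting the wrong CRT, or a CRT issued for an older key).
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    if [ -z "$kmod" ] || [ "$kmod" != "$cmod" ]; then
        echo "FAIL: $crt was not issued for $key"; rc=1
    fi

    # 3. The PEM bundle must hold key, certificate and DH parameters.
    #    'BEGIN CERTIFICATE-----' does not match a CSR concatenated by mistake.
    for marker in 'PRIVATE KEY-----' 'BEGIN CERTIFICATE-----' 'DH PARAMETERS-----'; do
        grep -q -- "$marker" "$pem" || { echo "FAIL: $pem lacks $marker"; rc=1; }
    done

    # 4. Files holding the private key must grant nothing to group or other.
    for f in "$key" "$pem"; do
        [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
            { echo "FAIL: $f is accessible to group/other"; rc=1; }
    done

    [ "$rc" -eq 0 ] && echo "OK: bundle is consistent"
    return "$rc"
}

# Run directly as: sh check.sh mail.myserver.com.key mail.myserver.com.crt mail.myserver.com.pem
if [ "$#" -eq 3 ]; then check_bundle "$@"; fi
```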