CACert.org and OpenSSL howto for Apache, Courier IMAPS, etc. Forget self signed certs, with CACert.org, you can get a “free” SSL certificate. That will stop those annoying warnings in your browser about self signed certs.
Change into a directory where SSL certs are to be made.. (for this example I’ll be making my Courier IMAPS work nice!).. Oh ya, for this to work, I’m going to be root..
Now generate a key. (It goes without saying that where ever I use mail.myserver.com should be your full hostname or FQDM).
openssl genrsa -out mail.myserver.com.key 4096
Create a config file for OpenSSL to use. (You don’t have to do this but it saves typing a lot of the same information in.)
Paste this text in to the imapd.cnf file (changing what makes sense to change!)
RANDFILE = /usr/lib/courier/imapd.rand [ req ] default_bits = 4096 encrypt_key = yes distinguished_name = req_dn x509_extensions = cert_type prompt = no [ req_dn ] C=<Country Code> # eg: IE ST=<County> # eg: Co Dublin L=<Town> # eg: Sandyford O=<Company name> # eg: Widgets Ltd OU=<Department> # eg: IT Department CN=<hostname> # eg: mail.me.com emailAddress=<address> # eg: firstname.lastname@example.org [ cert_type ] nsCertType = server
Now generate your CSR (Certificate Signing Request) file.
openssl req -new -nodes -key mail.myserver.com.key -config imapd.cnf -out mail.myserver.com.csr
Have a peek at the CSR (Certificate Signing Request) file.. you’ll need to copy this to CACert.org’s application form text box.
It should look something like this…
-----BEGIN CERTIFICATE REQUEST----- MIIE7TCCAtUCAQAwgacxCzAJBgNVBAYTAklFMRIwEAYDVQQIEwlDbyBEdWJsaW4x EjAQBgNVBAcTCVNhbmR5Zm9yZDETMBEGA1UEChMKRmludGVsIEx0ZDEWMBQGA1UE CxMNSVQgRGVwYXJ0bWVudDEYMBYGA1UEAxMPbWFpbC5maW5kdWIuY29tMSkwJwYJ . . . sJfK4uH1XJpffJimUApbMdwDyIHwAe6nR1k6BNtN1FJMlzUGNGSGt0oEZ2oH2rtA 6+SyNlTwsD0htcJhYhkv8Xw= -----END CERTIFICATE REQUEST-----
Sign up with CACert.org
Once you’ve got an account, you will have to register an email address..
Then goto: Server Certificates -> New
Paste your CSR text into the textbox on this page..
The good folk at CACert.org will email you a link that you have to follow in order to issue a CRT file.. Then you have got the CRT file contents in your clipboard, paste them in to a file.
Save this file in the same directory the KEY and CSR file are..
Now we need to create a PEM file. This is simply the KEY and CRT file back to back with some Diffie-Hellman stuff at the end.
cat mail.myserver.com.key mail.myserver.com.crt > mail.myserver.com.pem
This generates Diffie-Hellman parameters, and appends them to the pem file.
openssl gendh >> mail.myserver.com.pem
Now make the lot safe.
chmod 400 mail.myserver.com.*
That is it.. now you have CACert signed SSL solution for use with either Apache, Courier IMAP, Postfix, etc.. any application that requires a CRT/PEM/KEY/CSR file combination to work.