On Fri, 15 Jun 2007, Marco Fioretti wrote:
Hello,
I am going to build an email server on Centos for a small, private group of users and I just want to encrypt all communications between that server and the (remote) email clients of those users (or they browsers, when they use webmail). Client certificates are not necessary, at least now.
I understand that to do that I need to create my own SSL CA, create with it a self signed certificate and key pair and make sure that the private key is not encrypted, so the server restarts unattended in case of a reboot.
You don't need a CA to create a single self-signed certificate.
Is this sequence of actions and commands correct and complete for my case, or not:
- cd /usr/share/ssl
- modify openssl.cnf to have your Common Name and other parameters
- run: ./CA -newca ./CA -newreq-nodes
- move the private key from the .pem file to a separate file
- put the cert and key file in a location where Postfix,
- Dovecot and Apache can all use them
- configure each of those servers to use the certificate
What have I missed?
1) Run
openssl req \ -x509 -nodes -days 365 \ -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \ -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
You'll for sure want to modify the -subj option in my example, and you might consider lengthening the -days as well so you don't have to rebuild the cert in one year.
Also, if you're doing this on a private server, you can keep the cert and the key in the same file. I'd just give it 0600 perms no matter where you put it.
Then confinue with your step #5.