Hello,
I am going to build an email server on Centos for a small, private group of users and I just want to encrypt all communications between that server and the (remote) email clients of those users (or their browsers, when they use webmail). Client certificates are not necessary, at least now.
I understand that to do that I need to create my own SSL CA, create with it a self signed certificate and key pair and make sure that the private key is not encrypted, so the server restarts unattended in case of a reboot.
I have already looked at man pages and a few online tutorials, but frankly they are not clear on what to do to achieve all and _only_ what I wrote above. Most documentation, when not outdated, seems targeted at much more complex scenarios.
Is this sequence of actions and commands correct and complete for my case, or not:
1) cd /usr/share/ssl
2) modify openssl.cnf to have your Common Name and other parameters
3) run: ./CA -newca
        ./CA -newreq-nodes
4) move the private key from the .pem file to a separate file
5) put the cert and key file in a location where Postfix,
6) Dovecot and Apache can all use them
7) configure each of those servers to use the certificate
What have I missed?
Thank you in advance for any feedback (I'll have access to the server only over the weekend, but it would be great to have this issue as clear as possible before starting...)
Marco
On Fri, 15 Jun 2007, Marco Fioretti wrote:
Hello,
I am going to build an email server on Centos for a small, private group of users and I just want to encrypt all communications between that server and the (remote) email clients of those users (or their browsers, when they use webmail). Client certificates are not necessary, at least now.
I understand that to do that I need to create my own SSL CA, create with it a self signed certificate and key pair and make sure that the private key is not encrypted, so the server restarts unattended in case of a reboot.
You don't need a CA to create a single self-signed certificate.
Is this sequence of actions and commands correct and complete for my case, or not:
- cd /usr/share/ssl
- modify openssl.cnf to have your Common Name and other parameters
- run: ./CA -newca ./CA -newreq-nodes
- move the private key from the .pem file to a separate file
- put the cert and key file in a location where Postfix,
- Dovecot and Apache can all use them
- configure each of those servers to use the certificate
What have I missed?
1) Run
openssl req \
  -x509 -nodes -days 365 \
  -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
You'll for sure want to modify the -subj option in my example, and you might consider lengthening the -days as well so you don't have to rebuild the cert in one year.
Also, if you're doing this on a private server, you can keep the cert and the key in the same file. I'd just give it 0600 perms no matter where you put it.
Then continue with your step #5.
On Fri, Jun 15, 2007 06:32:42 AM -0700, Paul Heinlein
You don't need a CA to create a single self-signed certificate.
I see. Actually, this is just one of those things that is not clear at all from the online docs I found.
- cd /usr/share/ssl
- modify openssl.cnf to have your Common Name and other parameters
- run: ./CA -newca ./CA -newreq-nodes
- move the private key from the .pem file to a separate file
- put the cert and key file in a location where Postfix,
- Dovecot and Apache can all use them
- configure each of those servers to use the certificate
What have I missed?
- Run
openssl req \
  -x509 -nodes -days 365 \
  -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
this would be the one-command version of running CA -newreq -nodes, after placing the right values of C, ST, L, CN, etc... in openssl.cnf, right? Just to be sure that I have understood where all the pieces come from (as I said, I won't be able to play on the server before Sunday...)
Still to be 100% sure of what we are saying: the command above self-signs keys and certificate and puts both of them in the mycert.pem file, correct?
Also, if you're doing this on a private server, you can keep the cert and the key in the same file.
I assume by "private" here you mean "a server which is only used by the members of a closed organization (business, charity, whatever...) but is not used as an ISP to the public", right?
I'd just give it 0600 perms no matter where you put it.
0600 and ownership root, of course?
Sorry for the repeated questions, but I must say that ssl is one of the fields where the available docs are less clear to non-professionals. It seems to take a lot of effort to just figure out which are the right questions to ask...
Thanks again in advance for any feedback,
Marco
On Fri, 15 Jun 2007, M. Fioretti wrote:
- Run
openssl req \
  -x509 -nodes -days 365 \
  -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
this would be the one-command version of running CA -newreq -nodes, after placing the right values of C, ST, L, CN, etc... in openssl.cnf, right?
Right.
Still to be 100% sure of what we are saying: the command above self-signs keys and certificate and puts both of them in the mycert.pem file, correct?
Right.
Also, if you're doing this on a private server, you can keep the cert and the key in the same file.
I assume by "private" here you mean "a server which is only used by the members of a closed organization (business, charity, whatever...) but is not used as an ISP to the public", right?
Right. I use "private" in the sense of "I trust that users with login privileges to this machine won't abuse it or intentionally try to access data that's off-limits to them."
I'd just give it 0600 perms no matter where you put it.
0600 and ownership root, of course?
Yes.
Sorry for the repeated questions, but I must say that ssl is one of the fields where the available docs are less clear to non-professionals. It seems to take a lot of effort to just figure out which are the right questions to ask...
I agree whole-heartedly. Building and maintaining an infrastructure to support SSL-enabled applications is a daunting task, and quite different from learning SSL programming or theory. Anyone looking to write for O'Reilly could probably pitch such a title! :-)
I have a strong aversion to re-inventing the wheel, so I usually use the Makefile provided with the openssl package in RH/CentOS to create self-signed certs. Under CentOS 5 it is located in /etc/pki/tls/certs, under CentOS 4 it is in /usr/share/ssl/certs.
First, change your working directory to the appropriate location and use the make command to create a .PEM file containing the key and certificate. If you just run make with no parameters it will give you some quick help and show some examples of how to use it.
Most applications give you the option of keeping the key and certificate in the same file (like Apache), but you can break it up into separate key and certificate files if you need to either with a plain text editor or the openssl tools.
Your mileage may vary!
On Fri, Jun 15, 2007 15:21:31 PM -0500, Jay Leafey (jay.leafey@mindless.com) wrote:
I have a strong aversion to re-inventing the wheel,
Me too, unless when it's a hidden wheel. Fact is, this is the *first* time I hear mention of this approach. See my original comments about SSL being one of the worst (doc-wise) areas in FOSS... Thanks.
So, you confirm that "make server_and_key.pem" would do what I wrote in the original message, self-signing and no key encryption included? No big deal if key and server end up in the same file.
Thanks, Marco
M. Fioretti wrote:
On Fri, Jun 15, 2007 15:21:31 PM -0500, Jay Leafey (jay.leafey@mindless.com) wrote:
I have a strong aversion to re-inventing the wheel,
Me too, unless when it's a hidden wheel. Fact is, this is the *first* time I hear mention of this approach. See my original comments about SSL being one of the worst (doc-wise) areas in FOSS... Thanks.
# openssl genrsa -out /etc/ssl/private/server.key 1024
# openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
# openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
    -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
perhaps change the directories to match whatever your given apache version is running.
my apache dirs at present are like: /usr/local/apache/conf/ssl/
but the stock httpd on centos may be different, you get the idea though.
reading the existing centos scripts is fun too.
So, you confirm that "make server_and_key.pem" would do what I wrote in the original message, self-signing and no key encryption included? No big deal if key and server end up in the same file.
Thanks, Marco
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
On Fri, Jun 15, 2007 17:14:55 PM -0700, Karl R. Balsmeier (karl@klxsystems.net) wrote:
# openssl genrsa -out /etc/ssl/private/server.key 1024
# openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
# openssl x509 -req -days 365 -in /etc/ssl/private/server.csr \
    -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
Where should the -nodes option go with this approach? Only in the first command?
Now, let's compare this with the one-command solution that Paul provided, please:
openssl req \
  -x509 -nodes -days 365 \
  -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
If I _am_ starting to figure this out, the only differences are that:
- Paul passed all the options on the command line in -subj, Karl assumes they are in openssl.cnf
- Karl places keys and certificate in _separate_ files (as I had originally asked), so he needs 3 commands instead of one: the first creates the key, the second an unsigned certificate in /etc/ssl/private/server.csr, the third signs that certificate with the key and puts the signed version in /etc/ssl/server.crt
Is this explanation correct?
Yes, I'm being verbose and I'm nitpicking, but since we all agreed there is no decent documentation on these basic issues (*), we can say we're writing it now, aren't we?
Thanks again for your time and patience,
Marco
(*) For the record, I asked the same question on the openssl-users list before coming here, but am still waiting for any answer on that front...
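As an added worked example (not code from the thread or from any of its posters), the script below ties the two approaches together: it runs Paul's one-command "openssl req -x509 -nodes" form, then splits the combined PEM into the separate key and certificate files that Karl's three commands end up with, and checks that the key really is unencrypted, that it matches the certificate, and that the certificate is self-signed. It assumes the openssl binary is installed; the CN, the 2048-bit key size and the ten-year lifetime are this example's own choices, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: make the unencrypted self-signed server
# cert with Paul's one-command form, split the combined PEM into the separate
# key and cert files Karl's three commands end up with, and verify the result
# before Postfix, Dovecot and Apache get pointed at it. Assumes the openssl
# binary is installed; CN, key size and lifetime are this example's values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CN="${CN:-mail.example.invalid}"     # constructed name; use the real hostname
COMBINED="$WORKDIR/mycert.pem"       # key + cert in one file, as in the thread
KEYFILE="$WORKDIR/server.key"
CRTFILE="$WORKDIR/server.crt"

# -nodes leaves the key unencrypted so the daemons restart unattended; -x509
# self-signs instead of writing a CSR. 2048 bits and ten years are this
# example's choices, not the thread's rsa:1024 and 365 days.
make_combined() {
    openssl req -x509 -nodes -days 3650 \
        -subj "/C=US/ST=Oregon/L=Portland/CN=$CN" \
        -newkey rsa:2048 -keyout "$COMBINED" -out "$COMBINED"
    chmod 0600 "$COMBINED"           # as root, also: chown root:root
}

# Extract key and cert with the openssl tools rather than a text editor.
split_combined() {
    openssl pkey -in "$COMBINED" -out "$KEYFILE"
    openssl x509 -in "$COMBINED" -out "$CRTFILE"
    chmod 0600 "$KEYFILE"
    chmod 0644 "$CRTFILE"            # the cert is public; the key is not
}

# Checks worth running before pointing the daemons at the files.
key_is_unencrypted() {   # a plain key loads without any passphrase
    ! grep -q ENCRYPTED "$KEYFILE" &&
        openssl pkey -in "$KEYFILE" -noout -passin pass:unused >/dev/null 2>&1
}
cert_matches_key() {     # public key in the cert equals the one in the key file
    [ "$(openssl x509 -in "$CRTFILE" -noout -pubkey)" = \
      "$(openssl pkey -in "$KEYFILE" -pubout)" ]
}
cert_is_self_signed() {  # issuer DN equals subject DN
    [ "$(openssl x509 -in "$CRTFILE" -noout -subject | sed 's/^subject=//')" = \
      "$(openssl x509 -in "$CRTFILE" -noout -issuer | sed 's/^issuer=//')" ]
}
make_combined && split_combined
key_is_unencrypted && cert_matches_key && cert_is_self_signed
echo "OK: key=$KEYFILE cert=$CRTFILE"
```

Run it as root on the server, move server.key and server.crt to the directory each daemon is configured to read, and keep the 0600 mode on the key file.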