[CentOS] which commands do you use to SSL certify your own server?

Fri Jun 15 13:32:42 UTC 2007
Paul Heinlein <heinlein at madboa.com>

On Fri, 15 Jun 2007, Marco Fioretti wrote:

> Hello,
>
> I am going to build an email server on Centos for a small, private 
> group of users and I just want to encrypt all communications between 
> that server and the (remote) email clients of those users (or they 
> browsers, when they use webmail). Client certificates are not 
> necessary, at least now.
>
> I understand that to do that I need to create my own SSL CA, create 
> with it a self signed certificate and key pair and make sure that 
> the private key is not encrypted, so the server restarts unattended 
> in case of a reboot.

You don't need a CA to create a single self-signed certificate.

> Is this sequence of actions and commands correct and complete
> for my case, or not:
>
> 1) cd /usr/share/ssl
> 2) modify openssl.cnf to have your Common Name and other parameters
> 3) run:
>      ./CA -newca
>      ./CA -newreq-nodes
> 4) move the private key from the .pem file to a separate file
> 5) put the cert and key file in a location where Postfix,
> 6) Dovecot and Apache can all use them
> 7) configure each of those servers to use the certificate
>
> What have I missed?

1) Run

openssl req \
   -x509 -nodes -days 365 \
   -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
   -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

You'll for sure want to modify the -subj option in my example, and you 
might consider lengthening the -days as well so you don't have to 
rebuild the cert in one year.

Also, if you're doing this on a private server, you can keep the cert 
and the key in the same file. I'd just give it 0600 perms no matter 
where you put it.

Then confinue with your step #5.

-- 
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com