SSL certificate creation HowTo

Securing your web site or your MTA with SSL encryption (i.e. HTTPS traffic) can be a daunting task if you’ve never worked with it before. The following steps assume that you’ll be working from a Linux server running Apache web server and/or postfix.

To understand how the whole SSL encryption process works, check out this article here.

From the server you’re going to install the ssl certificate onto, do the following:

  • Create the SSL Certificate request
    • openssl req -new -nodes -keyout newkey.pem -out newreq.pem
      • This generates a new SSL certificate request, newreq.pem, and a new (unencrypted) private key, newkey.pem. The default key size for the new private key is 1024 bits.
      • You’ll be prompted for several different bits of information, the most important one is the ‘common name’. You’ll want to make sure that it is the same as what you want clients to use when connecting to you over the Internet (i.e. www.myhost.com).
      • Don’t forget this part! Make your private key file readable only by root, to keep it secure.
  • You now need to take the cert request file (newreq.pem) and give it to a Certificate Authority (CA) and obtain a signed certificate from the CA in return. Depending on whether you administer the CA or your ISP does it, the end result should be that you’re left with a resulting certificate that is in PEM format. I won’t go into the details of how to do the CA side of things here – I’ll assume that you’re probably just going to copy and paste the newreq.pem file into a page on your ISP’s web site, upon which they’ll make a signed certificate available to you, i.e. newcert.pem.
  • Once you have the signed certificate, you need to place it in the appropriate location and make configuration changes to the software that is going to use it.
    • For example, if you were using the certificate for Apache for a web site you’re wanting clients to access over HTTPS:
      • in your httpd.conf file for the site you’re administering, you’d add [SSLCertificateFile /path/to/newcert.pem] (without brackets, they’re included from here on out for readability’s sake).
      • You have the option of including the private key within the newcert.pem file, by simply cat-ing it and appending it to the file. But you can also keep them separate (my preference) and just add the following additional config line to httpd.conf: [SSLCertificateKeyFile /path/to/newkey.pem].
      • You also need a CA bundle for the client connecting to your site, so their browser will know where to go to verify your certificate. The file used by default gets generated when you compile/install Apache. Find it, copy it into the directory which holds your other keys, and point to it with the following directive: [SSLCACertificateFile /path/to/ca-bundle.crt]. If your CA is not a publicly registered CA, it’s not going to be included in this file, and you’ll need to obtain the certificate for the CA and append it to this file. Generally this would be accomplished by your CA admin providing you with a plain text file that you simply cat and append to this ca-bundle.crt file.
      • If your SSL signing authority delegates its signing authority to ‘subordinate CAs’, then you may also need a ‘Certificate Chain’ file, so that connecting clients will know how to follow a CA’s authority up the ‘chain’ to the parent CA and verify your certificate that way. If you require a certificate chain file, your ISP will indicate it as part of their instructions for getting your certificate installed. To include it, you use the following directive: [SSLCertificateChainFile /path/to/intermediate-bundle.crt].
      • There are a lot of other config options that are necessary for SSL, but there are plenty of examples for that out there. My purpose here is just to help you understand/implement the certificate piece of things. Now restart Apache and verify that you can connect to your web server over port 443 via HTTPS.
    • If instead you were planning on using the certificate for, say, TLS connectivity with postfix:
      • copy all of your certs (private key, public certificate, CA certificate) into the /etc/postfix directory, or wherever else you want them to live.
      • modify your main.cf to contain [smtpd_tls_security_level = may] in order to enable the ability to receive TLS-encrypted traffic.
      • in main.cf, add [smtpd_tls_key_file = /etc/postfix/newkey.pem] to tell postfix what to use as the private key
      • in main.cf, add [smtpd_tls_cert_file = /etc/postfix/newcert.pem] to tell postfix what to use as the public cert
      • in main.cf, add [smtpd_tls_CAfile = /etc/postfix/cacert.pem] to tell postfix what to use as its list of trusted root CAs. If your cert was signed by a CA that is not included in this file, then you’ll need to append your CA’s cert to the end of this file.
      • in main.cf, add [smtp_tls_security_level = may] in order to tell postfix to use TLS if the receiving server offers it upon connecting (the host will advertise STARTTLS).
      • set the smtp (client) settings to the same values as those for smtpd, via the following: [smtp_tls_key_file = $smtpd_tls_key_file], [smtp_tls_cert_file = $smtpd_tls_cert_file], [smtp_tls_CAfile = $smtpd_tls_CAfile]
      • save main.cf and reload postfix.
  • If you wanted to check and make sure that you could connect to postfix over a TLS connection, the best way to test is like this:
    • openssl s_client -connect hostname:25 -starttls smtp
  • If you want to check SSL connectivity to your HTTPS secured web site, do it like this:
    • openssl s_client -connect hostname:443
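
As an added example (not part of the original HowTo), here is a small POSIX shell script that drives the certificate-request step above non-interactively and adds the checks worth doing before restarting Apache or Postfix: that the private key is readable only by its owner, that the signed certificate handed back by the CA actually matches the key, and that it verifies against the CA bundle you intend to name in SSLCACertificateFile or smtpd_tls_CAfile. It assumes openssl is on PATH; the common name, file names and directory are placeholders.

```shell
#!/bin/sh
# Added example (not from the original HowTo): drive the CSR step above
# non-interactively and check the results before Apache or Postfix use them.
# Assumes openssl is on PATH; the CN and paths are placeholders chosen here.
set -eu

# Generate an unencrypted private key (the -nodes of the HowTo) plus a CSR
# whose common name is the hostname clients will connect to.
# The key size is set explicitly instead of relying on openssl's default.
# $1 = common name, $2 = directory to write newkey.pem / newreq.pem into
make_csr() {
    cn=$1; dir=$2
    # umask 077 in a subshell: the key is created readable by its owner only.
    (umask 077; openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$cn" \
        -keyout "$dir/newkey.pem" -out "$dir/newreq.pem" 2>/dev/null)
    chmod 600 "$dir/newkey.pem"
    # Echo the subject the CA will see so the CN can be double-checked.
    openssl req -in "$dir/newreq.pem" -noout -subject
}

# Succeeds only if the private key is unreadable by group and others,
# i.e. mode 600 or 400, as the HowTo's "readable only by root" step requires.
key_is_locked_down() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeeds if the public key inside the signed certificate was derived
# from this private key. A mismatch here is the usual reason Apache or
# Postfix refuse to start after a new certificate is dropped in.
# $1 = private key (PEM), $2 = signed certificate (PEM)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate verifies against a CA in the given bundle,
# which is what the file named by SSLCACertificateFile / smtpd_tls_CAfile
# has to contain for your CA.
# $1 = CA bundle (PEM), $2 = signed certificate (PEM)
cert_verifies_against_bundle() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run the checks against the real newkey.pem, newcert.pem and CA bundle once the CA has returned your certificate, before editing httpd.conf or main.cf.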
