Re: Generating SSL Certificates for Email Clients to get rid of the Self Sign Error on FC3

Paul Howarth wrote:
Thomas Cameron wrote:
Paul Howarth wrote:
The approach I use is to create my own CA certificate and key and then use that to sign the SSL certificates for all of my servers (e.g. SMTP, IMAP, Web). At the client side, it's only necessary then to import the CA certificate and everything just works.

Paul.

Paul -

How did you do that? I mean make the CA cert? The Dovecot and Sendmail (in my case) certs are well documented, but I would love to know how you generated your own CA certificate under FC.

The gist of it is:

1. Go to directory /etc/pki/tls/certs
2. Copy ../openssl.cnf to (say) mycompany.cnf and edit it to suit your needs, for instance:

$ diff ../openssl.cnf mycompany.cnf
37c37
< dir           = ../../CA              # Where everything is kept
---
 > dir           = mycompany-ca          # Where everything is kept
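Review bot: `dir = mycompany-ca` is a relative path, so `openssl ca` only finds the database, serial file and `newcerts` directory when it is run from /etc/pki/tls/certs (step 1); an absolute `dir = /etc/pki/tls/certs/mycompany-ca` removes that dependency on the working directory.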
68c68
< default_days  = 365                   # how long to certify for
---
 > default_days  = 3650                  # how long to certify for
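Review bot: `default_days = 3650` is what `openssl ca` applies to every certificate signed in step 6, so the server certificates get the same ten-year lifetime as the CA itself; passing a shorter `-days` to `openssl ca` for server certificates keeps a server key that has to be replaced from staying valid for a decade.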
133c133
< stateOrProvinceName_default   = Berkshire
---
 > stateOrProvinceName_default   = My State
136c136
< localityName_default          = Newbury
---
 > localityName_default          = My Locality
139c139
< 0.organizationName_default    = My Company Ltd
---
 > 0.organizationName_default    = My Organisation

3. Create directory infrastructure for openssl to manage the certificates:

mkdir -p mycompany-ca/newcerts
echo 01 > mycompany-ca/serial
touch mycompany-ca/index.txt

4. Create the CA certificate and key:

(
        echo ""                      # Country Name: accept the default from mycompany.cnf
        echo ""                      # State or Province Name: default
        echo ""                      # Locality Name: default
        echo ""                      # Organization Name: default
        echo "CA"                    # Organizational Unit Name
        echo "My Name"               # Common Name
        echo "myemail@xxxxxxxxxxx"   # Email Address
) | openssl req -config mycompany.cnf -new -x509 \
        -passout pass:topsecretpassword \
        -text \
        -keyout mycompany-ca.key \
        -out mycompany-ca.crt \
        -days 3650
chmod 600 mycompany-ca.key   # the CA key is the whole trust anchor: readable by root only

5. Make a hash link for your CA if necessary:

ln -s mycompany-ca.crt $(openssl x509 -noout -hash < mycompany-ca.crt).0

6. You can then make individual keys and certificates for each of your applications, all signed using your new CA. For instance, for a web server:

# -nodes leaves the server key unencrypted so the daemon can start without a passphrase prompt
(
        echo ""                      # Country Name: accept the default from mycompany.cnf
        echo ""                      # State or Province Name: default
        echo ""                      # Locality Name: default
        echo ""                      # Organization Name: default
        echo "Web Server"            # Organizational Unit Name
        echo "www.example.com"       # Common Name: the host name clients will connect to
        echo "webmaster@xxxxxxxxxxx" # Email Address
        echo "topsecretpassword"     # challenge password (optional CSR attribute, not a key passphrase)
        echo "example.com"           # optional company name (CSR attribute)
) | openssl req -config mycompany.cnf -new -nodes \
        -text \
        -keyout mycompany-web.key \
        -out mycompany-web.csr       # the request gets its own file, kept apart from the key
# Sign the request with the CA; validity comes from default_days in mycompany.cnf
# (or an explicit -days here) and the signed certificate lands in mycompany-web.crt.
openssl ca -config mycompany.cnf -batch \
        -policy policy_anything \
        -passin pass:topsecretpassword \
        -keyfile mycompany-ca.key \
        -cert mycompany-ca.crt \
        -out mycompany-web.crt \
        -infiles mycompany-web.csr
chmod 600 mycompany-web.key


Obviously in all of the above change "mycompany", "example.com", "topsecretpassword", "My Name" etc. to values appropriate to you.

If you want to see what each of the response fields (the echo commands in parentheses in the commands above) are for, just run the openssl command directly without piping input into it and enter your responses to the prompts at the keyboard.

Paul.


Thanks, Paul!  That is exactly what I was hoping for!

TC
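The same procedure as an added example (not Paul's code): a self-contained sh version that builds the CA directory layout and a minimal config in a scratch directory, uses -subj in place of the piped echo lines, issues a server certificate with a server-only extension profile, and ends with the openssl verify check that importing the CA makes succeed. It assumes the openssl CLI is installed; the organisation name and the www.example.com host are made-up values.

```shell
# Added example, not code from the thread: Paul's CA procedure in a scratch
# directory with its own minimal config and -subj in place of the piped echo lines,
# plus the chain check an imported CA enables. Assumes the openssl CLI; names are made up.
set -e

# build_ca DIR: index/serial/newcerts layout, a minimal config, then the CA key and certificate
build_ca() {
    mkdir -p "$1/newcerts"; echo 01 > "$1/serial"; : > "$1/index.txt"
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_days = 3650
default_md = sha256
policy = policy_anything
[ policy_anything ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
EOF
    # -nodes keeps this non-interactive; the original protects the CA key with a passphrase
    openssl req -new -x509 -nodes -newkey rsa:2048 -config "$1/ca.cnf" -days 3650 \
        -subj "/O=My Organisation/CN=My CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# issue_server_cert DIR NAME HOST: key and CSR for HOST, signed by the CA with a server-only profile
issue_server_cert() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/ca.cnf" \
        -subj "/O=My Organisation/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    chmod 600 "$1/$2.key"
    printf '[ server_ext ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$3" > "$1/$2.ext"
    openssl ca -config "$1/ca.cnf" -batch -notext -extfile "$1/$2.ext" -extensions server_ext \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

# verify_server_cert DIR NAME: succeeds only if NAME.crt chains to DIR/ca.crt
verify_server_cert() { openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; }
```

Call build_ca once, issue_server_cert once per service, then verify_server_cert to confirm the chain; that -CAfile check is the same validation a mail or web client performs after the CA certificate has been imported.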

