straight dope on SSL certs?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



My self-signed SSL certificates (for Postfix & Cyrus-IMAP) have just expired and so I'm faced with once again trying to decipher (heh) the multitude of instructions for setting this up. I still have my notes from a year ago but, though everything's been working fine (AFAIK), I'm not convinced that what I'm doing is correct. I've read many tutorials online but each one seems to confuse the issue further.

For one thing, before I'd even started, I'd found some cert files already existed. I believe they were set up by the Apache rpm. In any case, I just ignored them, as I'm not currently using SSL through Apache. I probably will want to use it in the future, however I don't at all understand how/why these already exist, as they couldn't possibly contain the correct information (commonName, organizationName, etc).

So, anyway ... I'd like to create new certs and, at the same time, clear out some of the deadwood under the /etc/pki tree and attempt to get all of this into proper order.

This is my current setup:

/etc/postfix/main.cnf:
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_cert_file = /etc/pki/postfix/newcert.pem
smtpd_tls_key_file = /etc/pki/postfix/newkey.pem

/etc/imapd.conf:
tls_ca_file: /etc/pki/tls/certs/cacert.pem
tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
tls_key_file: /etc/pki/cyrus-imapd/newkey.pem

I have no idea what I was thinking when putting these in separate directories. I assume that's a redundancy I can do without.

/etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Here, localhost.crt and localhost.key were created by something other than myself. I have no idea what they're good for, if not self-signed. However, I'm guessing that I could probably create a cert/key.pem pair and use them for Postfix, Cyrus, and Apache. Note, though, that the httpd versions are not PEMs, so that's another source of confusion.

This is from my notes for Postfix/Cyrus:

-- snip --
# cd /etc/pki/tls/misc
./CA_noDES -newca
[creates key file in /etc/pki/CA/private/cakey.pem]

./CA_noDES -newreq
[creates newkey.pem & newreq.pem]

./CA_noDES -sign
[creates /etc/pki/CA/cacert.pem]

ADD THE PRIVATE KEY
# cat /etc/pki/CA/private/cakey.pem

copy this into:
# vi /etc/pki/CA/cacert.pem

# cp /etc/pki/CA/cacert.pem /etc/pki/tls/certs/
-- snip --


Could/should I simply use the above instructions to create:

/etc/pki/tls/certs/localhost.crt.pem
/etc/pki/tls/private/localhost.key.pem

... and use these for all 3 apps?

Also, I'm not really clear (surprise, surprise) on the purpose of the last line. Why should I copy cacert.pem from one directory to another? I understand that the CA dir is readbale only by root. However, by copying the file elsewhere, that security seems superfluous.

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux