Welcome to http://www.marssoft.de/
 
Tuesday, 11th December 2018 21:44:41 (GMT+1) 

SSL and VirtualHosts

The Wikipedia TLS page explains quite nicely why, so far, only one SSL certificate can be used per IP address: the TLS handshake (and with it the choice of certificate) is completed before the client sends the HTTP Host header, so the server cannot tell which virtual host is wanted. The Server Name Indication (SNI) extension fixes this by sending the hostname in the ClientHello…

As long as the TLS 1.2 specification is still some way off, one could take a look at this:

signed SSL certificates…

  • http://www.cacert.org/: community-driven Certificate Authority that issues certificates to the public at large for free (its root is not shipped in the major browser and OS trust stores, so clients have to import it first)

Becoming your own CA

Generate Root Certificate

I have an openssl config file (openssl.cnf) at /root/CA/ with several sensible defaults for setting up new certificates; all commands below are run from that directory.

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
   -out cacert.pem -days 3650 -config ./openssl.cnf

This process produces two files as output:

  • The CA private key in private/cakey.pem, encrypted with the passphrase you are asked for (no -nodes here, so it is protected at rest; the same passphrase is asked for again at every signing)
  • The self-signed root CA certificate in cacert.pem, valid for ten years (-days 3650)

Generate a Certificate Signing Request

openssl req -new -nodes -out req.pem -config ./openssl.cnf
Generating a 1024 bit RSA private key
...............................++++++
........++++++
writing new private key to 'key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Organization Name (company) [Private]:
Organizational Unit Name (department, division) []:
Email Address []:root@emmenlauer.de
Locality Name (city, district) [Freiburg]:
State or Province Name (full name) [Baden-Wuerttemberg]:
Country Name (2 letter code) [DE]:
Common Name (hostname, IP, or your name) []:emmenlauer.de

This process produces two files as output:

  • A private key in key.pem, written unencrypted because of -nodes so that the server can start without a passphrase; protect it with file permissions instead
  • A certificate signing request in req.pem

Note the "1024 bit RSA private key" in the output above: that key size is too small today. Set default_bits = 2048 (or larger) in openssl.cnf, or pass -newkey rsa:2048 explicitly.

Signing a Certificate

openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
Using configuration from ./openssl.cnf
Enter pass phrase for ./private/cakey.pem:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
organizationName      :PRINTABLE:'Private'
localityName          :PRINTABLE:'Freiburg'
stateOrProvinceName   :PRINTABLE:'Baden-Wuerttemberg'
countryName           :PRINTABLE:'DE'
commonName            :PRINTABLE:'emmenlauer.de'
Certificate is to be certified until Oct 27 23:08:50 2010 GMT (1424 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

This process updates the CA database (index.txt and the serial file) and produces two files as output:

  • The signed certificate in cert.pem
  • A copy of the certificate in newcerts/<serial>.pem, named after the serial number that was used
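The three steps above depend on the openssl.cnf in /root/CA/, which the page does not show. The following is an added example, not code from the original page: it builds the directory layout and minimal configuration that openssl ca needs (index.txt, serial, newcerts/), then replays root creation, CSR and signing non-interactively and checks the result. It goes beyond the page in two places: the server extensions including a subjectAltName are supplied at signing time rather than taken from the CSR, and the key sizes are 4096/2048 bits instead of 1024. CADIR, CA_PASS, the CA's distinguished name and emmenlauer.de as the example host are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): a self-contained CA directory
# with its own openssl.cnf, so the three steps above can be replayed and
# checked without the page's /root/CA/openssl.cnf. CADIR, CA_PASS, the CA DN
# and the example host are assumptions.
set -eu

CADIR="${CADIR:-$(mktemp -d)}"
# Passphrase for the CA key. Passed as env:CA_PASS so that it does not show
# up in `ps` output the way -passout pass:... would.
export CA_PASS="${CA_PASS:-change-me-before-real-use}"

# Directory layout and configuration that `openssl ca` expects.
ca_init() {
    mkdir -p "$CADIR/private" "$CADIR/newcerts"
    chmod 700 "$CADIR/private"
    : > "$CADIR/index.txt"      # the CA "database"
    echo 01 > "$CADIR/serial"   # next serial number, hex
    cat > "$CADIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir           = $CADIR
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_loose

[ policy_loose ]
# DN fields not listed here are silently dropped from the issued certificate.
countryName      = optional
organizationName = optional
commonName       = supplied

[ req ]
distinguished_name = req_dn
prompt             = no

[ req_dn ]
commonName = placeholder

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Step 1: root key (encrypted with CA_PASS, as the page's passphrase prompt
# implies) and self-signed root certificate, ten years as on the page.
ca_make_root() {
    openssl req -new -x509 -extensions v3_ca -newkey rsa:4096 \
        -keyout "$CADIR/private/cakey.pem" -out "$CADIR/cacert.pem" \
        -days 3650 -config "$CADIR/openssl.cnf" -passout env:CA_PASS \
        -subj "/C=DE/O=Private/CN=Private Root CA"
    chmod 600 "$CADIR/private/cakey.pem"
}

# Step 2: server key (unencrypted via -nodes, so the daemon starts without a
# passphrase) and CSR for $1. 2048-bit RSA instead of the page's 1024.
ca_make_csr() {
    host=$1
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$CADIR/$host-key.pem" -out "$CADIR/$host-req.pem" \
        -config "$CADIR/openssl.cnf" -subj "/C=DE/O=Private/CN=$host"
    chmod 600 "$CADIR/$host-key.pem"
}

# Step 3: sign with `openssl ca`. The server extensions, including the
# subjectAltName that current clients require (they ignore the CN), come from
# a file the CA writes itself, never from the CSR, so a request can never
# smuggle in CA:TRUE or other extensions the CA did not intend.
ca_sign() {
    host=$1
    cat > "$CADIR/$host-ext.cnf" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName         = DNS:$host, DNS:www.$host
EOF
    openssl ca -batch -notext -config "$CADIR/openssl.cnf" -passin env:CA_PASS \
        -extfile "$CADIR/$host-ext.cnf" \
        -out "$CADIR/$host-cert.pem" -infiles "$CADIR/$host-req.pem"
}

# Check: the certificate chains to the root and carries the expected SAN.
ca_check() {
    host=$1
    openssl verify -CAfile "$CADIR/cacert.pem" "$CADIR/$host-cert.pem" >/dev/null &&
        openssl x509 -in "$CADIR/$host-cert.pem" -noout -text | grep -q "DNS:$host"
}

# Whole procedure for one host (default: the page's example host).
ca_demo() {
    host=${1:-emmenlauer.de}
    ca_init
    ca_make_root
    ca_make_csr "$host"
    ca_sign "$host"
    ca_check "$host"
}

# Usage: sh mkca.sh emmenlauer.de   (files end up in $CADIR)
if [ $# -gt 0 ]; then ca_demo "$1"; fi
```

Because openssl ca keeps state in index.txt and serial, running ca_sign twice for the same host fails with a duplicate-subject error unless unique_subject = no is set in CA_default; that is intended, as it stops two live certificates for one name from being issued by accident.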

Distributing key and certificate

The private key has to stay readable only by root and the ssl-cert group (Debian keeps /etc/ssl/private as root:ssl-cert with mode 710 for exactly this purpose); with mode 600 the group membership from the hint below would not help.

chmod 600 req.pem
chmod 644 cert.pem
chgrp ssl-cert key.pem
chmod 640 key.pem

mail-cert.pem and mail-key.pem below are the cert.pem and key.pem from above, renamed for the mail server:

mv mail-cert.pem /etc/ssl/certs/emmenlauer.de-mail-cert.pem
mv mail-key.pem /etc/ssl/private/emmenlauer.de-mail-key.pem

The symlinks keep a reference to the installed files in the CA directory:

ln -s /etc/ssl/certs/emmenlauer.de-mail-cert.pem mail-cert.pem
ln -s /etc/ssl/private/emmenlauer.de-mail-key.pem mail-key.pem

Hint:

On Debian, exim runs as its own user (Debian-exim), which is not in the group 'ssl-cert' and therefore cannot read the private key file. Add that user to the group to change this (and keep the key group-readable as above). Dovecot reads the key files as root before dropping privileges and therefore does not care.

internal/server/sslcert.txt · Last modified: 2014/04/02 22:39 (external edit)