Worked out on RedHat, but it might work elsewhere. Caution: these are my partial recollections. I should test it again to make sure it works, maybe when I reinstall the mail server…

We work in /usr/share/ssl. Edit the openssl.cnf configuration file: set dir in CA_default to /usr/share/ssl, and set the default place for new certs to $dir/certs. Change the defaults for countryName, etc., so that we won't have to type them in repeatedly. Touch /usr/share/ssl/index.txt, and echo '100001' into /usr/share/ssl/serial.

We create a root certificate for our server. We don't really want to shell out money to a proper authority, right?
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
-out cacert.pem -days 3650 -config ./openssl.cnf
Now the root certificate consists of /usr/share/ssl/cacert.pem and /usr/share/ssl/private/cakey.pem; the first is the public part, which we can distribute to people who want to trust us, and the second is the CA's private key. Now go to certs and create a request for the imapd certificate:
openssl req -new -nodes -out imapd-req.pem -keyout imapd-key.pem \
-days 3650 -config ../openssl.cnf
and actually get the certificate with
openssl ca -out imapd-cert.pem -config ../openssl.cnf \
-infiles imapd-req.pem
(-infiles must be last!) We'll need the passphrase chosen when the CA was created. Last, merge the imapd key and certificate into the final signed certificate:
cat imapd-key.pem imapd-cert.pem > imapd.pem
Should be all! Imapd knows to look for /usr/share/ssl/certs/imapd.pem. See also how to use these certificates in OS X… The same certificates can be used for Apache, but the .key file goes into /etc/httpd/conf/ssl.key/server.key and the .pem file goes into /etc/httpd/conf/ssl.crt/server.crt. Mmh… maybe /usr/share/ssl/misc/CA does all of the above? Big thanks go to the kind folks at flatmtn.
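The whole procedure above as an added, self-contained example (not the page's own commands): it runs the CA and imapd steps non-interactively in a throwaway directory with a constructed minimal openssl.cnf, then does the two checks the page skips, verifying the certificate against our root and checking that the key matches the certificate. It assumes only the openssl command-line tool; the passphrase and names are made up.

```shell
# Added example, not the page's own commands: the CA and imapd steps above,
# run non-interactively in a throwaway directory, plus the checks the page
# leaves out. Assumes only the openssl CLI; the openssl.cnf is constructed.
set -eu
make_and_check_imapd_cert() (
  work=$(mktemp -d)
  cd "$work"
  mkdir certs private newcerts        # 'openssl ca' also needs newcerts
  touch index.txt
  echo '100001' > serial              # first serial number, as on the page
  cat > openssl.cnf <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $work
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
private_key = \$dir/private/cakey.pem
certificate = \$dir/cacert.pem
default_md = sha256
default_days = 3650
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Root CA with a passphrase-protected key, as on the page (here pass:capass).
  openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem \
    -out cacert.pem -days 3650 -config ./openssl.cnf \
    -subj '/CN=Example Test CA' -passout pass:capass
  cd certs
  # Server request with an unencrypted key (-nodes), then CA-sign it.
  openssl req -new -nodes -out imapd-req.pem -keyout imapd-key.pem \
    -config ../openssl.cnf -subj '/CN=imap.example.test'
  openssl ca -batch -passin pass:capass -out imapd-cert.pem \
    -config ../openssl.cnf -infiles imapd-req.pem
  cat imapd-key.pem imapd-cert.pem > imapd.pem
  chmod 600 imapd.pem imapd-key.pem   # the merged file holds the private key
  openssl verify -CAfile ../cacert.pem imapd-cert.pem >/dev/null  # chains to our root
  [ "$(openssl x509 -in imapd-cert.pem -noout -pubkey)" = \
    "$(openssl pkey -in imapd-key.pem -pubout)" ]   # key matches the certificate
)
```

The function exits non-zero if either check fails, so it can double as a post-install sanity test of a real imapd.pem by pointing the last three commands at it.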
sslcerts
2005-08-26, 00:47