Generating SSL Certificates for Email Clients to get rid of the Self Sign Error on FC3
Thomas Cameron
thomas.cameron at camerontech.com
Thu Sep 28 14:58:37 UTC 2006
Paul Howarth wrote:
> Thomas Cameron wrote:
>> Paul Howarth wrote:
> >>> The approach I use is to create my own CA certificate and key and
>>> then use that to sign the SSL certificates for all of my servers
>>> (e.g. SMTP, IMAP, Web). At the client side, it's only necessary then
>>> to import the CA certificate and everything just works.
>>>
>>> Paul.
>>
>> Paul -
>>
>> How did you do that? I mean make the CA cert? The Dovecot and
>> Sendmail (in my case) certs are well documented, but I would love to
>> know how you generated your own CA certificate under FC.
>
> The gist of it is:
>
> 1. Go to directory /etc/pki/tls/certs
> 2. Copy ../openssl.cnf to (say) mycompany.cnf and edit it to suit your
> needs, for instance:
>
> $ diff ../openssl.cnf mycompany.cnf
> 37c37
> < dir = ../../CA # Where everything is kept
> ---
> > dir = mycompany-ca # Where everything is kept
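Review bot: `dir = mycompany-ca` is a path relative to the current working directory, so every later `openssl ca` run has to be started from /etc/pki/tls/certs (step 1) or it will not find the serial file and index.txt database that live under that directory. An absolute path such as `dir = /etc/pki/tls/certs/mycompany-ca` removes that dependency and makes the config safe to use from a script.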
> 68c68
> < default_days = 365 # how long to certify for
> ---
> > default_days = 3650 # how long to certify for
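Review bot: `default_days = 3650` is the lifetime `openssl ca` assigns to every certificate it signs, so the server certificates issued in step 6 are valid for ten years (the `-days 3650` passed to `openssl req -new` there only has an effect together with `-x509` and is otherwise ignored). A ten-year certificate on an Internet-facing SMTP, IMAP or web server means a stolen key stays trusted for a decade unless a CRL is published, which this setup does not do. Consider keeping 3650 for the CA certificate only and using a shorter value, or an explicit `-days` on the `openssl ca` command, for the server certificates.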
> 133c133
> < stateOrProvinceName_default = Berkshire
> ---
> > stateOrProvinceName_default = My State
> 136c136
> < localityName_default = Newbury
> ---
> > localityName_default = My Locality
> 139c139
> < 0.organizationName_default = My Company Ltd
> ---
> > 0.organizationName_default = My Organisation
>
> 3. Create directory infrastructure for openssl to manage the certificates:
>
> mkdir -p mycompany-ca/newcerts
> echo 01 > mycompany-ca/serial
> touch mycompany-ca/index.txt
>
> 4. Create the CA certificate and key:
>
> (
> echo ""                      # countryName: accept the config default
> echo ""                      # stateOrProvinceName: accept the config default
> echo ""                      # localityName: accept the config default
> echo ""                      # organizationName: accept the config default
> echo "CA"                    # organizationalUnitName
> echo "My Name"               # commonName of the CA
> echo "myemail@example.com"   # emailAddress
> ) | openssl req -config mycompany.cnf -new -x509 \
> -passout pass:topsecretpassword \
> -text \
> -keyout mycompany-ca.key \
> -out mycompany-ca.crt \
> -days 3650
> chmod 600 mycompany-ca.key   # the CA key must never be world-readable
>
> 5. Make a hash link for your CA if necessary:
>
> ln -s mycompany-ca.crt $(openssl x509 -noout -hash < mycompany-ca.crt).0
>
> 6. You can then make individual keys and certificates for each of your
> applications, all signed using your new CA. For instance, for a web server:
>
> (
> echo ""                        # countryName: accept the config default
> echo ""                        # stateOrProvinceName: accept the config default
> echo ""                        # localityName: accept the config default
> echo ""                        # organizationName: accept the config default
> echo "Web Server"              # organizationalUnitName
> echo "www.example.com"         # commonName: the host name clients connect to
> echo "webmaster@example.com"   # emailAddress
> echo "topsecretpassword"       # challenge password (stored in the CSR only)
> echo "example.com"             # optional company name
> ) | openssl req -config mycompany.cnf -new -nodes \
> -text \
> -keyout mycompany-web.key \
> -out mycompany-web.csr \
> -days 3650                     # ignored for a CSR; lifetime comes from default_days
> openssl ca -config mycompany.cnf -batch \
> -policy policy_anything \
> -passin pass:topsecretpassword \
> -keyfile mycompany-ca.key \
> -cert mycompany-ca.crt \
> -out mycompany-web.crt \
> -infiles mycompany-web.csr     # the CSR, not the key, is what the CA signs
> chmod 600 mycompany-web.key
>
>
> Obviously in all of the above change "mycompany", "example.com",
> "topsecretpassword", "My Name" etc. to values appropriate to you.
>
> If you want to see what each of the response fields (the echo commands
> in parentheses in the commands above) are for, just run the openssl
> command directly without piping input into it and enter your responses
> to the prompts at the keyboard.
>
> Paul.
>
Thanks, Paul! That is exactly what I was hoping for!
TC
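The procedure Paul describes, as an added example that is not code from the original thread: a POSIX shell script that builds a throwaway private CA, issues a CA-signed server certificate, and then performs the checks a mail or web client performs when it trusts that CA. It signs with `openssl x509 -req` (which needs no config file or index database) rather than `openssl ca`, adds a subjectAltName because current clients match the host name there rather than in the CN, and finishes with `openssl verify`. It assumes only that the `openssl` command-line tool is on PATH; the names "Example Org", "Demo CA" and "mail.example.test" are constructed.

```shell
#!/bin/sh
# Added example (not code from the original thread): a throwaway private CA,
# a CA-signed server certificate and the verification a client performs.
# Assumes only that the openssl command-line tool is on PATH.
# Names such as "Example Org" and "mail.example.test" are constructed.
set -e

# make_ca DIR NAME: RSA key plus self-signed CA certificate, as in step 4.
# The key is left unencrypted (-nodes) so the script runs unattended;
# for a real CA keep -passout as in the original step 4.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=Example Org/CN=$2" \
    -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1
  chmod 600 "$1/ca.key"
}

# issue_server_cert DIR HOST: key + CSR for HOST, signed by DIR's CA (step 6).
# Signing uses "openssl x509 -req", which needs no config file or index
# database, instead of "openssl ca". The extensions file marks the
# certificate as an end entity and carries the host name in subjectAltName,
# which is where current mail and web clients look for it.
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Org/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$2" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" >/dev/null 2>&1
  chmod 600 "$1/$2.key"
}

# verify_chain CAFILE CERT: succeeds only if CERT chains to CAFILE,
# i.e. what a client does after importing the CA certificate.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT HOST: succeeds if CERT lists HOST as a DNS subjectAltName.
has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# hash_link_name CAFILE: the "<hash>.0" symlink name step 5 would create.
hash_link_name() {
  echo "$(openssl x509 -noout -subject_hash -in "$1").0"
}

# Stand-alone run: build a CA, issue one certificate and show the checks.
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_ca "$work" "Demo CA"
  issue_server_cert "$work" mail.example.test
  verify_chain "$work/ca.crt" "$work/mail.example.test.crt" && echo "chain OK"
  echo "hash link: $(hash_link_name "$work/ca.crt") -> ca.crt"
  rm -rf "$work"
fi
```

Run it as `sh script.sh demo`. The negative case matters as much as the positive one: a certificate signed by one CA must fail `verify_chain` against a different CA's certificate, which is exactly the check that stops a client from accepting an attacker's self-signed certificate once the real CA is imported.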