straight dope on SSL certs?

brian fedora at logi.ca
Mon Oct 26 16:48:03 UTC 2009


My self-signed SSL certificates (for Postfix & Cyrus-IMAP) have just 
expired and so I'm faced with once again trying to decipher (heh) the 
multitude of instructions for setting this up. I still have my notes 
from a year ago but, though everything's been working fine (AFAIK), I'm 
not convinced that what I'm doing is correct. I've read many tutorials 
online but each one seems to confuse the issue further.

For one thing, before I'd even started, I'd found some cert files 
already existed. I believe they were set up by the Apache rpm. In any 
case, I just ignored them, as I'm not currently using SSL through 
Apache. I probably will want to use it in the future, however I don't at 
all understand how/why these already exist, as they couldn't possibly 
contain the correct information (commonName, organizationName, etc).

So, anyway ... I'd like to create new certs and, at the same time, clear 
out some of the deadwood under the /etc/pki tree and attempt to get all 
of this into proper order.

This is my current setup:

/etc/postfix/main.cnf:
smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
smtpd_tls_cert_file = /etc/pki/postfix/newcert.pem
smtpd_tls_key_file = /etc/pki/postfix/newkey.pem

/etc/imapd.conf:
tls_ca_file: /etc/pki/tls/certs/cacert.pem
tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
tls_key_file: /etc/pki/cyrus-imapd/newkey.pem

I have no idea what I was thinking when putting these in separate 
directories. I assume that's a redundancy I can do without.

/etc/httpd/conf.d/ssl.conf:
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

Here, localhost.crt and localhost.key were created by something other 
than myself. I have no idea what they're good for, if not self-signed. 
However, I'm guessing that I could probably create a cert/key.pem pair 
and use them for Postfix, Cyrus, and Apache. Note, though, that the 
httpd versions are not PEMs, so that's another source of confusion.

This is from my notes for Postfix/Cyrus:

-- snip --
# cd /etc/pki/tls/misc
./CA_noDES -newca
[creates key file in /etc/pki/CA/private/cakey.pem]

./CA_noDES -newreq
[creates newkey.pem & newreq.pem]

./CA_noDES -sign
[creates /etc/pki/CA/cacert.pem]

ADD THE PRIVATE KEY
# cat /etc/pki/CA/private/cakey.pem

copy this into:
# vi /etc/pki/CA/cacert.pem

# cp /etc/pki/CA/cacert.pem /etc/pki/tls/certs/
-- snip --


Could/should I simply use the above instructions to create:

/etc/pki/tls/certs/localhost.crt.pem
/etc/pki/tls/private/localhost.key.pem

... and use these for all 3 apps?

Also, I'm not really clear (surprise, surprise) on the purpose of the 
last line. Why should I copy cacert.pem from one directory to another? I 
understand that the CA dir is readable only by root. However, by copying 
the file elsewhere, that security seems superfluous.
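An added shell example (not from the original post, nor from Fedora or any of the projects named) covering the two practical points the post raises: generating a single self-signed key/certificate pair that Postfix, Cyrus and Apache can all point at, and checking that anything copied into a world-readable directory such as /etc/pki/tls/certs contains no private key. The hostname mail.example.test, the output directory, the 365-day default lifetime and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Generates ONE self-signed
# key/cert pair, installs it with sane permissions, and verifies it.
# Hostname, directory and lifetime are illustrative assumptions.
set -eu

# Create a private key and a self-signed certificate for HOST in OUTDIR.
# The key is written with mode 0600 (umask in a subshell so the caller's
# umask is untouched); the certificate is public and gets 0644.
# A subjectAltName is added because modern TLS clients ignore the CN.
gen_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -days "$days" \
          -subj "/CN=$host" \
          -addext "subjectAltName=DNS:$host" \
          -keyout "$outdir/$host.key" \
          -out "$outdir/$host.crt" >/dev/null 2>&1 )
    chmod 0600 "$outdir/$host.key"
    chmod 0644 "$outdir/$host.crt"
}

# Return 0 when FILE contains no PEM private-key block. Every file that is
# about to be copied into a world-readable certs directory should pass this.
no_private_key_in() {
    ! grep -q 'PRIVATE KEY-----' "$1"
}

# Return 0 when the certificate in FILE is still valid for at least DAYS
# more days (default 30), so an expiry can be caught before services break.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( ${2:-30} * 86400 )) >/dev/null
}

# Print the lines each service needs when all three share the same pair.
print_service_config() {
    crt=$1; key=$2
    cat <<EOF
# /etc/postfix/main.cf
smtpd_tls_cert_file = $crt
smtpd_tls_key_file = $key

# /etc/imapd.conf
tls_cert_file: $crt
tls_key_file: $key

# /etc/httpd/conf.d/ssl.conf
SSLCertificateFile $crt
SSLCertificateKeyFile $key
EOF
}

# Run the whole procedure only when explicitly requested, e.g.
#   MKCERT_RUN=1 sh mkcert.sh mail.example.test /etc/pki/tls
if [ -n "${MKCERT_RUN:-}" ]; then
    host=${1:-mail.example.test}
    base=${2:-/etc/pki/tls}
    gen_selfsigned "$host" "$base/private" 365
    mv "$base/private/$host.crt" "$base/certs/$host.crt"
    no_private_key_in "$base/certs/$host.crt"
    cert_valid_for_days "$base/certs/$host.crt" 30
    print_service_config "$base/certs/$host.crt" "$base/private/$host.key"
fi
```

The check in `no_private_key_in` is exactly what the "ADD THE PRIVATE KEY ... cp cacert.pem /etc/pki/tls/certs/" step from the notes would fail: once a private key is pasted into a certificate file and that file is copied into a directory every local user can read, the root-only permission on /etc/pki/CA/private no longer protects anything. Keeping the key in the `private` directory and only the certificate in `certs` is what those two directories are for. One caveat for sharing a single key file: a service that opens the key after dropping root (Cyrus runs as its own user) needs read access through group ownership and mode 0640, not a world-readable key.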
