Re: Generating SSL Certificates for Email Clients to get rid of the Self Sign Error on FC3

Paul Howarth wrote:
Thomas Cameron wrote:
Paul Howarth wrote:
The approach I use is to create my own CA certificate and key and then use that to sign the SSL certificates for all of my servers (e.g. SMTP, IMAP, Web). At the client side, it's only necessary then to import the CA certificate and everything just works.

Paul.

Paul -

How did you do that? I mean make the CA cert? The Dovecot and Sendmail (in my case) certs are well documented, but I would love to know how you generated your own CA certificate under FC.

The gist of it is:

1. Go to directory /etc/pki/tls/certs
2. Copy ../openssl.cnf to (say) mycompany.cnf and edit it to suit your needs, for instance:

$ diff ../openssl.cnf mycompany.cnf
37c37
< dir           = ../../CA              # Where everything is kept
---
 > dir           = mycompany-ca          # Where everything is kept
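Review bot: "dir = mycompany-ca" is a relative path, so "openssl ca" resolves it against the current working directory: the serial file, index.txt and newcerts created in step 3 are only found when the signing commands run from /etc/pki/tls/certs as step 1 says. An absolute path (/etc/pki/tls/certs/mycompany-ca) removes that dependency on where the command is typed.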
68c68
< default_days  = 365                   # how long to certify for
---
 > default_days  = 3650                  # how long to certify for
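Review bot: raising default_days to 3650 gives every server certificate later issued with "openssl ca -config mycompany.cnf" a ten-year lifetime (step 6 passes no -days to openssl ca), and the recipe sets up no CRL, so a compromised server key stays trusted by every client that imported the CA for the full decade. Ten years is defensible for the CA certificate itself, which step 4 sets explicitly with -days 3650; for per-server certificates a shorter default with periodic re-issue from the same CA limits that exposure.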
133c133
< stateOrProvinceName_default   = Berkshire
---
 > stateOrProvinceName_default   = My State
136c136
< localityName_default          = Newbury
---
 > localityName_default          = My Locality
139c139
< 0.organizationName_default    = My Company Ltd
---
 > 0.organizationName_default    = My Organisation

3. Create directory infrastructure for openssl to manage the certificates:

mkdir -p mycompany-ca/newcerts
echo 01 > mycompany-ca/serial
touch mycompany-ca/index.txt

4. Create the CA certificate and key:

# Answers to the "openssl req" prompts, in the order mycompany.cnf asks them;
# an empty line accepts the default set in the .cnf file
(
        echo ""                             # countryName
        echo ""                             # stateOrProvinceName
        echo ""                             # localityName
        echo ""                             # organizationName
        echo "CA"                           # organizationalUnitName
        echo "My Name"                      # commonName
        echo "myemail@xxxxxxxxxxx"          # emailAddress
) | openssl req -config mycompany.cnf -new -x509 \
        -passout pass:topsecretpassword \
        -text \
        -keyout mycompany-ca.key \
        -out mycompany-ca.crt \
        -days 3650
# -x509 makes the request self-signed (this is the CA certificate); -passout sets
# the passphrase that encrypts the CA private key, which stays on this machine
chmod 600 mycompany-ca.key

5. Make a hash link for your CA if necessary:

ln -s mycompany-ca.crt $(openssl x509 -noout -hash < mycompany-ca.crt).0

6. You can then make individual keys and certificates for each of your applications, all signed using your new CA. For instance, for a web server:

# Same prompts as for the CA, followed by the two extra request attributes;
# -nodes leaves the server key unencrypted so the daemon can read it unattended
(
        echo ""                             # countryName
        echo ""                             # stateOrProvinceName
        echo ""                             # localityName
        echo ""                             # organizationName
        echo "Web Server"                   # organizationalUnitName
        echo "www.example.com"              # commonName: the host name clients connect to
        echo "webmaster@xxxxxxxxxxx"        # emailAddress
        echo "topsecretpassword"            # challengePassword (a CSR attribute, not the CA key passphrase)
        echo "example.com"                  # unstructuredName ("optional company name")
) | openssl req -config mycompany.cnf -new -nodes \
        -text \
        -keyout mycompany-web.key \
        -out mycompany-web.key \
        -days 3650
# -keyout and -out name the same file, so mycompany-web.key holds both the key and
# the request; -days is only used with -x509, so the certificate's lifetime comes
# from default_days in mycompany.cnf when "openssl ca" signs the request below
openssl ca -config mycompany.cnf -batch \
        -policy policy_anything \
        -passin pass:topsecretpassword \
        -keyfile mycompany-ca.key \
        -cert mycompany-ca.crt \
        -out mycompany-web.crt \
        -infiles mycompany-web.key
chmod 600 mycompany-web.key


Obviously in all of the above change "mycompany", "example.com", "topsecretpassword", "My Name" etc. to values appropriate to you.

If you want to see what each of the response fields (the echo commands in parentheses in the commands above) are for, just run the openssl command directly without piping input into it and enter your responses to the prompts at the keyboard.

Paul.
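An added end-to-end example, written for this page and not Paul's code nor anything from OpenSSL or Fedora: the same recipe carried through in Go with only the standard library, so it runs without an openssl binary. It builds a CA:TRUE root as in step 4, has the server produce a key and CSR and has the CA sign it as CA:FALSE as in step 6, then performs the check a mail or web client makes once mycompany-ca.crt is imported. The subject names and www.example.com are the thread's placeholders; the serial numbers, P-256 keys and the one-year server certificate lifetime are assumptions of this example. The last two calls show the two reasons a client still raises the "self sign" warning after the server certificate is installed: the certificate names a different host, or its issuer is a CA the client never imported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA is step 4: a self-signed CA:TRUE root limited to cert/CRL signing, valid ten years (-days 3650).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key type is this example's assumption
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1), // stands in for "echo 01 > serial"
		Subject:               pkix.Name{Organization: []string{"My Organisation"}, OrganizationalUnit: []string{"CA"}, CommonName: "My Name"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// issueServerCert is step 6: the server makes a key and CSR, the CA checks the CSR signature
// (proof the requester holds the key) and issues a CA:FALSE cert for one year (an assumption).
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:  pkix.Name{OrganizationalUnit: []string{"Web Server"}, CommonName: host},
		DNSNames: []string{host}, // clients match the SAN, not the CN
	}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, nil, err
	}
	if err := csr.CheckSignature(); err != nil { // what "openssl ca" verifies before signing
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // stands in for the CA's serial file
		Subject:               csr.Subject,
		DNSNames:              csr.DNSNames,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		BasicConstraintsValid: true, // IsCA stays false: this cert cannot sign others
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return leaf, key, err
}

// verifyAsClient is what a mail or web client does after importing the CA certificate:
// chain the presented certificate to a trusted root and check the host name. nil = no warning.
func verifyAsClient(leaf, trusted *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	ca, caKey, err := newCA()
	if err != nil {
		panic(err)
	}
	leaf, _, err := issueServerCert(ca, caKey, "www.example.com", 2)
	if err != nil {
		panic(err)
	}
	other, _, _ := newCA() // a CA this client never imported
	fmt.Println("imported CA, right host:", verifyAsClient(leaf, ca, "www.example.com"))
	fmt.Println("imported CA, wrong host:", verifyAsClient(leaf, ca, "mail.example.com"))
	fmt.Println("unknown issuer:         ", verifyAsClient(leaf, other, "www.example.com"))
}
```

Only the CA certificate (mycompany-ca.crt in the recipe) is distributed to clients; mycompany-ca.key stays on the signing machine, which is why verifyAsClient takes a certificate and never a key. The first call prints <nil>, the other two print the hostname and unknown-authority errors a client would turn into its warning dialog.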


Thanks, Paul!  That is exactly what I was hoping for!

TC

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list