Re: which commands do you use to SSL certify your own server?




On Fri, 15 Jun 2007, Marco Fioretti wrote:

> Hello,
>
> I am going to build an email server on Centos for a small, private group of users and I just want to encrypt all communications between that server and the (remote) email clients of those users (or their browsers, when they use webmail). Client certificates are not necessary, at least now.
>
> I understand that to do that I need to create my own SSL CA, create with it a self signed certificate and key pair and make sure that the private key is not encrypted, so the server restarts unattended in case of a reboot.

You don't need a CA to create a single self-signed certificate.

> Is this sequence of actions and commands correct and complete
> for my case, or not:
>
> 1) cd /usr/share/ssl
> 2) modify openssl.cnf to have your Common Name and other parameters
> 3) run:
>      ./CA -newca
>      ./CA -newreq-nodes
> 4) move the private key from the .pem file to a separate file
> 5) put the cert and key file in a location where Postfix,
> 6) Dovecot and Apache can all use them
> 7) configure each of those servers to use the certificate
>
> What have I missed?

1) Run

openssl req \
  -x509 -nodes -days 365 \
  -subj '/C=US/ST=Oregon/L=Portland/CN=www.madboa.com' \
  -newkey rsa:1024 -keyout mycert.pem -out mycert.pem

You'll for sure want to modify the -subj option in my example, and you might consider lengthening the -days as well so you don't have to rebuild the cert in one year.

Also, if you're doing this on a private server, you can keep the cert and the key in the same file. I'd just give it 0600 perms no matter where you put it.

Then continue with your step #5.

--
Paul Heinlein <> heinlein@xxxxxxxxxx <> www.madboa.com
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
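
The procedure in the reply above (one self-signed certificate with its unencrypted key in the same 0600 file), as an added example that is not part of the original message. It also audits the result before the file is handed to Postfix, Dovecot or Apache. The function names, the 2048-bit key size, the 30-day expiry margin and the sample host name in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: build and audit a combined key+certificate PEM file.
# Assumed (not from the post): function names, rsa:2048, 30-day margin.

# make_combined_cert FILE CN DAYS
# e.g. make_combined_cert mycert.pem mail.example.test 730
make_combined_cert() {
    (
        umask 077   # the key is never readable by others, even briefly
        openssl req -x509 -nodes -days "$3" \
            -subj "/CN=$2" \
            -newkey rsa:2048 -keyout "$1" -out "$1" 2>/dev/null &&
        chmod 600 "$1"   # also covers a pre-existing file with looser perms
    )
}

# check_combined_cert FILE
# Returns 0 when the file is safe to deploy, otherwise a distinct code:
#   1 wrong mode, 2 key missing or passphrase-protected,
#   3 no certificate, 4 key/cert mismatch, 5 expires within 30 days
check_combined_cert() {
    f=$1
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    [ "$mode" = 600 ] || { echo "$f: mode ${mode:-?}, want 600" >&2; return 1; }

    # An empty -passin makes openssl fail instead of prompting when the key
    # is encrypted, which is what would block an unattended restart.
    key_pub=$(openssl pkey -in "$f" -passin pass: -pubout 2>/dev/null) ||
        { echo "$f: no usable unencrypted private key" >&2; return 2; }

    crt_pub=$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null) ||
        { echo "$f: no certificate found" >&2; return 3; }

    # The certificate must carry the public half of the key in the file.
    [ "$key_pub" = "$crt_pub" ] ||
        { echo "$f: certificate does not match private key" >&2; return 4; }

    openssl x509 -in "$f" -noout -checkend $((30 * 86400)) >/dev/null ||
        { echo "$f: certificate expires within 30 days" >&2; return 5; }
}

# Audit a file given on the command line: sh thisfile.sh /path/to/mycert.pem
if [ "$#" -eq 1 ]; then check_combined_cert "$1"; fi
```

Running the check from cron against the deployed file gives warning before the -days lifetime runs out.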
