11. SSL CERTIFICATES
So-called SSL/TLS certificates are cryptographic public key certificates; each consists of a public part (the certificate) and a private key. The certificates are used to authenticate the endpoints and to encrypt the data. They are used, for example, on a web server (https) or a mail server (imaps).
• We need a certificate authority to sign our certificate. This step is usually provided by a vendor like Thawte, Verisign, etc.; however, we can also create our own.
• Create a certificate signing request. This request is like an unsigned certificate (the public part) and already contains all necessary information. The certificate request is normally sent to the authority vendor for signing. This step also creates the private key on the local machine.
• Sign the certificate with the certificate authority.
• If necessary, join the certificate and the key in a single file to be used by the application (web server, mail server, etc.).
We use /usr/local/certs as the directory for this example; check or edit /etc/ssl/openssl.cnf according to your settings so you know where the files will be created. Here is the relevant part of openssl.cnf:
[ CA_default ]
dir = /usr/local/certs/CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
Make sure the directories exist or create them:
# mkdir -p /usr/local/certs/CA
# cd /usr/local/certs/CA
# mkdir certs crl newcerts private
# echo "01" > serial # Only if serial does not exist
# touch index.txt
If you do not have a certificate authority from a vendor, you'll have to create your own. This step is not necessary if you intend to use a vendor to sign the request. To make a certificate authority (CA):
# openssl req -new -x509 -days 730 -config /etc/ssl/openssl.cnf \
-keyout CA/private/cakey.pem -out CA/cacert.pem
To make a new certificate (for a mail server or web server, for example), first create a certificate request together with its private key. If your application does not support an encrypted private key (for example, UW-IMAP does not), then disable encryption with -nodes.
# openssl req -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf
# openssl req -nodes -new -keyout newkey.pem -out newreq.pem \
-config /etc/ssl/openssl.cnf # No encryption for the key
The certificate request has to be signed by the CA to be valid; this step is usually done by the vendor. Note: replace "servername" with the name of your server in the next commands.
# cat newreq.pem newkey.pem > new.pem
# openssl ca -policy policy_anything -out servernamecert.pem \
-config /etc/ssl/openssl.cnf -infiles new.pem
# mv newkey.pem servernamekey.pem
Now servernamekey.pem is the private key and servernamecert.pem is the server certificate.
The IMAP server wants to have both the private key and the server certificate in the same file. In general this is also easier to handle, but the file has to be kept secure! Apache can also handle it well. Create a file servername.pem containing both the certificate and the key.
• Open the private key (servernamekey.pem) with a text editor and copy the private key into the "servername.pem" file.
• Do the same with the server certificate (servernamecert.pem).
The final servername.pem file should look like this:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDutWy+o/XZ/[...]qK5LqQgT3c9dU6fcR+WuSs6aejdEDDqBRQ
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIERzCCA7CgAwIBAgIBBDANB[...]iG9w0BAQQFADCBxTELMAkGA1UEBhMCREUx
-----END CERTIFICATE-----
What we have now in the directory /usr/local/certs/:
CA/private/cakey.pem (CA server private key)
CA/cacert.pem (CA server public key)
certs/servernamekey.pem (server private key)
certs/servernamecert.pem (server signed certificate)
certs/servername.pem (server certificate with private key)
Keep the private key secure!
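Before handing these files to the server it is worth checking that they actually belong together and are stored safely. The script below is an added example, not part of the Unix Toolbox text: check_cert_bundle verifies that the server certificate chains to the CA, that the private key matches the certificate, and that the combined file is owner-readable only; make_demo_bundle builds a throwaway CA and signed certificate (demo subjects, unencrypted keys, signed with "openssl x509 -req" instead of "openssl ca" so no openssl.cnf database is needed) purely so the check can be run stand-alone.

```shell
#!/bin/sh
# check_cert_bundle CA_CERT SERVER_CERT SERVER_KEY COMBINED
# Returns 0 when the three pieces belong together and are stored safely:
#   1. the server certificate chains to our CA (openssl verify),
#   2. the private key matches the certificate (identical public key),
#   3. the combined key+cert file is readable by its owner only.
# The key is read unencrypted; an encrypted key will prompt for its passphrase.
check_cert_bundle() {
    ca=$1; crt=$2; key=$3; bundle=$4
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "$crt does not chain to $ca"; return 1; }
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "$key does not match $crt"; return 2; }
    mode=$(stat -c %a "$bundle" 2>/dev/null || stat -f %Lp "$bundle")
    case $mode in
        600|400) return 0 ;;
        *) echo "$bundle is mode $mode, expected 600"; return 3 ;;
    esac
}

# make_demo_bundle DIR: demo helper (not from the text) that builds a throwaway
# CA and a signed server certificate in DIR, using the file names of the text,
# unencrypted keys and constructed subjects. Signing uses "openssl x509 -req"
# instead of "openssl ca" so that no openssl.cnf CA database is needed here.
make_demo_bundle() {
    d=$1
    mkdir -p "$d/CA/private" "$d/certs" && chmod 700 "$d/CA/private"
    openssl req -new -x509 -days 730 -nodes -newkey rsa:2048 -subj "/CN=Demo CA" \
        -keyout "$d/CA/private/cakey.pem" -out "$d/CA/cacert.pem" 2>/dev/null
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=servername" \
        -keyout "$d/certs/servernamekey.pem" -out "$d/newreq.pem" 2>/dev/null
    openssl x509 -req -days 365 -in "$d/newreq.pem" -CA "$d/CA/cacert.pem" \
        -CAkey "$d/CA/private/cakey.pem" -CAcreateserial \
        -out "$d/certs/servernamecert.pem" 2>/dev/null
    # join key and certificate as the text does; umask in a subshell keeps it 0600
    (umask 077; cat "$d/certs/servernamekey.pem" "$d/certs/servernamecert.pem" \
        > "$d/certs/servername.pem")
}

# Usage: sh check_bundle.sh /usr/local/certs   (checks the files listed above)
if [ $# -eq 1 ]; then
    check_cert_bundle "$1/CA/cacert.pem" "$1/certs/servernamecert.pem" \
        "$1/certs/servernamekey.pem" "$1/certs/servername.pem"
fi
```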