Links

• openssl homepage
• http://gagravarr.org/writing/openssl-certs/index.shtml

Documentation and HOWTOs

• OpenSSL Certificate Authority Setup
• ssl cert HOWTO
• OpenSSL Command-Line HOWTO
• 1. Way: SubjectAltName Only

Courier-imap and ssl

• http://linsec.ca/Using_Courier-IMAP_and_SSL
• http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

First in chain is the root certificate AddTrustExternalCARoot.crt. (optional)

The next ones are the intermediates: NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt.

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!

Tips&Tricks

Examining certificates

• http://www.madboa.com/geek/openssl/#verify-standard

openssl verify cert.pem

openssl x509 -in cacert.pem -noout -text

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)