Openssl: Difference between revisions

From DWIKI
Line 5: Line 5:
==Documentation and HOWTOs==
==Documentation and HOWTOs==
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work]
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO]
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO]
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]

Revision as of 13:29, 4 March 2013

Links

Documentation and HOWTOs

Dovecot en ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
#optional, only if you want to require client to provide cert
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl


Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

First in chain is the root certificate AddTrustExternalCARoot.crt. (optional)

The next ones are the intermediates: NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt.

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!

Tips&Tricks

Examining certificates

openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

Checking a service

openssl s_client -connect -CApath=/etc/ssl/certs host:pop3 -starttls pop3
openssl s_client -port 443  -host webmail.tomaatnet.nl -prexit

Check your site

https://www.ssllabs.com/ssltest

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)