Openssl: Difference between revisions
| Line 5: | Line 5: | ||
==Documentation and HOWTOs== | ==Documentation and HOWTOs== | ||
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup] | *[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup] | ||
*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL] | |||
*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work] | *[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work] | ||
*http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html | *http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html | ||
Revision as of 13:55, 26 May 2014
Links
Documentation and HOWTOs
- OpenSSL Certificate Authority Setup
- Validating a Certificate Path with OpenSSL
- How SSL and TLS work
- http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html
- ssl cert HOWTO
- OpenSSL Command-Line HOWTO
- 1. Way: SubjectAltName Only
- OpenSSL Command-Line HOWTO
- How to Create a .PEM file for SSL Certificate Installation
- http://www.tc.umn.edu/~brams006/selfsign.html
Dovecot en ssl
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)
cat NetworkSolutions_CA.crt UTNAddTrustServer_CA.crt AddTrustExternalCARoot.crt > intermediate.pem
In dovecot.conf:
ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt ssl_key_file = /usr/local/etc/myserver.key #optional, only if you want to require client to provide cert #ssl_ca_file = /usr/local/etc/intermediate.pem
Courier-imap and ssl
- http://linsec.ca/Using_Courier-IMAP_and_SSL
- http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/
Networksolutions certs:
After creating myserver.key and myserver.csr and obtaining certs:
(don't forget to insert newlines between the blocks!)
cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem cat myserver.key >> IMAP.EXAMPLE.COM.crt
In imapd-ssl:
TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem
Network Solutions certificates
See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/
First in chain is the root certificate AddTrustExternalCARoot.crt. (optional)
The next ones are the intermediates: NetworkSolutions_CA.crt and UTNAddTrustServer_CA.crt.
Generate a signing request
openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr
The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
Tips&Tricks
Examining certificates
openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text
openssl rsa -noout -text -in server.key openssl req -noout -text -in server.csr openssl rsa -noout -text -in ca.key openssl x509 -noout -text -in ca.crt
Checking a service
- Note -CApath should point to your local collection of public CA certs
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3 openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.tomaatnet.nl -prexit
Check your site
https://www.ssllabs.com/ssltest
Creating your own CA and signing with it
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)
cd /etc/ssl mkdir newcerts (perform secret rituals)
