Self-signed Certificates Nano-HOWTO
If you want to use secure connections in the servers you run (and you WANT it), you need a certificate and a key. This document tells briefly how you can create a self-signed certificate to use TLS in your smtp, imap and https connections.
Take note that the 'authentication' part of the certificate serves no purpose in a self-signed certificate, because it's signed by you and not by a recognized certification authority; some programs (specially Firefox) will complain when connecting to your services because they cannot be sure that you really are who you are claiming to be. If that is a problem to you, then this is not the document you are looking for.
Creating the certificate and the key
To create it you need:
- The two letter name of your country (C).
- The name of your state (ST).
- The name of your city (L).
- The name of the host computer (CN).
The important part of it is the CN (the host name). You MUST create a certificate with exactly the same host name people will use when connecting to your service. If you use different host names for your services (smtp.example.com, imap.example.com, etc) you need to create different certificate/key pairs for them.
The magical one-liner:
openssl req -x509 -nodes -days 3650 \ -subj '/C=ES/ST=Madrid/L=Madrid/CN=example.com' \ -newkey rsa:1024 -keyout key.pem -out cert.pem
Both parameters to
-out can be the same file; many programs accept the key and the certificate in the same file.
Store your certificates and keys in
/etc/CA and set the permissions to the minimum possible (probably just 600 and owned by root).
Add the following two lines to
ssl_cert_file = /etc/CA/cert.pem ssl_key_file = /etc/CA/key.pem
Add the following in any of your Apache configuration files:
SSLEngine on SSLCertificateFile /etc/CA/cert.pem SSLCertificateKeyFile /etc/CA/key.pem
Of course, you need mod-ssl. If you use virtual hosts, only the first one will work with SSL (this is because the SSL decryption is done before any HTTP header starting with
Host: can be parsed).
Add the following to
Courier wants both the certificate and the key in the same file. You can happily concatenate both files into one.
Exim4 needs the certificate and the key in separate files. Add the following to
MAIN_TLS_ENABLE = true MAIN_TLS_CERTIFICATE = /etc/CA/cert.pem MAIN_TLS_PRIVATEKEY = /etc/CA/key.pem