Courier SSL certificates
You'll need the following packages installed to do this:
* openssl
* mod_ssl
mod_ssl is only needed for its sign.sh helper script; the signing step below uses CA.pl, which ships with openssl itself.
Optionally create a root certificate
First we create an RSA private key:
openssl genrsa -des3 -out ca.key 2048
The output of the command looks roughly like this:
Generating RSA private key, 2048 bit long modulus
.....+++
.........................+++
e is 65537 (0x10001)
Enter PEM pass phrase: enter a password here
Verifying password - Enter PEM pass phrase: re-enter your password here
Now we create a self-signed CA certificate:
openssl req -new -x509 -days 3652 -key ca.key -out ca.crt
Output:
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: enter your password for the key here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:WebMasters, Inc.
Email Address []:certs@webmast.com
This creates a self-signed certificate called ca.crt that is valid for 10 years (3652 days). Keep ca.key encrypted and off the mail servers: anyone who holds it can issue certificates that your clients will trust. The file names ca.key and ca.crt matter if you sign with the sign.sh script that comes with mod_ssl, which looks for exactly these names; CA.pl, used below, instead keeps its CA under a demoCA/ directory. That's it, you now have a root certificate ready to sign other certificates or to be installed in a browser or mail client.
Maak een certificaat request voor POP3/IMAP
Ok, now that you have a self-signed CA certificate, it's time to generate the certificate(s) for your POP3 and IMAP servers. How many you need depends on how many host names you use: if both services answer to the same host name (e.g. mail.example.com) a single certificate is enough; in general you need one certificate per unique host name. The instructions are the same for each; the only difference is the Common Name, which must be the host name clients connect to, and possibly the Organizational Unit Name. Let's get started!
openssl genrsa -out pop3d.key 2048
This creates a 2048-bit RSA key without a passphrase, so pop3d-ssl and imapd-ssl can start without anyone typing a password. The output is very similar to the CA key's, except that you are not prompted for a password. Because this key is stored in the clear, file permissions are its only protection, so set them as described in the last step.
Now that you have a key, let's generate a Certificate Signing Request (CSR)
openssl req -new -key pop3d.key -out pop3d.csr
Using configuration from /usr/lib/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:WMI pop-3 mail server
Common Name (eg, YOUR name) []:pop3.webmast.com
Email Address []:postmaster@webmast.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the requests with the root certificate
CA.pl expects the request under the name newreq.pem, so copy the request you just made to that name:
cp pop3d.csr newreq.pem
Sign your request. Use -sign (alias -signreq), not -signCA: -signCA applies the v3_ca extensions and would turn the server certificate into a CA certificate. Note also that CA.pl keeps its CA under ./demoCA (set up with CA.pl -newca), not under the ca.key and ca.crt names above, so run it from the directory that holds demoCA:
/etc/ssl/misc/CA.pl -sign
mv newcert.pem pop3d.crt
Finish the certificate
To let Courier use the certificate we have to generate a pem file. pop3d.crt still contains some superfluous lines (the 'human readable' text dump that openssl ca writes in front of the certificate), and these must be removed. Make sure you end up with only this:
-----BEGIN CERTIFICATE-----
MIIDtzCCAp8CAQEwDQYJKoZIhvcNAQEEBQAwgY4xCzAJBgNVBAYTAlVTMRUwEwYD
VQQIEwxQZW5uc3lsdmFuaWExEDAOBgNVBAcTB0hvcnNoYW0xGTAXBgNVBAoTEFdl
.
.
.
BBL3CLqzb6ZMHSm+6eVr2RrsaePChPhb+/1PCgvJESqVEoR4RO5RHywiyg==
-----END CERTIFICATE-----
Ok, now we concatenate the key and the certificate to produce the proper pop3d.pem:
cat pop3d.key pop3d.crt > pop3d.pem
Copy the file to the right location and make sure that not everyone can read it: the pem file contains the unencrypted private key, so it must be owned by root with mode 0600. The path must match TLS_CERTFILE in your pop3d-ssl and imapd-ssl configuration. The same file is reused for imapd here, which is fine as long as both services are reached under the host name in the certificate's Common Name.
cp pop3d.pem /usr/lib/courier-imap/share/
chmod 0600 /usr/lib/courier-imap/share/pop3d.pem
cp /usr/lib/courier-imap/share/pop3d.pem /usr/lib/courier-imap/share/imapd.pem
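The whole procedure above (CA, server key, CSR, signing, combined pem, install), as an added example that is not from the original page and does not use CA.pl: it signs with openssl x509 -req and an explicit extension section, so the server certificate gets CA:FALSE, serverAuth and a subjectAltName (which is what current mail clients match, not the Common Name), and it feeds the CA key passphrase through the environment so the script runs unattended. The DN values, the host names pop3.webmast.com and imap.webmast.com, the CA_PASS default, the scratch directory and the install destination argument are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: the whole Courier procedure,
# non-interactive, with plain openssl commands instead of CA.pl. Host names,
# DN values, the CA_PASS default and the output directory are assumptions.
set -eu

# CA key passphrase, handed to openssl via env: so it never appears in `ps`.
: "${CA_PASS:=change-me-ca-passphrase}"
export CA_PASS

# Minimal openssl config: one extension section for the CA, one for servers.
# The SAN entries are what current mail clients match against, not the CN.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = US
O = WebMasters, Inc.
CN = WebMasters CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:pop3.webmast.com, DNS:imap.webmast.com
EOF
}

# Root CA: passphrase-protected key (the page uses -des3; AES-256 here) and a
# self-signed certificate valid 3652 days, with explicit CA extensions.
make_ca() {
    dir=$1
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3652 -key "$dir/ca.key" -passin env:CA_PASS \
        -config "$dir/openssl.cnf" -extensions ca_ext -out "$dir/ca.crt"
    chmod 0600 "$dir/ca.key"
}

# Server key without passphrase (the daemon must start unattended), CSR, and a
# one-year end-entity certificate signed by the CA; then the combined PEM.
make_server_cert() {
    dir=$1; name=$2; host=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 0600 "$dir/$name.key"
    openssl req -new -key "$dir/$name.key" -config "$dir/openssl.cnf" \
        -subj "/C=US/O=WebMasters, Inc./CN=$host" -out "$dir/$name.csr"
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/openssl.cnf" -extensions server_ext -out "$dir/$name.crt" 2>/dev/null
    # x509 -req emits only the PEM block, so nothing needs stripping before concatenating.
    cat "$dir/$name.key" "$dir/$name.crt" > "$dir/$name.pem"
    chmod 0600 "$dir/$name.pem"
}

# Returns 0 only if the cert chains to the CA, is NOT itself a CA, carries the
# expected SAN, and the combined PEM holds exactly one key and one certificate.
check_cert() {
    dir=$1; name=$2; host=$3
    openssl verify -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null &&
    openssl x509 -in "$dir/$name.crt" -noout -text | grep -q 'CA:FALSE' &&
    openssl x509 -in "$dir/$name.crt" -noout -text | grep -q "DNS:$host" &&
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$dir/$name.pem")" -eq 1 ] &&
    [ "$(grep -c 'BEGIN CERTIFICATE' "$dir/$name.pem")" -eq 1 ]
}

# Install step from the page: the same PEM for pop3d and imapd, mode 0600.
# The destination must match TLS_CERTFILE in pop3d-ssl and imapd-ssl.
install_courier_pem() {
    dir=$1; dest=$2
    install -m 0600 "$dir/pop3d.pem" "$dest/pop3d.pem"
    install -m 0600 "$dir/pop3d.pem" "$dest/imapd.pem"
}

# Stand-alone run: build everything in a scratch directory and report.
main() {
    work=$(mktemp -d)
    write_config "$work/openssl.cnf"
    make_ca "$work"
    make_server_cert "$work" pop3d pop3.webmast.com
    check_cert "$work" pop3d pop3.webmast.com
    echo "CA and pop3d certificate written to $work (install_courier_pem copies them)"
}
main
```

Run it as root with CA_PASS set in the environment, then call install_courier_pem with the directory it printed and the Courier share directory. The check_cert function is the test to keep around: a certificate that fails the CA:FALSE check was signed with CA extensions (what CA.pl -signCA produces), and one without the DNS: entry for the host will be rejected by clients even though openssl verify says OK.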