Courier SSL certificates

From Frotmail Projects


You'll need the following packages installed to do this:

   * openssl (also provides the CA.pl helper used below)
   * mod_ssl (only needed for its sign.sh helper script)

Optionally create a root CA certificate

First we create an RSA private key

openssl genrsa -des3 -out ca.key 2048

The output of the command looks roughly like this:

Generating RSA private key, 2048 bit long modulus
.....+++
.........................+++
e is 65537 (0x10001)
Enter PEM pass phrase: enter a password here
Verifying password - Enter PEM pass phrase: re-enter your password here

Now we create a self-signed CA certificate

openssl req -new -x509 -days 3652 -key ca.key -out ca.crt

Output:

Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: enter your password for the key here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:WebMasters, Inc.
Email Address []:certs@webmast.com 

This creates a self-signed CA certificate, ca.crt, valid for 10 years.
Keep ca.key private and passphrase-protected: anyone holding it can issue
certificates that every client trusting ca.crt will accept.
The file names (ca.key and ca.crt) matter if you use the sign.sh shell script that
comes with mod_ssl, which looks for these specific file names; CA.pl, used below,
instead expects its CA under ./demoCA.
That's it, you now have a root certificate ready to be used to sign other
certificates or to be installed in a browser or mail client!

Create a certificate request for POP3/IMAP

Ok, now that you've created a self-signed CA certificate, it's time to generate the certificate(s) for your POP3 and IMAP servers. How many you need depends on how many host names you use. If both services answer on the same host name (e.g. mail.example.com) a single certificate is enough; basically, you need one certificate per unique host name. The instructions are the same for each. The only difference is the Common Name, and possibly the Organizational Unit Name. The Common Name must be the host name clients connect to; note that current mail clients match that name against the subjectAltName extension rather than the Common Name, so where you can, put the host name there as well. Let's get started!

openssl genrsa -out pop3d.key 2048

This creates a 2048-bit RSA key with no passphrase, so the pop3d-ssl or imapd-ssl server can start without someone typing a password. The output is very similar to when you created the key for the CA, except you won't be prompted for a passphrase. Because this key sits unencrypted on disk, file permissions are its only protection (see the chmod step at the end).

Now that you have a key, let's generate a Certificate Signing Request (CSR)

openssl req -new -key pop3d.key -out pop3d.csr
Using configuration from /usr/lib/ssl/openssl.cnf
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Pennsylvania
Locality Name (eg, city) []:Horsham
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WebMasters, Inc.
Organizational Unit Name (eg, section) []:WMI pop-3 mail server
Common Name (eg, YOUR name) []:pop3.webmast.com
Email Address []:postmaster@webmast.com 

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []: 

Sign the request with the root certificate

CA.pl expects the request to be called newreq.pem, so first rename the request you just made:

cp pop3d.csr newreq.pem

Then sign your request:

/etc/ssl/misc/CA.pl -sign
mv newcert.pem pop3d.crt

Two things to watch here. CA.pl does not read the ca.key/ca.crt files created above: it signs with the CA under ./demoCA (cacert.pem and private/cakey.pem, as laid out by CA.pl -newca), so run it from the directory holding that CA or place your CA files there under those names. And use -sign (alias -signreq), not -signCA: -signCA issues the request as a CA certificate (the v3_ca extensions), which a mail server must never present, whereas -sign issues an ordinary end-entity certificate with CA:FALSE.

Finish the certificate

For courier to use the certificate we must produce a single PEM file. pop3d.crt as written by CA.pl still contains the human-readable dump of the certificate above the actual PEM block, and those lines must be removed. Make sure that in the end only this remains:

-----BEGIN CERTIFICATE-----
MIIDtzCCAp8CAQEwDQYJKoZIhvcNAQEEBQAwgY4xCzAJBgNVBAYTAlVTMRUwEwYD
VQQIEwxQZW5uc3lsdmFuaWExEDAOBgNVBAcTB0hvcnNoYW0xGTAXBgNVBAoTEFdl
.
.
.
BBL3CLqzb6ZMHSm+6eVr2RrsaePChPhb+/1PCgvJESqVEoR4RO5RHywiyg==
-----END CERTIFICATE-----

Now we concatenate the key and the certificate, key first, to produce the pop3d.pem courier expects:

cat pop3d.key pop3d.crt > pop3d.pem

Copy the file to the right location and make sure not everyone can read it (the path must match TLS_CERTFILE in your imapd-ssl and pop3d-ssl configuration):

cp pop3d.pem /usr/lib/courier-imap/share/
chmod 0600 /usr/lib/courier-imap/share/pop3d.pem
cp /usr/lib/courier-imap/share/pop3d.pem /usr/lib/courier-imap/share/imapd.pem

Reusing pop3d.pem as imapd.pem is only correct when IMAP is reached under the same host name you put in the certificate; for a different host name, repeat the request and signing steps for that name.
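The whole procedure above in one script, as an added example written for this page and not taken from it or from the courier project. It creates the CA and the server key, signs the request directly with the ca.key/ca.crt pair using openssl x509 -req (instead of CA.pl, so the CA files from the first step are actually the ones used), puts CA:FALSE and a subjectAltName on the server certificate, builds pop3d.pem and then checks the result before it goes anywhere near courier. The host name mail.example.com, the subject fields, the 365-day lifetime, the inline OpenSSL config and the scratch directory are assumptions; the CA key is created without a passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Added example, not code from the Frotmail page or from courier.
# Assumed values: host name, subject fields, lifetimes, scratch directory.
set -eu

# Create the CA, the server key/CSR and the signed cert in $1 for host $2,
# then assemble pop3d.pem (key first, then certificate).
make_courier_cert() {
    dir=$1
    host=$2
    mkdir -p "$dir"

    # Explicit configs so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
C = US
O = Example Mail
CN = Example Mail Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
O = Example Mail
CN = $host
[v3_server]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 1. Root CA. No -des3 so this runs unattended; a real CA key should be
    #    passphrase-protected and kept off the mail server.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3652 -key "$dir/ca.key" \
        -config "$dir/ca.cnf" -out "$dir/ca.crt"

    # 2. Server key without passphrase (pop3d-ssl must start unattended) and CSR.
    openssl genrsa -out "$dir/pop3d.key" 2048 2>/dev/null
    openssl req -new -key "$dir/pop3d.key" -config "$dir/server.cnf" \
        -out "$dir/pop3d.csr"

    # 3. Sign with the CA files from step 1. v3_server makes it an end-entity
    #    certificate with a SAN (CA.pl -signCA would have issued a CA cert).
    openssl x509 -req -in "$dir/pop3d.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.cnf" -extensions v3_server \
        -out "$dir/pop3d.crt" 2>/dev/null

    # 4. x509 -out writes only the PEM block, so nothing to strip by hand.
    cat "$dir/pop3d.key" "$dir/pop3d.crt" > "$dir/pop3d.pem"
    chmod 0600 "$dir/pop3d.pem"
}

# Checks on the finished pop3d.pem in $1 for host $2; non-zero on first failure.
check_courier_pem() {
    dir=$1
    host=$2
    pem=$dir/pop3d.pem

    # The certificate chains to our CA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/pop3d.crt" >/dev/null 2>&1 || return 1

    # The private key in the file belongs to the certificate in the same file.
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null)
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] || return 1

    # End-entity certificate that names the host clients connect to.
    text=$(openssl x509 -in "$pem" -noout -text)
    printf '%s\n' "$text" | grep -q 'CA:FALSE' || return 1
    printf '%s\n' "$text" | grep -q "DNS:$host" || return 1

    # Readable by the owner only.
    [ -n "$(find "$pem" -perm 0600)" ] || return 1
}

# Stand-alone run: sh script.sh [directory]
workdir=${1:-$(mktemp -d)}
make_courier_cert "$workdir" mail.example.com
check_courier_pem "$workdir" mail.example.com && echo "pop3d.pem in $workdir passes all checks"
```

The second function is worth running on any pop3d.pem before copying it into /usr/lib/courier-imap/share/: a key that does not match the certificate, a certificate that does not chain to your CA, or a missing host name only becomes visible when a client connects.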