I think it is important to use SSL certificates to protect communications over the commodity Internet, but I don’t need to spend the money for an SSL certificate when it is strictly for my personal use. So, I use self-signed certificates for SMTP, IMAP, POP and Web sites that are just for me. It gives me an encrypted connection between my server and my laptop (especially handy when I am travelling). Here is how I do it.
There are basically two types of self-signed certificates: those that are signed by a local certificate authority and those that aren’t. To determine which is needed depends on the requirements of the specific application. In this blog, I will cover both types of certificates and list with which applications I use each type. By the way, if you need a reminder about the typography used in this post, look here.
Creating a Self-Signed Certificate with a Certificate Authority
Essentially, this requires creating two self-signed certificates: one for the Certificate Authority and one for the server certificate.
- Create a local certificate authority (CA) on the server. I typically do this in the /etc/mail. As the root user, type
cd /etc/mail; mkdir CA; cd CA, chmod 700 .to create the CA root directory and protect it. - Type
mkdir certs crl newcerts private; echo "01" > serial; touch index.txtto create the required directories and files for the local CA. - Finish up by typing
ln -s ../CA demoCAto insure the CA points to this working directory. - Now, it’s time to create the CA certificate and key. I set it to be valid for the next 3650 days instead of the default 365. Type
openssl req -nodes -new -days 3650 -x509 -keyout private/cakey.pem -out cacert.pemand here is a sample session that shows the dialogue produced by this command if run on a host called shemp.academ.com:Generating a 1024 bit RSA private key .........++++++ ...............................++++++ writing new private key to 'private/cakey.pem' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Texas Locality Name (eg, city) []:Houston Organization Name (eg, company) [Internet Widgits Pty Ltd]:Academ Organizational Unit Name (eg, section) []:SSL Certs Common Name (eg, YOUR name) []:shemp.academ.com Email Address []:postmaster@shemp.academ.com
- Type
openssl req -nodes -new -x509 -keyout server.key -out server.ucrtto produce the SSL certificate. Here is a sample session that shows the dialogue produced by this command if run on a host called shemp.academ.comGenerating a 1024 bit RSA private key ...++++++ ................++++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:Texas Locality Name (eg, city) []:Houston Organization Name (eg, company) [Internet Widgits Pty Ltd]:Academ Organizational Unit Name (eg, section) []:SSL Certs Common Name (eg, YOUR name) []:shemp.academ.com Email Address []:postmaster@shemp.academ.com
- A certificate request must now be created. Type
openssl x509 -x509toreq -in server.ucrt -signkey server.key -out server.csrto create the certificate request. Here is a sample session that shows the dialogue produced by this command if run on a host called shemp.academ.com:Getting request Private Key Generating certificate request
- Finally, sign this request with the CA certificate. Again, I set it to be valid for the next 3650 days instead of the default 365 days. Type
openssl ca -policy policy_anything -days 3650 -out server.crt -infiles server.csrto generate the final signed certificate. Once again, the sample session on shemp.academ.com:Using configuration from /etc/ssl/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Mar 6 22:46:03 2010 GMT Not After : Mar 3 22:46:03 2019 GMT Subject: countryName = US stateOrProvinceName = Texas localityName = Houston organizationName = Academ organizationalUnitName = SSL Certs commonName = shemp.academ.com emailAddress = postmaster@shemp.academ.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 3C:37:11:AE:1F:60:44:F7:4D:08:90:BC:32:20:56:22:41:4E:C1:AF X509v3 Authority Key Identifier: keyid:64:FD:A2:0D:2C:87:06:17:DA:2E:BB:07:CE:D0:85:D2:BB:31:FD:18 Certificate is to be certified until Mar 3 22:46:03 2019 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated
For software (like sendmail) where this type of certificate is required, the CA certificate (cacert.pem), server certificate (server.crt), and server key (server.key) are required. As long as the hostname in these certificates matches what the software expects the hostname to be, these same certificates can be used with apache and cyrus-imapd.
Creating a Self-Signed Certificate without a Certificate Authority
- Make a fresh directory in your home directory to use as a work space for this work and
cdinto it. - Next, protect that directory from access by others by typing
chmod 700 .and only you (and root) will be able to get into the directory. - To generate the key, type
openssl genrsa -des3 -out server.key 1024. openssl prompts for a password. I use something easy to remember since I only need it for a short period of time. - The next step is to create the self-signed certificate. Type
openssl req -new -x509 -nodes -sha256 -days 3650 -key server.key -out server.crt. openssl prompts for several items of information. The County Name is the two letter
Here is an example of making a self-signed certificate for the server namedshemp.academ.com:Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:TX Locality Name (eg, city) []:Houston Organization Name (eg, company) [Internet Widgits Pty Ltd]:Academ Organizational Unit Name (eg, section) []:SSL Certificates Common Name (eg, YOUR name) []:shemp.academ.com Email Address []:postmaster@academ.com
- You probably don’t want to type the password for the key every time you start up the service using the SSL certificate, so remove the password from the key.
- First, make a copy of the key. Type
cp server.key server.key.orig. - Remove the password from the key. Type
openssl rsa -in server.key.orig -out server.key
- First, make a copy of the key. Type
Use this key (server.key) and certificate (server.crt) for apache and cyrus-imapd on those systems where a SSL/TLS-enabled sendmail is not running.
Learning More
There are a number of good resources to read about SSL. Check http://www.openssl.org for the current status of the openssl software. You can read more in the book Network Security with OpenSSL
