Certificate
From QMail-Toaster
Security Certificate
To configure an SSL certificate for TLS and/or SSL over SMTP (using registerfly.com):
1) Create a private key, encrypted with triple DES (recommended; the passphrase is removed again in step 2). Use at least 2048 bits, since public CAs no longer sign requests for 1024-bit keys:
# openssl genrsa -des3 -out servercert.key.enc 2048
2) Remove the pass phrase from the private key so the daemons can read it without prompting. The result is an unencrypted key on disk, which is why the ownership and mode set in step 5 matter:
# openssl rsa -in servercert.key.enc -out servercert.key
3) Generate a Certificate Signing Request (CSR). The Common Name you enter must be the FQDN your mail clients will connect to:
# openssl req -new -key servercert.key -out servercert.csr
4) Go to RapidSSL and submit servercert.csr for a trusted certificate ($9.99). You will receive a servercert.crt and a servercert.ca-bundle. Then do the following.
5) Create the standard .pem in /var/qmail/control/servercert.pem. Order matters: the key first, then the server certificate, then the CA bundle (the intermediate certificates clients need to build the chain):
# cat servercert.key servercert.crt servercert.ca-bundle > /var/qmail/control/servercert.pem
- NOTE - if you are using another SSL provider and they only give you a CRT, simply leave servercert.ca-bundle out of the cat. The command is then:
# cat servercert.key servercert.crt > /var/qmail/control/servercert.pem
Since the file now holds an unencrypted private key, restrict who can read it:
# chown root:vchkpw /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem
Keep in mind that, to avoid verification errors in the email client (Outlook, Thunderbird, etc.), you must enter the same FQDN for both your POP/IMAP server and your SMTP server, and that name must match the one on your purchased certificate.
That's all there is to it. There is no need to restart qmail.
You can also use this signed certificate for Apache by putting servercert.key in /etc/httpd/conf/ssl.key/server.key,
servercert.crt in /etc/httpd/conf/ssl.crt/server.crt and servercert.ca-bundle in /etc/httpd/conf/ssl.crt/servercert.ca-bundle.
Because the RegisterFly cert is chained, you will have to put:
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/servercert.ca-bundle
in your /etc/httpd/conf.d/ssl.conf configuration. Then you'll need to restart apache.
See Building a Secure Redhat Apache Server HOWTO for guidance with securing your Apache Server.
Self-signed SSL cert gleaned from the archives
Quick-n-dirty how-to for SSL certs
# cd /usr/share/ssl/certs
# make stunnel.pem
# mv stunnel.pem /var/qmail/control/servercert.pem
Then run these commands to finish:
# cd /var/qmail/control
# chown root:qmail /var/qmail/control/servercert.pem
# chmod 644 /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
Note that 644 leaves the unencrypted private key inside servercert.pem readable by every local account; the 640 mode with a group the daemons run under, as in the first section, is the tighter setting.
And that should take care of it for you...good till next year.
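The following script is an added example, not part of the QMail-Toaster page. It runs the key -> CSR -> certificate -> servercert.pem procedure from the first section end to end and then checks the result: that the private key in the .pem actually matches the first certificate in it, that the certificate carries the expected Common Name, and that the file mode is 640. The CA step (step 4) is stood in for by self-signing the CSR with the same key, which is also what the quick-n-dirty stunnel.pem recipe above amounts to. Assumptions: openssl is on PATH, the hostname mail.example.com is made up, and a scratch directory (WORK) stands in for /var/qmail/control so the script runs as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the QMail-Toaster page): build and check a
# servercert.pem the way the page describes.
# Assumptions: openssl on PATH; WORK stands in for /var/qmail/control;
# mail.example.com is a made-up hostname.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CN="${CN:-mail.example.com}"   # must match what the mail clients are told to connect to

# Steps 1 and 2 collapsed: generate the key unencrypted straight away, since
# step 2 strips the -des3 passphrase anyway. 2048 bits: public CAs reject 1024.
make_key_and_csr() {
    openssl genrsa -out "$WORK/servercert.key" 2048 2>/dev/null
    openssl req -new -batch -key "$WORK/servercert.key" \
        -subj "/CN=$1" -out "$WORK/servercert.csr" 2>/dev/null
}

# Stand-in for step 4: a real CA returns servercert.crt plus a CA bundle;
# here the CSR is self-signed with its own key, as in the stunnel.pem recipe.
self_sign_csr() {
    openssl x509 -req -in "$WORK/servercert.csr" -signkey "$WORK/servercert.key" \
        -days 365 -out "$WORK/servercert.crt" 2>/dev/null
}

# Step 5: key, then the server certificate, then the CA bundle if the
# provider supplied one. Lock the file down: the key inside has no passphrase.
assemble_pem() {
    out="$1"
    cat "$WORK/servercert.key" "$WORK/servercert.crt" > "$out"
    if [ -s "$WORK/servercert.ca-bundle" ]; then
        cat "$WORK/servercert.ca-bundle" >> "$out"
    fi
    chmod 640 "$out"
}

# Check a finished pem: the private key must match the first certificate
# (same RSA modulus) and that certificate must carry the expected CN.
# Returns 0 on success, 1 for a key/cert mismatch, 2 for a wrong CN.
check_pem() {
    pem="$1"; want_cn="$2"
    keymod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null || true)
    crtmod=$(openssl x509 -in "$pem" -noout -modulus 2>/dev/null || true)
    [ -n "$keymod" ] && [ "$keymod" = "$crtmod" ] || return 1
    openssl x509 -in "$pem" -noout -subject 2>/dev/null \
        | grep -q "CN *= *$want_cn" || return 2
    return 0
}

# Permission string of the pem as ls shows it, e.g. "-rw-r-----".
pem_mode() {
    ls -l "$1" | cut -c1-10
}

make_key_and_csr "$CN"
self_sign_csr
assemble_pem "$WORK/servercert.pem"
check_pem "$WORK/servercert.pem" "$CN"
echo "built $WORK/servercert.pem ($(pem_mode "$WORK/servercert.pem"))"
openssl x509 -in "$WORK/servercert.pem" -noout -subject -dates
```

The modulus comparison is the check worth keeping around: concatenating the wrong key with a freshly issued certificate is the classic way to end up with a .pem that qmail-toaster silently fails to serve, and check_pem catches it before the file is copied into /var/qmail/control.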
- Jake - As a side note, I've used RegFly (RapidSSL) a couple times for SSL certs, and there is always an issue that requires helpdesk intervention (~24 hours). I have never had one work in the 5 minutes they advertise. Just be aware. I have been using FreeSSL during the wait periods. They offer a free 30-day certificate signed by a major CA that can be used until you get the other certificate straightened out, and they really do give you a cert in 5 minutes after the phone call verification.