Certificate
From QMail-Toaster
Security Certificate
To configure an SSL certificate for TLS and/or SSL over SMTP (using registerfly.com):
1) Create a private key. The -des3 option protects the key file with a triple-DES pass phrase while it sits on disk (recommended). Use at least 2048 bits: the original recipe used 1024, which public CAs no longer sign.
# openssl genrsa -des3 -out servercert.key.enc 2048
2) Remove the pass phrase from the private key. qmail-smtpd reads servercert.pem unattended on every connection and cannot prompt for a pass phrase, which is also why the file permissions in step 5 matter:
# openssl rsa -in servercert.key.enc -out servercert.key
3) Generate the certificate signing request. When asked for the Common Name, enter the FQDN that mail clients will connect to (mail.yourdomain.com, for example); the certificate is only valid for that name:
# openssl req -new -key servercert.key -out servercert.csr
4) Go to RapidSSL and submit servercert.csr for a trusted certificate ($9.99). You will receive a servercert.crt and a servercert.ca-bundle. Then do the following.
5) Create the standard .pem in /var/qmail/control/servercert.pem, in this order: private key, your certificate, then the CA chain:
# cat servercert.key servercert.crt servercert.ca-bundle > /var/qmail/control/servercert.pem
- NOTE - if you are using another SSL provider and they only give you a CRT, simply leave servercert.ca-bundle out of the cat. The command is then:
# cat servercert.key servercert.crt > /var/qmail/control/servercert.pem
Lock the file down: it contains the unencrypted private key, and only root and the vchkpw group (the group qmail-smtpd runs under on the toaster) need to read it:
# chown root:vchkpw /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem
Keep in mind that to avoid verification errors in the email client (Outlook, Thunderbird, etc.), the server name you enter for the POP/IMAP server and for the SMTP server must be the same FQDN your purchased certificate was issued for.
That's all there is to it. qmail-smtpd reads servercert.pem afresh for each connection, so there is no need to restart qmail.
You can also use this signed certificate for Apache by putting servercert.key in /etc/httpd/conf/ssl.key/server.key, servercert.crt in /etc/httpd/conf/ssl.crt/server.crt and servercert.ca-bundle in /etc/httpd/conf/ssl.crt/servercert.ca-bundle.
Because the RegisterFly certificate is issued from an intermediate CA, Apache has to send the chain as well, so put:
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/servercert.ca-bundle
in your /etc/httpd/conf.d/ssl.conf configuration. Then restart Apache. (Apache 2.4.8 and later deprecate SSLCertificateChainFile; there you append the bundle to the file named by SSLCertificateFile instead.)
See Building a Secure Redhat Apache Server HOWTO for guidance with securing your Apache Server.
Self-signed ssl cert gleaned from the archives
Quick-n-dirty how-to for ssl certs
# cd /usr/share/ssl/certs
# make stunnel.pem
# mv stunnel.pem /var/qmail/control/servercert.pem
The Makefile prompts for the certificate fields; give the FQDN your clients connect to as the Common Name, for the same reason as with the purchased certificate.
Then run these commands to finish:
# cd /var/qmail/control
# chown root:vchkpw /var/qmail/control/servercert.pem
# chmod 640 /var/qmail/control/servercert.pem
# ln -s /var/qmail/control/servercert.pem /var/qmail/control/clientcert.pem
(The archived version used root:qmail and mode 644, which leaves the private key readable by every local user. root:vchkpw with 640, as in the section above, still lets qmail-smtpd read it.)
That should take care of it. The Makefile issues a 365-day certificate, so it is good till next year; repeat the procedure before it expires.
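The following script is an added example for this page and not the QMT wiki's own commands. It does what steps 1 through 5 above describe for a CA-issued certificate (assemble servercert.pem from key, crt and ca-bundle, set root:vchkpw 0640) and what the quick-n-dirty section does for a self-signed one, and then runs the checks a practitioner wants before pointing a mail client at the file: that the private key matches the certificate, that the Common Name is the FQDN the clients will use, that the file is not world-readable, and that the certificate is not expired. The throwaway CA in make_test_material stands in for RapidSSL so the assembly can be exercised offline; the file names, the script name servercert.sh and the FQDN mail.example.com are assumptions, and it expects an OpenSSL 1.1 or newer command line.

```shell
#!/bin/sh
# Added example for this page, not the QMT wiki's own commands: build
# /var/qmail/control/servercert.pem the way steps 1-5 describe (or the quick
# self-signed way), then check the file before qmail-smtpd serves it.
# Assumptions: an OpenSSL 1.1+ CLI, and that you run it as root on the
# toaster; every function takes its paths as arguments, so it can also be
# exercised against a scratch directory.
set -eu

# Stand-in for step 4 (the CA) so the assembly can be exercised offline:
# a throwaway CA signs the CSR, and its certificate plays the ca-bundle.
# Everything this produces is constructed test material, not a real cert.
make_test_material() {
  dir=$1
  fqdn=$2
  openssl genrsa -out "$dir/servercert.key" 2048 2>/dev/null       # step 1, no -des3
  openssl req -new -key "$dir/servercert.key" -subj "/CN=$fqdn" \
      -out "$dir/servercert.csr"                                     # step 3
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Throwaway Test CA" \
      -days 30 -keyout "$dir/ca.key" -out "$dir/servercert.ca-bundle" 2>/dev/null
  openssl x509 -req -in "$dir/servercert.csr" -CA "$dir/servercert.ca-bundle" \
      -CAkey "$dir/ca.key" -CAcreateserial -days 30 \
      -out "$dir/servercert.crt" 2>/dev/null
}

# Step 5: private key first, then the server cert, then the chain if the CA
# sent one.  Owner and mode as the page sets them (root:vchkpw, 0640), so only
# root and the vchkpw group, which qmail-smtpd runs under, can read the key.
assemble_pem() {
  dir=$1
  out=$2
  cat "$dir/servercert.key" "$dir/servercert.crt" > "$out"
  if [ -s "$dir/servercert.ca-bundle" ]; then
    cat "$dir/servercert.ca-bundle" >> "$out"
  fi
  chmod 640 "$out"
  if [ "$(id -u)" -eq 0 ] && grep -q '^vchkpw:' /etc/group 2>/dev/null; then
    chown root:vchkpw "$out"
  fi
}

# The quick self-signed route in one command: key plus a 365-day self-signed
# cert for the FQDN (what `make stunnel.pem` does on Red Hat), written to
# servercert.pem with clientcert.pem linked to it as the page does.
make_self_signed() {
  fqdn=$1
  out=$2
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$fqdn" -days 365 \
      -keyout "$out" -out "$out.crt" 2>/dev/null
  cat "$out.crt" >> "$out"
  rm -f "$out.crt"
  chmod 640 "$out"
  ln -sf "$out" "$(dirname "$out")/clientcert.pem"
}

# Checks worth running before pointing a mail client at the file:
#  1. the private key and the first certificate in it belong together,
#  2. the subject CN is the FQDN clients will use (the page's "verification
#     errors" come from a mismatch here),
#  3. the file is not world-readable, since it carries the private key,
#  4. the certificate has not expired.
check_pem() {
  pem=$1
  fqdn=$2
  kmod=$(openssl rsa -in "$pem" -noout -modulus 2>/dev/null || true)
  cmod=$(openssl x509 -in "$pem" -noout -modulus)
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] \
      || { echo "$pem: private key does not match the certificate" >&2; return 1; }
  openssl x509 -in "$pem" -noout -subject | grep -q "CN *= *$fqdn\$" \
      || { echo "$pem: subject CN is not $fqdn" >&2; return 1; }
  [ -z "$(find "$pem" -perm -004)" ] \
      || { echo "$pem: world-readable, chmod 640 it" >&2; return 1; }
  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
      || { echo "$pem: certificate has expired" >&2; return 1; }
  return 0
}

# For the CA route only: does servercert.crt chain to the ca-bundle the CA sent?
verify_chain() {
  dir=$1
  openssl verify -CAfile "$dir/servercert.ca-bundle" "$dir/servercert.crt" >/dev/null
}

# Usage (as root):  sh servercert.sh assemble   mail.example.com /var/qmail/control
#                   sh servercert.sh selfsigned mail.example.com /var/qmail/control
#                   sh servercert.sh check      mail.example.com /var/qmail/control
# "assemble" expects servercert.key/.crt/.ca-bundle already copied into DIR.
# Without arguments only the functions are defined.
if [ $# -eq 3 ]; then
  pem=$3/servercert.pem
  case $1 in
    assemble)   assemble_pem "$3" "$pem" && verify_chain "$3" && check_pem "$pem" "$2" ;;
    selfsigned) make_self_signed "$2" "$pem" && check_pem "$pem" "$2" ;;
    check)      check_pem "$pem" "$2" && echo "$pem looks good" ;;
    *)          echo "usage: $0 assemble|selfsigned|check FQDN DIR" >&2; exit 2 ;;
  esac
fi
```

check_pem reads the first private key and the first certificate in the file, which is exactly what the concatenation order in step 5 guarantees; if you ever paste the ca-bundle before servercert.crt the modulus comparison fails, which is the quickest way to catch that mistake. The world-readable test is there because the quick-n-dirty archive recipe used mode 644.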