Certificate: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
No edit summary |
||
| Line 13: | Line 13: | ||
#; Restart services | #; Restart services | ||
## Self-Signed Certificate | ## Self-Signed Certificate | ||
##; <nowiki>#</nowiki>openssl genrsa -out x.key 2048 | ##; <nowiki>#</nowiki> openssl genrsa -out x.key 2048 | ||
##; <nowiki>#</nowiki>openssl req -new -key x.key -out x.csr | ##; <nowiki>#</nowiki> openssl req -new -key x.key -out x.csr | ||
##; <nowiki>#</nowiki>openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt | ##; <nowiki>#</nowiki> openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt | ||
##; <nowiki>#</nowiki>cat x.crt x.key > servercert.pem | ##; <nowiki>#</nowiki> cat x.crt x.key > servercert.pem | ||
##; <nowiki>#</nowiki>chmod 644 servercert.pem | ##; <nowiki>#</nowiki> chmod 644 servercert.pem | ||
##; <nowiki>#</nowiki>chown root<nowiki>:</nowiki>qmail servercert.pem | ##; <nowiki>#</nowiki> chown root<nowiki>:</nowiki>qmail servercert.pem | ||
##; <nowiki>#</nowiki>cp -p servercert.pem /var/qmail/control | ##; <nowiki>#</nowiki> cp -p servercert.pem /var/qmail/control | ||
## Let's Encrypt CentOS 7/8 (Automatic, assumes working web server) | ## Let's Encrypt CentOS 7/8 (Automatic, assumes working web server) | ||
##; <nowiki>#</nowiki>yum install python-certbot-apache | ##; <nowiki>#</nowiki> yum install python-certbot-apache | ||
##; <nowiki>#</nowiki>certbot -apache -d mydomain.com -d mail.mydomain.com | ##; <nowiki>#</nowiki> certbot -apache -d mydomain.com -d mail.mydomain.com | ||
##: Add to Apache Virtual | ##: Add to Apache Virtual | ||
### SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem | ### SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem | ||
| Line 31: | Line 31: | ||
### ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem | ### ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem | ||
##: Add to Qmail | ##: Add to Qmail | ||
### <nowiki>#</nowiki>cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | ### <nowiki>#</nowiki> cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak | ||
### <nowiki>#</nowiki>cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem | ### <nowiki>#</nowiki> cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem | ||
##: Springdale, Rocky, Alma Linux 9 may need the private key last | ##: Springdale, Rocky, Alma Linux 9 may need the private key last | ||
### cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem | ### <nowiki>#</nowiki> cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem | ||
##: Let's Encrypt auto renewal | ##: Let's Encrypt auto renewal | ||
##: Add to cron nightly renew of certs (These certificates expire every 3 months) | ##: Add to cron nightly renew of certs (These certificates expire every 3 months) | ||
### 0 0 * * * /opt/certbot/certbot-auto renew #CentOS 6 | ### 0 0 * * * /opt/certbot/certbot-auto renew #CentOS 6 | ||
### 0 0 * * * /opt/certbot/certbot renew #CentOS 7 | ### 0 0 * * * /opt/certbot/certbot renew #CentOS 7 | ||
Revision as of 11:21, 20 March 2024
Security Certificate
To configure a SSL certificate for TLS and/or SSL over SMTP:
- Abstract: Create Certificate
- Generate key
- Generate signing request
- Sign the key
- Create server certificate
- Set permission
- Set owner
- Copy into place
- Restart services
- Self-Signed Certificate
- # openssl genrsa -out x.key 2048
- # openssl req -new -key x.key -out x.csr
- # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
- # cat x.crt x.key > servercert.pem
- # chmod 644 servercert.pem
- # chown root:qmail servercert.pem
- # cp -p servercert.pem /var/qmail/control
- Let's Encrypt CentOS 7/8 (Automatic, assumes working web server)
- # yum install python-certbot-apache
- # certbot -apache -d mydomain.com -d mail.mydomain.com
- Add to Apache Virtual
- SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
- SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
- SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
- Add to Dovecot
- ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
- ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem
- Add to Qmail
- # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
- # cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
- Springdale, Rocky, Alma Linux 9 may need the private key last
- # cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
- Let's Encrypt auto renewal
- Add to cron nightly renew of certs (These certificates expire every 3 months)
- 0 0 * * * /opt/certbot/certbot-auto renew #CentOS 6
- 0 0 * * * /opt/certbot/certbot renew #CentOS 7