Certificate: Difference between revisions

From QmailToaster
Revision as of 11:32, 20 March 2024

Security Certificate

To configure an SSL/TLS certificate for STARTTLS and/or SMTPS on the qmail SMTP service (the same files are reused for Dovecot and Apache below):

  1. Abstract: Create Certificate
    Generate key
    Generate signing request
    Sign the request (self-signed, Let's Encrypt, or a commercial CA)
    Create servercert.pem (private key and certificate chain in one file)
    Set permission
    Set owner
    Copy into place (/var/qmail/control)
    Restart services (qmail, plus Dovecot and Apache if they use the new files)
    1. Self-Signed Certificate (clients will warn or refuse unless told to trust it; suitable for testing or for peers that pin the certificate)
      # openssl genrsa -out x.key 2048
      # openssl req -new -key x.key -out x.csr
      (answer the prompts; the Common Name must be the host name clients connect to, e.g. mail.mydomain.com)
      # openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
      # cat x.crt x.key > servercert.pem
      # chmod 644 servercert.pem
      # chown root:qmail servercert.pem
      # cp -p servercert.pem /var/qmail/control
      servercert.pem contains the private key, and mode 644 makes it readable by every local account. Use the most restrictive mode that still lets the qmail-smtpd and qmail-remote process user read it.
    2. Let's Encrypt CentOS 7/8 (Automatic, assumes working web server)
      # yum install python-certbot-apache
      (the package name varies by release and EPEL version, e.g. python3-certbot-apache on CentOS 8)
      # certbot --apache -d mydomain.com -d mail.mydomain.com
      Add to the Apache virtual host (certbot --apache normally inserts these itself; check the vhost before adding duplicates)
      SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
      SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/chain.pem
      (chain.pem holds only the intermediates; fullchain.pem repeats the leaf. On Apache 2.4.8 or later SSLCertificateChainFile is deprecated: point SSLCertificateFile at fullchain.pem and omit it)
      Add to Dovecot
      ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem
      Add to Qmail (qmail reads one file holding both key and chain, so the Let's Encrypt files are concatenated into a copy)
      # cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
      # cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
      Springdale, Rocky, Alma Linux 9 may need the private key last
      # cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
      Set the mode and owner as in the self-signed steps (chmod 644, chown root:qmail), then restart services
      Let's Encrypt auto renewal
      Add to cron a nightly renew of certs (these certificates expire every 3 months; certbot renew only replaces them when they are within 30 days of expiry). Adjust the path to wherever certbot is installed (/usr/bin/certbot for the yum package).
      0 0 * * * /opt/certbot/certbot renew
      Renewal rewrites the files under /etc/letsencrypt/live, but servercert.pem is a copy: repeat the cat above and restart qmail after each renewal (for example from certbot's --deploy-hook), or qmail keeps offering the old certificate until it expires.
    3. Application: Godaddy Signed Certificate
      # openssl genrsa -out x.key 2048
      # openssl req -new -key x.key -out x.csr
      Submit the signing request (x.csr) to Godaddy; later download the signed certificate (a .crt named after the order, 7531fdb8504afe19.crt in this example) and the intermediate bundle (gd_bundle-g2-g1.crt). Only the CSR is sent; the private key never leaves the server.
      # cat x.key 7531fdb8504afe19.crt gd_bundle-g2-g1.crt > servercert.pem
      # chmod 644 servercert.pem
      # chown root:qmail servercert.pem
      # cp -p servercert.pem /var/qmail/control
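All three procedures above end the same way: a private key and a certificate chain are concatenated into servercert.pem, given a mode and owner, copied into /var/qmail/control and the services restarted. The script below is an added example of doing that step with the checks a practitioner wants before swapping the file: that the key really belongs to the certificate, that the certificate is not about to expire, and that the old file is kept as a .bak. It is not part of QmailToaster or the qmail-toaster packages. The function and variable names (key_matches_cert, cert_valid_for_days, build_servercert, KEY_LAST, SERVERCERT_MODE) are this example's own, it assumes openssl is installed, and it only calls qmailctl restart if that command exists on the host.

```shell
#!/bin/sh
# install-servercert.sh: build, verify and install /var/qmail/control/servercert.pem
# Added example for this page; not part of QmailToaster or the qmail-toaster packages.
# Assumptions not taken from the page: the function and variable names, that openssl
# is installed, and that `qmailctl restart` restarts the services (only run if present).
#
# Usage:  install-servercert.sh KEY CHAIN [DEST]            (key first, as on the page)
#         KEY_LAST=1 install-servercert.sh KEY CHAIN [DEST] (EL9 ordering, key last)
# As a certbot hook, so every renewal rebuilds servercert.pem and restarts qmail:
#   certbot renew --deploy-hook \
#     '/usr/local/sbin/install-servercert.sh "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem"'
set -eu

# Succeeds only if KEY ($1) is the private key of the first (leaf) certificate in CHAIN ($2).
# Public keys are compared as PEM, which works for RSA and EC keys alike.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds only if the leaf certificate in $2 is still valid $1 days from now.
cert_valid_for_days() {
    openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# build_servercert KEY CHAIN DEST [KEY_LAST]
# Verifies key and chain, concatenates them in the chosen order, sets mode and owner,
# keeps a .bak of the previous file and replaces DEST atomically.
build_servercert() {
    key=$1; chain=$2; dest=$3; key_last=${4:-0}
    key_matches_cert "$key" "$chain" || { echo "$key does not match $chain" >&2; return 1; }
    cert_valid_for_days 1 "$chain" || { echo "$chain is expired or expires within a day" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$dest")/servercert.XXXXXX")
    if [ "$key_last" = 1 ]; then
        cat "$chain" "$key" > "$tmp"
    else
        cat "$key" "$chain" > "$tmp"
    fi
    # The page uses 644; SERVERCERT_MODE=640 is enough when the SMTP process user is in group qmail.
    chmod "${SERVERCERT_MODE:-644}" "$tmp"
    chown root:qmail "$tmp" 2>/dev/null || true   # only possible as root
    if [ -f "$dest" ]; then cp -p "$dest" "$dest.bak"; fi
    mv "$tmp" "$dest"
}

if [ $# -ge 2 ]; then
    build_servercert "$1" "$2" "${3:-/var/qmail/control/servercert.pem}" "${KEY_LAST:-0}"
    if command -v qmailctl >/dev/null 2>&1; then
        qmailctl restart
    else
        echo "servercert.pem installed; restart qmail (and dovecot if it shares the key) by hand" >&2
    fi
fi
```

Run it as root with the Let's Encrypt paths from step 2 (or x.key and the GoDaddy files from step 3); a key/certificate mismatch or an expired chain aborts before anything in /var/qmail/control is touched. After installing, confirm what qmail actually serves with `openssl s_client -connect mail.mydomain.com:25 -starttls smtp` and check the dates and the issuer in the output.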