Certificate

From QmailToaster
Revision as of 11:10, 20 March 2024 by Ebroch (talk | contribs)
Jump to navigation Jump to search

Security Certificate

To configure a SSL certificate for TLS and/or SSL over SMTP:

  1. Abstract: Create Certificate
    Generate key
    Generate signing request
    Sign the key
    Create server certificate
    Set permission
    Set owner
    Copy into place
    Restart services
    1. Self-Signed Certificate
      openssl genrsa -out x.key 2048
      openssl req -new -key x.key -out x.csr
      openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
      cat x.crt x.key > servercert.pem
      chmod 644 servercert.pem
      chown root:qmail servercert.pem
      cp -p servercert.pem /var/qmail/control
    2. Let's Encrypt CentOS 7/8 (Automatic, assumes working web server)
      yum install python-certbot-apache
      certbot -apache -d mydomain.com -d mail.mydomain.com
      Add to Apache Virtual
      SSLCertificateFile /etc/letsencrypt/live/mydomain.com/cert.pem
      SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.com/privkey.pem
      SSLCertificateChainFile /etc/letsencrypt/live/mydomain.com/fullchain.pem
      Add to Dovecot CentOS 6 & 7/8
      ssl_cert = </etc/letsencrypt/live/mydomain.com/fullchain.pem
      ssl_key = </etc/letsencrypt/live/mydomain.com/privkey.pem
      Add to Qmail CentOS 6 & 7/8
      cp -p /var/qmail/control/servercert.pem /var/qmail/control/servercert.pem.bak
      cat /etc/letsencrypt/live/mydomain.com/privkey.pem /etc/letsencrypt/live/mydomain.com/fullchain.pem > /var/qmail/control/servercert.pem
      Springdale, Rocky, Alma Linux 9 may need the private key last
      cat /etc/letsencrypt/live/mydomain.com/fullchain.pem /etc/letsencrypt/live/mydomain.com/privkey.pem > /var/qmail/control/servercert.pem
Retrieved from "http://wiki.qmailtoaster.org:80/index.php?title=Certificate&oldid=253"