Generate a CA with openssl and sign a certificate for qmail
source: http://www.flatmtn.com/article/setting-openssl-create-certificates
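# Create a private CA, then issue one server certificate for qmail/dovecot.
# Run as root; all paths are examples and must be adapted to the local layout.
set -euo pipefail

dir=/pathtosomedir
cd "$dir"
# 0700: this directory will hold the CA private key.
mkdir sslcert
chmod 0700 sslcert
cd sslcert
dir=$dir/sslcert            # absolute CA directory, also referenced from openssl.cnf
mkdir certs private
# serial / certindex.txt form the CA database that 'openssl ca' expects.
echo '100001' >serial
touch certindex.txt
# Create openssl.cnf here (contents shown below); its 'dir' must point at this directory.
vi openssl.cnf

# Self-signed CA certificate and key, valid about three years.
# Shell arithmetic needs $(( )); a bare '(( 3 * 365 ))' in argument position is a syntax error.
openssl req -new -x509 -extensions v3_ca \
  -keyout private/cakey.pem -out cacert.pem \
  -days $(( 3 * 365 )) -config ./openssl.cnf

# Server key and CSR, then sign the CSR with the CA.
cd /var/qmail/ssl
# -days is ignored for a CSR (no -x509); the certificate lifetime comes from default_days in openssl.cnf.
openssl req -new -nodes -keyout key -out req -days 365 -config "$dir/openssl.cnf"
chmod 0600 key              # -nodes leaves the key unencrypted: keep it owner-only
openssl ca -out cert -config "$dir/openssl.cnf" -infiles req
rm req

# qmail wants key and certificate concatenated in one file. The file contains the
# private key, so create it without world/group access; afterwards grant read access
# only to the user qmail-smtpd runs as (chown/chmod — TODO confirm that user locally).
( umask 077; cat /var/qmail/ssl/{key,cert} > /etc/qmail/servercert.pem )
# dovecot reads its key/cert from /etc/ssl; link instead of copying so a renewal
# only has to replace the two files in /var/qmail/ssl.
ln -sf /var/qmail/ssl/cert /etc/ssl/certs/dovecot.pem
ln -sf /var/qmail/ssl/key /etc/ssl/private/dovecot.pem
qmailctl reload
systemctl restart dovecot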
cacert.pem is the CA certificate to import into the clients.
Import on Arch Linux:
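# On the Arch Linux client: fetch the CA certificate into the trust anchors and
# rebuild the system trust store. These are two separate commands.
# $dir is the server-side sslcert path; it is not set on the client, so require it explicitly.
scp "server:${dir:?set dir to the server-side sslcert path}/cacert.pem" /etc/ca-certificates/trust-source/anchors/
trust extract-compat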
The file openssl.cnf looks like this:
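# OpenSSL configuration file for the private CA.
# Establish working directory.
# Replace $dir with the absolute path of the sslcert directory created above;
# OpenSSL does not read a literal $dir from the shell environment (that would
# need $ENV::dir). Every path below is resolved relative to this value.
dir = $dir
[ ca ]
default_ca = CA_default
[ CA_default ]
serial = $dir/serial
database = $dir/certindex.txt
new_certs_dir = $dir/certs
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_days = 365
# Signature digest for issued certificates. MD5 is collision-broken and is
# rejected by current TLS clients; SHA-256 is the accepted baseline.
default_md = sha256
preserve = no
email_in_dn = no
nameopt = default_ca
certopt = default_ca
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
# Size of generated keys; 1024-bit RSA is no longer considered secure.
default_bits = 2048
# Name of generated keys
default_keyfile = key.pem
# Message digest algorithm (same reasoning as default_md above)
default_md = sha256
# Permitted characters
string_mask = nombstr
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
# Variable name Prompt string
#------------------------- ----------------------------------
organizationName = organizationName
organizationalUnitName = Server Type
emailAddress = postmaster@adke.org
emailAddress_max = 40
localityName = City
stateOrProvinceName = State
countryName = DE
countryName_min = 2
countryName_max = 2
commonName = commonName
commonName_max = 64
# Default values for the above, for consistency and less typing.
# Variable name Value
#------------------------ ------------------------------
organizationName_default = adke.org
localityName_default = Muc
stateOrProvinceName_default = Bavaria
countryName_default = DE
emailAddress_default = postmaster@adke.org
[ v3_ca ]
basicConstraints = CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[ v3_req ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
# NOTE: current clients match the host name against subjectAltName rather than
# the CN; add 'subjectAltName = DNS:<mail host name>' here for the server certificate.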