# Ref: https://mcilis.medium.com/how-to-create-a-server-certificate-with-configuration-using-openssl-ea3d2c4506ac
# Ref: https://www.openssl.org/docs/manmaster/man5/x509v3_config.html
Generate the private key for the root cert.
muko@mybsd:~/work2 % openssl genrsa -out "root-ca.key" 4096
Create the certificate signing request.
muko@mybsd:~/work2 % openssl req -new -key "root-ca.key" -out "root-ca.csr" -sha256 -subj '/CN=MukoyamaOrg Root CA/C=US/ST=Hawaii/L=Honolulu/O=MukoyamaOrg'
Create a config file with the extensions to apply when signing the root cert.
cat > root-ca.cnf << EOF
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign, digitalSignature, keyAgreement
subjectKeyIdentifier=hash
EOF
Sign the root cert.
muko@mybsd:~/work2 % openssl x509 -req -days 1826 -in "root-ca.csr" -signkey "root-ca.key" -sha256 -out "root-ca.crt" -extfile "root-ca.cnf" -extensions root_ca
If you use Windows, install this root certificate into "Trusted Root Authorities".
Next, I create the server certificate.
First, generate the server key.
muko@mybsd:~/work2 % openssl genrsa -out "server.key" 4096
Create the certificate signing request for the server cert.
muko@mybsd:~/work2 % openssl req -new -key "server.key" -out "server.csr" -sha256 -subj '/CN=My VPN Server/C=US/ST=Hawaii/L=Honolulu/O=MukoyamaOrg'
Create a config file with the extensions to apply when signing the server cert.
cat > server.cnf << EOF
[server]
authorityKeyIdentifier=keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage=serverAuth
# keyCertSign is only meaningful on CA certificates; it is omitted here because basicConstraints is CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
# subjectAltName = DNS:myvpnserver.com, DNS:localhost, IP:127.0.0.1
subjectAltName = DNS:myvpnserver.com
subjectKeyIdentifier=hash
EOF
Sign the server cert.
muko@mybsd:~/work2 % openssl x509 -req -days 365 -in "server.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "server.crt" -extfile "server.cnf" -extensions server
Now, I have the server cert (and key), and can install it to the server.
Next, I create the client cert.
Generate the private key for the client cert.
muko@mybsd:~/work2 % openssl genrsa -out "client.key" 4096
Create the CSR file for the client cert.
muko@mybsd:~/work2 % openssl req -new -key "client.key" -out "client.csr" -sha256 -subj '/CN=Test Client CA/C=US/ST=Hawaii/L=Honolulu/O=MukoyamaOrg'
Create a config file with the extensions to apply when signing the client cert.
cat > client.cnf << EOF
[client]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "Local Test Client Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
Sign the client cert.
muko@mybsd:~/work2 % openssl x509 -req -days 365 -in "client.csr" -sha256 -CA "root-ca.crt" -CAkey "root-ca.key" -CAcreateserial -out "client.crt" -extfile "client.cnf" -extensions client
Create the pem file.
muko@mybsd:~/work2 % cat client.key client.crt root-ca.crt > client.pem
Create the pkcs12 file.
muko@mybsd:~/work2 % openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile root-ca.crt
2023/07/09
Server and Client Certificates with Openssl
I need to create a pair of server and client certificates for Barracuda VPN once a year.
So, I practiced it with Openssl.
(Reference: https://mcilis.medium.com/how-to-create-a-self-signed-client-certificate-with-openssl-c4af9ac03e99)
Here are some notes.
Below, I create 1) a Root CA certificate, 2) a server certificate, and 3) a client certificate.
1) Start by creating the root certificate.
First, create an encrypted RSA private key for the root certificate.
muko@mybsd:~/work1 % openssl genrsa -aes256 -passout pass:mypassword -out ca.pass.key 4096
muko@mybsd:~/work1 % ls -l ca.pass.key
-rw------- 1 muko muko 3326 Jul 9 06:58 ca.pass.key
Next, extract the unencrypted RSA private key from the encrypted one above.
muko@mybsd:~/work1 % openssl rsa -passin pass:mypassword -in ca.pass.key -out ca.key
muko@mybsd:~/work1 % ls -l ca.key
-rw------- 1 muko muko 3243 Jul 9 07:01 ca.key
Finally, create the root certificate with the private key above.
muko@mybsd:~/work1 % openssl req -new -x509 -days 1095 -key ca.key -out ca.crt
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Hawaii
Locality Name (eg, city) []:Honolulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mukoyama.org
Organizational Unit Name (eg, section) []:Root Authority at mukoyama.org
Common Name (e.g. server FQDN or YOUR name) []:MukoyamaOrgRoot
Email Address []:hiroshi@mukoyama.org
muko@mybsd:~/work1 % ls -l ca.crt
-rw-r--r-- 1 muko muko 2232 Jul 9 07:07 ca.crt
Check the root certificate above.
muko@mybsd:~/work1 % openssl x509 -in ca.crt -noout -subject -dates
2) Now, I create the server certificate.
First, create an encrypted RSA private key for the server.
muko@mybsd:~/work1 % openssl genrsa -aes256 -passout pass:mypassword -out server.pass.key 4096
muko@mybsd:~/work1 % ls -l server.pass.key
-rw------- 1 muko muko 3326 Jul 9 07:17 server.pass.key
Next, extract the unencrypted RSA private key from the encrypted one above.
muko@mybsd:~/work1 % openssl rsa -passin pass:mypassword -in server.pass.key -out server.key
writing RSA key
muko@mybsd:~/work1 % ls -l server.key
-rw------- 1 muko muko 3247 Jul 9 07:18 server.key
Then, create a certificate signing request for the server.
muko@mybsd:~/work1 % openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Hawaii
Locality Name (eg, city) []:Honolulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mukoyama.org
Organizational Unit Name (eg, section) []:Test Section
Common Name (e.g. server FQDN or YOUR name) []:test.mukoyama.org (your server name)
Email Address []:hiroshi@mukoyama.org
A challenge password []: (Blank)
An optional company name []: (Blank)
muko@mybsd:~/work1 % ls -l server.csr
-rw-r--r-- 1 muko muko 1777 Jul 9 07:22 server.csr
By the way, the command "% openssl req -new -key server.pass.key -out server.csr" also works.
Finally, sign the server certificate with the root CA.
muko@mybsd:~/work1 % openssl x509 -CAcreateserial -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
muko@mybsd:~/work1 % ls -l server.crt ca.srl
-rw-r--r-- 1 muko muko 41 Jul 9 07:28 ca.srl
-rw-r--r-- 1 muko muko 2090 Jul 9 07:28 server.crt
From the second signing onward, add the "-CAserial ca.srl" option so that every issued certificate gets a unique serial number.
muko@mybsd:~/work1 % openssl x509 -CAcreateserial -CAserial ca.srl -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -out server.crt
muko@mybsd:~/work1 % openssl x509 -noout -serial -in server.crt
serial=47FDBD839DD97A0D3799A9C9DC38D762F6902443
3) I have the root cert and server cert. Now, I create the client certificate.
First, create an encrypted RSA private key for the client.
muko@mybsd:~/work1 % openssl genrsa -aes256 -passout pass:mypassword -out client.pass.key 4096
muko@mybsd:~/work1 % ls -l client.pass.key
-rw------- 1 muko muko 3326 Jul 9 08:01 client.pass.key
Then, extract the RSA private key.
muko@mybsd:~/work1 % openssl rsa -passin pass:mypassword -in client.pass.key -out client.key
muko@mybsd:~/work1 % ls -l client.key
-rw------- 1 muko muko 3247 Jul 9 08:02 client.key
Now, create a certificate signing request for the client certificate.
muko@mybsd:~/work1 % openssl req -new -key client.key -out client.csr
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Hawaii
Locality Name (eg, city) []:Honolulu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mukoyama.org
Organizational Unit Name (eg, section) []:test section
Common Name (e.g. server FQDN or YOUR name) []:Test Client
Email Address []:
A challenge password []:
An optional company name []:
muko@mybsd:~/work1 % ls -l client.csr
-rw-r--r-- 1 muko muko 1716 Jul 9 08:06 client.csr
Finally, sign the client certificate with the root CA.
muko@mybsd:~/work1 % openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -out client.crt
muko@mybsd:~/work1 % ls -l client.crt
-rw-r--r-- 1 muko muko 2029 Jul 9 08:08 client.crt
At the final step, I create a PKCS12 archive file to be installed into a client machine.
First, concatenate the client key, client certificate and root certificate into one file.
muko@mybsd:~/work1 % cat client.key client.crt ca.crt > client.pem
muko@mybsd:~/work1 % ls -l client.pem
-rw-r--r-- 1 muko muko 7508 Jul 9 08:12 client.pem
Then, create a PKCS12 archive file (or pfx file) of the client certificate.
muko@mybsd:~/work1 % openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile ca.crt
Enter Export Password:
Verifying - Enter Export Password:
muko@mybsd:~/work1 % ls -l client.pfx
-rw------- 1 muko muko 7525 Jul 9 08:14 client.pfx
Check the pfx file.
% openssl pkcs12 -info -in client.pfx > tmp.txt
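As an added example (not code from either post), the script below issues a root CA and then signs one server CSR twice: with extension sections modelled on the first post's root-ca.cnf and server.cnf, and with a plain "x509 -req" as in this post. It then shows what each certificate is accepted for, which is where the two approaches differ. All file names, subjects and the hostname myvpnserver.com are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original posts. It issues a root CA and then
# signs one server CSR twice: with the extension sections modelled on the first
# post (server.crt) and with a plain "x509 -req" as in this post (server-noext.crt).
# It then shows what each certificate is accepted for. All file names, subjects and
# the hostname myvpnserver.com are constructed assumptions.

# make_pki DIR: create root-ca.crt, server.crt and server-noext.crt under DIR.
make_pki() {
    d=$1; mkdir -p "$d" || return 1
    cat > "$d/root-ca.cnf" <<'EOF'
[root_ca]
basicConstraints = critical,CA:TRUE,pathlen:1
keyUsage = critical, nonRepudiation, cRLSign, keyCertSign, digitalSignature, keyAgreement
subjectKeyIdentifier = hash
EOF
    cat > "$d/server.cnf" <<'EOF'
[server]
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = critical, digitalSignature, keyEncipherment, keyAgreement
subjectAltName = DNS:myvpnserver.com
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$d/root-ca.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/root-ca.key" -sha256 -subj '/CN=Example Root CA' \
        -out "$d/root-ca.csr" || return 1
    openssl x509 -req -days 30 -sha256 -in "$d/root-ca.csr" -signkey "$d/root-ca.key" \
        -extfile "$d/root-ca.cnf" -extensions root_ca -out "$d/root-ca.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null || return 1
    openssl req -new -key "$d/server.key" -sha256 -subj '/CN=My VPN Server' \
        -out "$d/server.csr" || return 1
    # as in the first post: the extension section is applied at signing time
    openssl x509 -req -days 30 -sha256 -in "$d/server.csr" -CA "$d/root-ca.crt" \
        -CAkey "$d/root-ca.key" -CAcreateserial -extfile "$d/server.cnf" -extensions server \
        -out "$d/server.crt" 2>/dev/null || return 1
    # as in this post: no extension file, so the certificate gets no SAN, EKU or basicConstraints
    openssl x509 -req -days 30 -sha256 -in "$d/server.csr" -CA "$d/root-ca.crt" \
        -CAkey "$d/root-ca.key" -CAserial "$d/root-ca.srl" \
        -out "$d/server-noext.crt" 2>/dev/null || return 1
}

# verify_for CA CERT PURPOSE: 0 if CERT chains to CA and may be used for PURPOSE (sslserver/sslclient)
verify_for() { openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1; }

# verify_host CA CERT HOST: 0 if CERT chains to CA and its SAN (or, lacking a SAN, its CN) matches HOST
verify_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }

# basic_constraints CERT: print the basicConstraints value, or nothing if the extension is absent
basic_constraints() {
    openssl x509 -in "$1" -noout -text | sed -n '/X509v3 Basic Constraints/{n;s/^ *//;p;}'
}

# report CA CERT: print how CERT fares under the checks above
report() {
    echo "$2:"
    echo "  basicConstraints: $(basic_constraints "$2")"
    for p in sslserver sslclient; do
        if verify_for "$1" "$2" "$p"; then echo "  accepted as $p"; else echo "  rejected as $p"; fi
    done
    if verify_host "$1" "$2" myvpnserver.com; then echo "  hostname myvpnserver.com matches"
    else echo "  hostname myvpnserver.com does NOT match"; fi
}

if command -v openssl >/dev/null 2>&1; then
    dir=${TMPDIR:-/tmp}/pki-example.$$
    make_pki "$dir" && report "$dir/root-ca.crt" "$dir/server.crt" &&
        report "$dir/root-ca.crt" "$dir/server-noext.crt"
    rm -rf "$dir"
else
    echo "openssl not installed; nothing to demonstrate" >&2
fi
```

The certificate signed without an extension file is accepted as a TLS client as well as a server, and does not match the hostname because it carries no subjectAltName; the one signed with the config is restricted to serverAuth and matches myvpnserver.com.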
2023/07/07
Update SSL Certificate with Dovecot
I have just updated the SSL certificates on the Dovecot server.
Here are some notes.
I had my private key file.
a) your_mailserver_com.key
The purchased and downloaded zip file from GoDaddy included three files.
b) 1940e7249efa77a6.crt
c) 1940e7249efa77a6.pem
d) gd_bundle-g2-g1.crt
After creating a full chain certificate from b) and d) above, I replaced the current files.
Their locations are set in /etc/dovecot/conf.d/10-ssl.conf.
# grep -e "ssl_key =" -e "ssl_cert =" /etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/dovecot/my_mailserver_com.pem
ssl_key = </etc/dovecot/my_mailserver_com.key
You might need to adjust their permissions.
# ls -l /etc/dovecot/my_mailserver_com.pem
-rw-r--r-- 1 root root 7153 Jul 6 12:40 /etc/dovecot/my_mailserver_com.pem
# ls -l /etc/dovecot/my_mailserver_com.key
-rw-r--r-- 1 root root 1704 Aug 24 2022 /etc/dovecot/my_mailserver_com.key
Finally, I restarted the Dovecot service.
# systemctl restart dovecot
By the way, on my old email server, the SSL configuration file is located in a different place.
# grep -e "ssl_key =" -e "ssl_cert =" /usr/local/dovecot/etc/dovecot/conf.d/10-ssl.conf
ssl_cert = </etc/ssl/certs/dovecot.pem
ssl_key = </etc/ssl/private/dovecot.pem
Then, the restart command is "$ dovecotctl restart" on that server.
2023/07/06
Update SSL Certificate with Postfix
I have just updated the SSL certificates on the Postfix mail server.
Here are some notes.
You should have your private key file.
a) your_mailserver_com.key
I purchased the certificate from GoDaddy.
The downloaded zipped file included three files.
b) 1940e7249efa77a6.crt
c) 1940e7249efa77a6.pem
d) gd_bundle-g2-g1.crt
Next, you create the full chain pem file from b) and d) above.
Then, you replace the existing private key and the full chain certificate.
By the way, always create backup copies of the current files before replacing them.
Here, the location of target files is written in /etc/postfix/main.cf.
# grep key_file main.cf
smtpd_tls_key_file = /etc/postfix/my_mailserver_com.key
# ls -l /etc/postfix/my_mailserver_com.key
-rw-r--r-- 1 root root 1704 Aug 24 2022 /etc/postfix/my_mailserver_com.key
# grep cert_file main.cf
smtpd_tls_cert_file = /etc/postfix/my_mailserver_com.pem
# ls -l /etc/postfix/my_mailserver_com.pem
-rw-r--r-- 1 root root 7153 Aug 24 2022 /etc/postfix/my_mailserver_com.pem
Finally, you restart the Postfix service.
# postfix check
# systemctl restart postfix
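As an added example (not the commands from this post or the Dovecot post above), the script below performs the replacement step both posts describe with the checks a practitioner wants before overwriting anything: the new certificate must match the private key, it must verify against the CA bundle, and the files being replaced are backed up first. Every path, file name and function name is an assumption.

```shell
#!/bin/sh
# Added example, not the original posts' commands: rotate a mail server's TLS key
# and full-chain certificate as the Postfix and Dovecot posts describe, but check
# the new material and back up the old files before anything is replaced.
# All paths below are assumptions.

# key_matches_cert KEY CERT: 0 if CERT carries the public key of KEY
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies CERT BUNDLE: 0 if CERT chains to a certificate in BUNDLE
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# install_tls_material KEY CERT BUNDLE DEST_KEY DEST_PEM
# Writes KEY to DEST_KEY (mode 0600) and CERT followed by BUNDLE to DEST_PEM
# (mode 0644), keeping timestamped backups of any file it overwrites.
install_tls_material() {
    key=$1; cert=$2; bundle=$3; dest_key=$4; dest_pem=$5
    key_matches_cert "$key" "$cert" ||
        { echo "refusing: $cert does not match $key" >&2; return 1; }
    chain_verifies "$cert" "$bundle" ||
        { echo "refusing: $cert does not verify against $bundle" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    for f in "$dest_key" "$dest_pem"; do
        if [ -e "$f" ]; then cp -p "$f" "$f.bak.$stamp" || return 1; fi
    done
    # leaf first, then the provider bundle: the order servers expect in a full chain
    cat "$cert" "$bundle" > "$dest_pem" || return 1
    # create the key file with a restrictive umask so it is never world-readable
    (umask 077; cat "$key" > "$dest_key") || return 1
    chmod 0600 "$dest_key"   # private key: owner only
    chmod 0644 "$dest_pem"   # certificates are public
    echo "installed $dest_key and $dest_pem; previous files saved as *.bak.$stamp"
}
```

After a successful install, run "postfix check" and restart Postfix, or restart Dovecot, exactly as the posts show. Qmail's servercert.pem additionally needs the private key in the same file, so for it concatenate key, certificate and bundle into the destination instead of a separate key file.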
2023/07/05
Submit CSR
I purchased the SSL certificates to install them onto email servers.
Here are some notes.
First, you create the RSA private key.
$ openssl genrsa -out your_mailserver_com.key 2048
To bypass the pass phrase requirement, omit the -des3 option when generating the private key.
Then, you generate the CSR.
$ openssl req -new -key your_mailserver_com.key -out your_mailserver_com.csr
Skip "challenge password", and "optional company name".
Submit CSR to the service provider.
2023/07/04
Qmail SSL Certificate Updates
One of my email servers still uses Qmail.
Here are some notes on updating the SSL certificate with Qmail.
I purchased the certificates from Network Solutions.
First, you should have your private key file.
a) your_mailserver_com.key
The downloaded zipped file contained three files.
b) YOUR.MAILSERVER.COM.crt (server cert)
c) DV_NetworkSolutionsDVServerCA2.crt (intermediate or chain cert)
d) DV_USERTrustRSACertificationAuthority.crt (root cert?)
Concatenate all four files above into one file with the suffix "pem".
$ cat your_mailserver_com.key YOUR.MAILSERVER.COM.crt DV_NetworkSolutionsDVServerCA2.crt DV_USERTrustRSACertificationAuthority.crt > temp.pem
The pem file should look like below.
-----BEGIN RSA PRIVATE KEY-----
(private key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(server cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root cert)
-----END CERTIFICATE-----
Then, replace the old pem file with the new one.
The location of the Qmail certificate file is /var/qmail/control/.
muko@mail:~$ ls -l /var/qmail/control/servercert.pem
-rw-r----- 1 vpopmail vchkpw 8274 Apr 14 14:10 /var/qmail/control/servercert.pem
Make sure the file keeps the same owner and permissions.
Finally, restart the Qmail service.
$ qmailctl restart
By the way, according to some web pages, man qmail-smtpd suggests that servercert.pem "Should contain both the certificate and the private key. Certifying Authority (CA) and intermediate certificates can be added at the end of the file."
In my case, the qmail-showctl command tells "servercert.pem: I have no idea what this file does."
Also, the file /var/qmail/supervise/qmail-smtpd/run did not specify the cert files.
However, the file /usr/local/src/netqmail-1.06/Makefile-cert looks like it makes servercert.pem, so I think my Qmail uses servercert.pem (and clientcert.pem is a symbolic link to servercert.pem).
Check SSL Certificates Using Openssl
I downloaded the server certificates from GoDaddy, which are used for a mail server running Postfix and Dovecot.
Here are some notes.
The downloaded zip file contained three files:
a) d29733cc9c571769.crt
b) d29733cc9c571769.pem
c) gd_bundle-g2-g1.crt
You can check if the certificate is paired with your private key.
$ openssl rsa -noout -modulus -in your_private.key | openssl md5
$ openssl x509 -noout -modulus -in d29733cc9c571769.crt | openssl md5
The outputs of above two commands should be the same.
Also, you can check that the public key in the purchased certificate is the same as the one derived from your private key.
$ openssl rsa -in your_private.key -pubout
$ openssl x509 -in d29733cc9c571769.crt -noout -pubkey
You might also want to check the chain between the server and intermediate certificates.
$ openssl verify -CAfile gd_bundle-g2-g1.crt d29733cc9c571769.crt
You also want to check the validity dates.
$ openssl x509 -noout -in d29733cc9c571769.crt -dates
Then, you create a pem file from d29733cc9c571769.crt and gd_bundle-g2-g1.crt.
$ cat d29733cc9c571769.crt gd_bundle-g2-g1.crt > tmp.pem
You can check the order of certificates in the pem file.
$ openssl crl2pkcs7 -nocrl -certfile tmp.pem | openssl pkcs7 -print_certs -noout
You see pairs of subject and issuer lines.
Each issuer must match the subject of the certificate that follows it.
The last line should be the root CA.
Also, you can check if the PEM format is correct.
$ openssl x509 -inform PEM -in tmp.pem -text
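As an added example (not from the post), a shell function that automates the order check described above: it reads the subject/issuer pairs printed by the crl2pkcs7 | pkcs7 pipeline and confirms that each issuer equals the subject of the next certificate. The sample output it is run on is constructed, so the demo needs no real certificates; check_pem_chain runs the real pipeline on a file.

```shell
#!/bin/sh
# Added example, not from the original post: check the certificate order in a
# full-chain PEM from the subject/issuer pairs that
#   openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout
# prints. Each issuer must equal the subject of the certificate that follows it.
# Whether the last certificate is a self-signed root is reported but not required,
# because provider bundles often omit the root.

# check_chain_order FILE: FILE holds "subject=..." / "issuer=..." lines, one pair per
# certificate, leaf first. Returns 0 when the order is consistent.
check_chain_order() {
    awk '
        BEGIN { n = 0 }
        /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
        /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0; n++ }
        END {
            if (n == 0) { print "no certificates found"; exit 1 }
            bad = 0
            for (i = 0; i < n - 1; i++) {
                if (iss[i] != subj[i + 1]) {
                    printf "order error: cert %d was issued by [%s] but cert %d is [%s]\n",
                           i + 1, iss[i], i + 2, subj[i + 1]
                    bad = 1
                }
            }
            if (bad == 0) printf "%d certificates, chain order consistent\n", n
            if (iss[n - 1] == subj[n - 1]) print "last certificate is a self-signed root"
            else print "note: last certificate is not self-signed (root CA not included)"
            exit bad
        }' "$1"
}

# check_pem_chain CHAIN.pem: run the pipeline from the post on a real file and check its output
check_pem_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout > "$1.order" &&
        check_chain_order "$1.order"
}

# Constructed sample output (leaf, intermediate, root) in the format OpenSSL 1.1/3.x print.
sample_good() {
    printf '%s\n' \
        'subject=CN = mail.example.test' \
        'issuer=C = US, O = Example CA, CN = Example Intermediate CA' \
        '' \
        'subject=C = US, O = Example CA, CN = Example Intermediate CA' \
        'issuer=C = US, O = Example CA, CN = Example Root CA' \
        '' \
        'subject=C = US, O = Example CA, CN = Example Root CA' \
        'issuer=C = US, O = Example CA, CN = Example Root CA'
}

f=${TMPDIR:-/tmp}/chain-order.$$
sample_good > "$f"
check_chain_order "$f"
# The same bundle with the intermediate and root swapped, which must be reported.
sample_good | awk 'BEGIN{RS="";ORS="\n\n"} {b[NR]=$0} END{print b[1]; print b[3]; print b[2]}' > "$f"
check_chain_order "$f" || echo "(exit status $?: wrong order detected)"
rm -f "$f"
```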
After installing the new certificates onto the server and restarting the services, you can confirm that the validity dates are updated.
% echo -n Q | openssl s_client -servername my_mailserver.com -connect my_mailserver.com:587 -starttls smtp | openssl x509 -noout -dates
% echo -n Q | openssl s_client -servername my_mailserver.com -connect my_mailserver.com:25 -starttls smtp | openssl x509 -noout -dates
% openssl s_client -showcerts -servername my_mailserver.com -connect my_mailserver.com:995 | openssl x509 -noout -dates
% openssl s_client -showcerts -servername my_mailserver.com -connect my_mailserver.com:993 | openssl x509 -noout -dates
% echo -n Q | openssl s_client -servername my_webserver.com -connect my_webserver.com:443 | openssl x509 -noout -dates