SSL Certificates

So called SSL/TLS certificates are cryptographic public key certificates and are composed of a public and a private key. The certificates are used to authenticate the endpoints and encrypt the data. They are used for example on a web server (https) or mail server (imaps).

Procedure

* We need a certificate authority to sign our certificate. This step is usually provided by a vendor like Thawte, Verisign, etc.; however, we can also create our own.
* Create a certificate signing request. This request is like an unsigned certificate (the public part) and already contains all necessary information. The certificate request is normally sent to the authority vendor for signing. This step also creates the private key on the local machine.
* Sign the certificate with the certificate authority.
* If necessary, join the certificate and the key in a single file to be used by the application (web server, mail server, etc.).

Configure OpenSSL

We use /usr/local/certs as the directory for this example. Check or edit /etc/ssl/openssl.cnf according to your settings so you know where the files will be created. Here is the relevant part of openssl.cnf:

    [ CA_default ]
    dir      = /usr/local/certs/CA   # Where everything is kept
    certs    = $dir/certs            # Where the issued certs are kept
    crl_dir  = $dir/crl              # Where the issued crl are kept
    database = $dir/index.txt        # database index file.

Make sure the directories exist or create them:

    # mkdir -p /usr/local/certs/CA
    # cd /usr/local/certs/CA
    # mkdir certs crl newcerts private
    # echo "01" > serial             # Only if serial does not exist
    # touch index.txt

If you intend to get a signed certificate from a vendor, you only need a certificate signing request (CSR). This CSR will then be signed by the vendor for a limited time (e.g. 1 year).

Create a certificate authority

If you do not have a certificate authority from a vendor, you'll have to create your own. This step is not necessary if one intends to use a vendor to sign the request.
To make a certificate authority (CA):

    # openssl req -new -x509 -days 730 -config /etc/ssl/openssl.cnf \
      -keyout CA/private/cakey.pem -out CA/cacert.pem

Create a certificate signing request

To make a new certificate (for a mail server or web server, for example), first create a certificate request with its private key. If your application does not support an encrypted private key (for example UW-IMAP does not), then disable encryption with -nodes.

    # openssl req -new -keyout newkey.pem -out newreq.pem \
      -config /etc/ssl/openssl.cnf
    # openssl req -nodes -new -keyout newkey.pem -out newreq.pem \
      -config /etc/ssl/openssl.cnf     # No encryption for the key

Keep this created CSR (newreq.pem) as it can be signed again at the next renewal; only the signature will limit the validity of the certificate. This process also created the private key newkey.pem.

Sign the certificate

The certificate request has to be signed by the CA to be valid; this step is usually done by the vendor.
Note: replace "servername" with the name of your server in the next commands.

    # cat newreq.pem newkey.pem > new.pem
    # openssl ca -policy policy_anything -out servernamecert.pem \
      -config /etc/ssl/openssl.cnf -infiles new.pem
    # mv newkey.pem servernamekey.pem

Now servernamekey.pem is the private key and servernamecert.pem is the server certificate.

Create united certificate

The IMAP server wants to have both the private key and the server certificate in the same file. In general this is also easier to handle, but the file has to be kept securely! Apache can also deal with it well. Create a file servername.pem containing both the certificate and the key.

* Open the private key (servernamekey.pem) with a text editor and copy the private key into the "servername.pem" file.
* Do the same with the server certificate (servernamecert.pem).
The final servername.pem file should look like this:

    -----BEGIN RSA PRIVATE KEY-----
    MIICXQIBAAKBgQDutWy+o/XZ/[...]qK5LqQgT3c9dU6fcR+WuSs6aejdEDDqBRQ
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MIIERzCCA7CgAwIBAgIBBDANB[...]iG9w0BAQQFADCBxTELMAkGA1UEBhMCREUx
    -----END CERTIFICATE-----

What we have now in the directory /usr/local/certs/:

* CA/private/cakey.pem (CA server private key)
* CA/cacert.pem (CA server public key)
* certs/servernamekey.pem (server private key)
* certs/servernamecert.pem (server signed certificate)
* certs/servername.pem (server certificate with private key)

Keep the private key secure!

View certificate information

To view the certificate information simply do:

    # openssl x509 -text -in servernamecert.pem   # View the certificate info
    # openssl req -noout -text -in server.csr      # View the request info
    # openssl s_client -connect cb.vu:443          # Check a web server certificate
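The whole procedure above (CA, CSR with key, signing, united file) as one non-interactive script, added here as an example and not part of the original page: it builds a throwaway CA under a work directory of your choice instead of /usr/local/certs, writes its own minimal openssl.cnf rather than editing /etc/ssl/openssl.cnf, and finishes by checking the issued certificate against the CA with openssl verify. The function names, the "Test CA" name and the 365-day validity are assumptions of this example.

```shell
# Added example (not the page's own script): the procedure above run against a
# throwaway CA under a work dir, with -subj/-batch so nothing prompts. Both keys
# use -nodes for the demo; a real CA key should stay encrypted and off the server.
set -eu
write_cnf() {  # $1 = CA dir, $2 = cnf path; CA_default mirrors the page's section
  cat > "$2" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_anything
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
}

init_ca_dir() {  # $1 = CA dir: the mkdir / serial / index.txt steps from the page
  mkdir -p "$1/certs" "$1/crl" "$1/newcerts" "$1/private" && chmod 700 "$1/private"
  [ -f "$1/serial" ] || echo "01" > "$1/serial"
  touch "$1/index.txt"
}

make_server_cert() {  # $1 = work dir, $2 = server name (used as the CN)
  ca="$1/CA"; cnf="$1/openssl.cnf"
  init_ca_dir "$ca"; write_cnf "$ca" "$cnf"
  openssl req -new -x509 -days 730 -nodes -config "$cnf" -subj "/CN=Test CA" \
    -keyout "$ca/private/cakey.pem" -out "$ca/cacert.pem"
  openssl req -new -nodes -config "$cnf" -subj "/CN=$2" \
    -keyout "$1/newkey.pem" -out "$1/newreq.pem"
  openssl ca -batch -notext -policy policy_anything -config "$cnf" \
    -out "$1/${2}cert.pem" -infiles "$1/newreq.pem"
  mv "$1/newkey.pem" "$1/${2}key.pem"
  cat "$1/${2}key.pem" "$1/${2}cert.pem" > "$1/$2.pem"  # united file for IMAP/Apache
  chmod 600 "$1/${2}key.pem" "$1/$2.pem"                 # key material: owner only
  openssl verify -CAfile "$ca/cacert.pem" "$1/${2}cert.pem" >/dev/null
}
if [ $# -eq 2 ]; then make_server_cert "$1" "$2"; fi   # usage: sh mkcert.sh DIR NAME
```

The final openssl verify step is the check to add to any such procedure: a certificate that does not chain to the CA you expect is the first thing a mis-edited openssl.cnf produces.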