Today's topic: SSL Certificates
-------------------------------

markus schnalke, 2013-03-21
Updated: 2018-08-21

Steps I took:

1) Set the umask to keep the files private:

	oldmask=`umask`
	umask 377

2) Create a key:

	cd /etc/ssl
	openssl genrsa -out private/priv.key 4096

3) Create a certificate signing request (CSR):

	openssl req -new -subj /CN=marmaro.de -key private/priv.key >my-csr/cert.csr

   I created one CSR/certificate for each domain on the server and one
   wildcard CSR/certificate for all subdomains of each domain. I couldn't
   get subjectAltName or SNI working.

4) Verify the CSR:

	openssl req -noout -text -in my-csr/cert.csr

   Verify the certificate and the combined PEM file:

	openssl x509 -noout -text -in my-certs/cert.crt
	openssl x509 -noout -text -in marmaro.de.pem

   This combined PEM file is what most daemons need. Note that it
   contains the private key and thus must be kept private.

8) Reset the umask:

	umask $oldmask

9) Configure your daemons

   Qpsmtpd:

   I needed to adjust the `tls' directive in /etc/qpsmtpd/plugins to:

	tls /etc/ssl/star.marmaro.de.cacert \
	    /etc/ssl/priv.key /etc/ssl/cacert-class3.crt

   First the certificate, then the private key, then the CAcert Class 3
   certificate, because it's a chained certificate. Ensure the files are
   readable by qpsmtpd. Restart the daemon and check the logs.

   Lighttpd:

	$SERVER["socket"] == ":443" {
		ssl.engine = "enable"
		ssl.pemfile = "/etc/ssl/marmaro.de.pem"
		ssl.ca-file = "/etc/ssl/cacert-class3.crt"
	}
	$HTTP["host"] =~ "\.marmaro\.de$" {
		ssl.pemfile = "/etc/ssl/star.marmaro.de.pem"
	}

   The first part enables SSL on port 443 and defines the default
   certificate and the chain file. (The PEM file includes the certificate
   and the private key.) The second part defines a different certificate
   for the subdomains. Further such parts are added for further domains
   and their subdomains. Ensure the files are readable by lighttpd.
   Restart the daemon and check the logs.

   UW IMAP:

	( umask 377; cd /etc/ssl
	  cat star.marmaro.de.pem priv.key cacert-class3.crt \
	      >/etc/ssl/certs/imapd.pem )

   Ensure the files are readable by the relevant user.
   Restart imapd if necessary and check the logs (mail.log).

Finally: Install an at job to remind you to exchange the certificates
before they expire:

	at now + 50 weeks
	mail -s "renew SSL certs" meillo
	Please renew the SSL certificates.
	^D

Actually this is not necessary, as CAcert sends renewal reminders.

To update:

- Renew certificates on cacert.org
- Copy new certs into /etc/ssl/my-certs/*
- Run script update-certs (self-written)

Useful Literature:

http://www.lwithers.me.uk/articles/cacert.html
http://blog.leo34.net/2007/06/ssl-mit-cacert-und-lighttpd/
http://redmine.lighttpd.net/projects/1/wiki/Docs_SSL
http://www2.tblein.eu/posts/Installation_of_a_CAcert_certificate_for_lighttpd/
http://wiki.cacert.org/FAQ/subjectAltName
http://wiki.cacert.org/VhostTaskForce
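Steps 1 to 4 and 8 from the list above, as one shell function that restores the umask even when openssl fails and verifies the CSR (signature and CN) before it goes to the CA. This is an added example, not a script from the note; it assumes POSIX sh and an openssl binary, a directory argument laid out like the note's /etc/ssl (the private/ and my-csr/ subdirectories are created if missing), and the function name make_key_and_csr, its CN argument and its optional key-size argument are my own.

```shell
#!/bin/sh
# Added example (not from the original note): key + CSR generation with the
# umask handled like steps 1 and 8, followed by the step-4 verification.
# Assumptions: POSIX sh, an openssl binary, DIR laid out like /etc/ssl.

# make_key_and_csr DIR CN [BITS]
# Creates DIR/private/priv.key (mode 0400) and DIR/my-csr/cert.csr for CN.
# Returns 0 only if the CSR's self-signature verifies and it names CN.
make_key_and_csr() {
    dir=$1; cn=$2; bits=${3:-4096}
    mkdir -p "$dir/private" "$dir/my-csr" || return 1

    oldmask=$(umask)
    umask 377                       # step 1: new files are owner-read only
    # step 2 (progress dots on stderr are silenced)
    openssl genrsa -out "$dir/private/priv.key" "$bits" 2>/dev/null
    rc=$?
    if [ $rc -eq 0 ]; then
        # step 3
        openssl req -new -subj "/CN=$cn" -key "$dir/private/priv.key" \
            -out "$dir/my-csr/cert.csr" 2>/dev/null
        rc=$?
    fi
    umask "$oldmask"                # step 8, reached on failure as well
    [ $rc -eq 0 ] || return 1

    # step 4: the CSR must parse and verify, and carry the intended CN
    openssl req -in "$dir/my-csr/cert.csr" -noout -verify >/dev/null 2>&1 \
        || return 1
    openssl req -in "$dir/my-csr/cert.csr" -noout -subject \
        | grep -q "CN *= *$cn"
}

# Usage: sh make-csr.sh /etc/ssl marmaro.de [4096]
if [ $# -ge 2 ]; then
    make_key_and_csr "$1" "$2" "${3:-4096}" \
        && echo "CSR ready: $1/my-csr/cert.csr"
fi
```

The subject check matches both the older `subject=/CN=...` and the newer `subject=CN = ...` output formats of `openssl req -subject`, so the function behaves the same across OpenSSL versions.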
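The daemon sections above all come down to the same two points: the combined PEM file must not be readable by anyone but the daemon's user, and its parts must be in the order the note uses (certificate, then private key, then chain). The following checks are an added example, not part of the note; the names pem_layout_ok and pem_expiry_ok are mine. pem_layout_ok needs only grep and ls and can be run against a file such as /etc/ssl/marmaro.de.pem or /etc/ssl/certs/imapd.pem before restarting a daemon; pem_expiry_ok needs openssl and replaces the fixed 50-week at job with a check against the certificate's real expiry date.

```shell
#!/bin/sh
# Added example (not from the original note): sanity checks for a combined
# PEM file before a daemon is pointed at it.
# Assumptions: POSIX sh, grep, ls; openssl only for pem_expiry_ok.

# pem_layout_ok FILE
# Returns 0 if FILE is not group/world readable, holds exactly one private
# key block and at least one certificate block, and the first certificate
# comes before the key (the order the note's daemon configs use).
pem_layout_ok() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }

    # characters 5-10 of `ls -l` are the group and other bits;
    # a file created under umask 377 shows "------" here
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] \
        || { echo "$f: readable by group/other ($perms)" >&2; return 1; }

    keys=$(grep -c 'BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c 'BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] \
        || { echo "$f: expected 1 private key block, found $keys" >&2; return 1; }
    [ "$certs" -ge 1 ] \
        || { echo "$f: no certificate block" >&2; return 1; }

    # line numbers of the first certificate and of the key
    cert_line=$(grep -n 'BEGIN CERTIFICATE-----' "$f" | head -n1 | cut -d: -f1)
    key_line=$(grep -n 'BEGIN .*PRIVATE KEY-----' "$f" | head -n1 | cut -d: -f1)
    [ "$cert_line" -lt "$key_line" ] \
        || { echo "$f: private key precedes certificate" >&2; return 1; }
    return 0
}

# pem_expiry_ok FILE [DAYS]
# Returns 0 if the first certificate in FILE is still valid DAYS days from
# now (default 30). Suited to a daily cron job instead of a fixed reminder.
pem_expiry_ok() {
    f=$1; days=${2:-30}
    openssl x509 -in "$f" -noout -checkend $((days * 86400))
}

# Usage: sh check-pem.sh /etc/ssl/marmaro.de.pem /etc/ssl/certs/imapd.pem
if [ $# -ge 1 ]; then
    for f in "$@"; do
        pem_layout_ok "$f" && echo "$f: layout ok"
        if command -v openssl >/dev/null 2>&1; then
            pem_expiry_ok "$f" 30 && echo "$f: valid for 30 more days"
        fi
    done
fi
```

`openssl x509 -checkend` exits non-zero when the certificate will have expired within the given number of seconds, which makes the cron job's exit status (or its mail) the renewal reminder.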