Today's topic: SSL Certificates
-------------------------------

markus schnalke <meillo@marmaro.de>, 2013-03-21
Updated: 2018-08-21


Steps I took:

1) Set the umask to keep the files private:

	oldmask=`umask`
	umask 377

2) Create a key:

	cd /etc/ssl

	openssl genrsa -out private/priv.key 4096

3) Create a certificate signing request (CSR):

	openssl req -new -subj /CN=marmaro.de -key private/priv.key >my-csr/cert.csr

I created one CSR/certificate for each domain on the server and one
wildcard domain CSR/certificate for all subdomains of each domain.
I couldn't get subjectAltName or SNI working.

4) Verify the CSR:

	openssl req -noout -text <my-csr/cert.csr

5) Upload the CSR on CAcert.org in order to receive a certificate

	 ----
	If you like to create a self-signed certificate instead, use:

		openssl x509 -req -days 365 -signkey priv.key <my-csr/cert.csr >my-certs/cert.crt
		openssl x509 -noout -text <my-certs/cert.cst
	 ----

6) Store the generated certificate to e.g. marmaro.de.crt

7) Create a PEM file:

	cat priv.key marmaro.de.crt >marmaro.de.pem

This combined PEM file is what most daemons need. Note that it
contains the private key and thus must be kept private.

8) Reset the umask:

	umask $oldmask

9) Configure your daemons


Qpsmtpd:

I needed to adjust the `tls' directive in /etc/qpsmtpd/plugins to:

	tls /etc/ssl/star.marmaro.de.cacert \
		/etc/ssl/priv.key /etc/ssl/cacert-class3.crt

First, the cerfiticate, then the private key, then the CAcert Class 3
certificate because it's a chained certificate.

Ensure the files are readable by qpsmptd. Restart the daemon and
check the logs.


Lighttpd:

	$SERVER["socket"] == ":443" {
		ssl.engine = "enable" 
		ssl.pemfile = "/etc/ssl/marmaro.de.pem" 
		ssl.ca-file = "/etc/ssl/cacert-class3.crt"
	}

	$HTTP["host"] =~ "\.marmaro\.de$" {
		ssl.pemfile = "/etc/ssl/star.marmaro.de.pem"
	}

The first part enables SSL on port 443 and defines the default
certificate and the chain file. (The PEM file includes the
certificate and the private key.)

the second part defines a different certificate for the
subdomains. Further such parts are added for further domains and
their subdomains.

Ensure the files are readable by lighttpd. Restart the daemon and
check the logs.


UW IMAP:

	( umask 377; cd /etc/ssl
	cat star.marmaro.de.pem priv.key cacert-class3.crt \
		>/etc/ssl/certs/imapd.pem )

Ensure the files are readable by the relevant user.
Restart imapd if necessary and check the logs (mail.log).



Finally: Install an at job to remind you to exchange the
certificates before they expire:

	at now + 50 weeks
	mail -s "renew SSL certs" meillo
	Please renew the SSL certificates.
	^D

Actually this is not necessary, as Cacert sends renewal reminders.



To update:

- Renew certificates on cacert.org
- Copy new certs into /etc/ssl/my-certs/*
- Run script update-certs (self-written)



Useful Literature:

http://www.lwithers.me.uk/articles/cacert.html
http://blog.leo34.net/2007/06/ssl-mit-cacert-und-lighttpd/
http://redmine.lighttpd.net/projects/1/wiki/Docs_SSL
http://www2.tblein.eu/posts/Installation_of_a_CAcert_certificate_for_lighttpd/
http://wiki.cacert.org/FAQ/subjectAltName
http://wiki.cacert.org/VhostTaskForce