To Howto wyjaśnia jak utworzyć własny Certyfikat Autoryzacji SSL i zabezpieczyć kilka usług (Apache, Courier, Postfix, ProFTPD).
[Thanks for the SSL-CA-Part goes to http://fra.nksteidl.de/Erinnerungen/OpenSSL.php]
Po pierwsze musisz zainstalować paczkę openssl :
apt-get install openssl
Then, the openssl config file /etc/ssl/openssl.cnf has to be edited like this (I assume, your CA name is „RootCA”… you can change this name if you want to):
Linia 32: default_ca = RootCA
Linia 35: [ RootCA ]
Linia 37: dir = /root/RootCA
Linia 41: unique_subject = no # only if you need this
Linia 70: default_md = md5
If you want to, you can change the values in the section [req_destinquished_name] to your language, which would be in german:
[ req_distinguished_name ]
countryName = Kraj (2literowy kod)
countryName_default = PL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Województwo (Nazwa województwa)
stateOrProvinceName_default = MojeWojewództwo
localityName = Miasto
localityName_default = MojeMiasto
0.organizationName = Nazwa Firmy/Organizacji
0.organizationName_default = MojaFirma
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = DziałFirmy
#organizationalUnitName_default =
commonName = Common Name (np. TWOJE imię lub DomenaSerwera.pl)
commonName_max = 64
emailAddress = Adres Email
emailAddress_max = 64
Now you have to create the directories and files you specified in the openssl.cnf:
mkdir /root/RootCA # or whatever your CA-Name / directory is
cd /root/RootCA
mkdir newcerts certs crl private
touch index.txt
# Serialnr starts with 01
echo "01" > serial
You need to install the package sharutils to be able to use the uuencode program.
cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g"\
| tail -18 | xargs | sed "s/ //g" > /root/RootCA/private/.rand
chmod 770 /root/RootCA/private/.rand
ls -alh /root/RootCA/private/.rand
Now we can create our CA certificate…
Generate the key. You should use a very strong passphrase for this key - it has to be secure for the next few years!
openssl genrsa -aes256 -out private/RootCA.key.pem -rand private/.rand 2048
Generate the certificate:
openssl req -new -x509 -days 1827 -key private/RootCA.key.pem -out RootCA.cert.pem
(-days 1827 generates a certificate which is valid for 5 years)
Check if the certificate-data is alright:
openssl x509 -in RootCA.cert.pem -text | less
Copy the certificate and the private key to the locations specified in the openssl.cnf:
cp /root/RootCA/RootCA.cert.pem /root/RootCA/cacert.pem
cp /root/RootCA/private/RootCA.key.pem /root/RootCA/private/cakey.pem
Put the certificate under the control of the CA. Therefore it has to be copied with its serialnumber as filename into the directory certs and linked there with its hash-value:
cd /root/RootCA
cp RootCA.cert.pem /root/RootCA/certs/00.pem
cd /root/RootCA/certs/
ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0
Now the CA is initialized and you can distribute its certificate. To do so, rename the .cert.pem-file as .crt-file, copy it in a place reachable via the internet and make it accessible by everybody:
cp /root/RootCA/RootCA.cert.pem /var/www/virtual/yourdomain.com/htdocs/RootCA.crt
chmod 444 /var/www/virtual/yourdomain.com/htdocs/RootCA.crt
Now it's time to import the certificate into your browser. Therefore, just surf to http://yourdomain.com/RootCA.crt
All server certificates are created the same way. They shouldn't have a passphrase because you don't want to enter this passphrase everytime you start your apache or another server. Disabling the passphrase is done by omitting the encryption-algorithm when creating the private key.
cd /root/RootCA
openssl genrsa -out server.key.pem -rand private/.rand 2048 # Generate the key
openssl req -new -key server.key.pem -out server.req.pem # Generate the certificate request
openssl ca -name RootCA -in server.req.pem -out server.cert.pem # Sign the request with your CA (you have to enter the CA-passphrase)
Move the certificate into the certs-directory and link it with its hash-value:
mv newcerts/01.pem certs/ # the certificate is named with its serialnumber - so its name is 01.pem only the first time, of course)
cd certs
ln -s 01.pem `openssl x509 -hash -noout -in 01.pem`.0
I suppose to save the originial certificate-files into a subdirectory called server:
mkdir /root/RootCA/server
mv server.*.pem server/
Generate a server certificate as described under 2.1 (choose apache.key.pem, apache.req.pem and apache.cert.pem as filenames).
cd /root/RootCA
openssl genrsa -out apache.key.pem -rand private/.rand 2048 # Generate the key
openssl req -new -key apache.key.pem -out server.req.pem # Generate the certificate request
openssl ca -name RootCA -in apache.req.pem -out apache.cert.pem # Sign the request with your CA (you have to enter the CA-passphrase)
Move the certificate into the certs-directory and link it with its hash-value:
mv newcerts/02.pem certs/ # the certificate is named with its serialnumber - so its name is 01.pem only the first time, of course)
cd certs
ln -s 02.pem `openssl x509 -hash -noout -in 02.pem`.0
I suppose to save the originial certificate-files into a subdirectory called apache:
mkdir /root/RootCA/apache
cd ..
mv apache.*.pem apache/
When generating the apache.req.pem, enter this:
Organizational Unit Name []:Apache Webserver
Common Name (eg, YOUR name) []:yourdomain.com
It is important to enter the domain name under which you want to reach ispCP, because otherwise you get a domain mismatch error when connecting via ssl.
After you've generated the certificate, change the following settings in /etc/apache2/mods-available/ssl.conf (replace 512 with 2048):
SSLRandomSeed startup /dev/urandom 2048
SSLRandomSeed connect /dev/urandom 2048
Then copy the certificate files (with secure file permissions):
cp apache.cert.pem apache.key.pem /etc/apache2/ssl
chmod 400 /etc/apache2/ssl/apache.cert.pem /etc/apache2/ssl/apache.key.pem
Tell apache to listen on the ssl-port (443) - therefore add
Listen 443
to the file /etc/apache2/ports.conf and enable mod_ssl:
a2enmod ssl
As last step you have to add a new VirtualHost, which listens on port 443 and has the SSL engine enabled:
cp /etc/apache2/sites-available/00_master.conf /etc/apache2/sites-available/01_ssl_master.conf
Change the 01_ssl_master.conf file like this:
#
# SSL Master Begin
#
<VirtualHost xxx.xxx.xxx.xxx:443>
#
# SSL Start
#
SSLEngine On
SSLCertificateFile /etc/apache2/ssl/apache.cert.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key.pem
#
# SSL End
#
ServerAdmin admin@yourdomain.com
DocumentRoot /var/www/ispcp/gui
ServerName yourdomain.com
ErrorLog /var/log/apache2/users/ssl.yourdomain.com-error.log
TransferLog /var/log/apache2/users/ssl.yourdomain.com-access.log
CustomLog /var/log/apache2/ssl.yourdomain.com-traf.log traff
CustomLog /var/log/apache2/ssl.yourdomain.com-combined.log combined
#
# ... below here, nothing has to be changed
#
</VirtualHost>
#
# SSL Master End
#
Enable the ssl site:
a2ensite 01_ssl_master.conf
Now reload the apache server:
/etc/init.d/apache2 reload
and you're done!
Open your browser and enter https://yourdomain.com and you should see the ispCP login - SSL encrypted. (By the way, phpMyAdmin and the Webmail interface are now also encrypted)
At first, you have to install the ssl-packages for courier:
apt-get install courier-imap-ssl courier-pop-ssl
Now you can generate the server certificate as described under 2.1 (choose courier.key.pem, courier.req.pem and courier.cert.pem as filenames). When generating the courier.req.pem, enter this:
Organizational Unit Name []:Courier Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com
cd /root/RootCA
openssl genrsa -out courier.key.pem -rand private/.rand 2048 # Generate the key
openssl req -new -key courier.key.pem -out server.req.pem # Generate the certificate request
openssl ca -name RootCA -in courier.req.pem -out courier.cert.pem # Sign the request with your CA (you have to enter the CA-passphrase)
Move the certificate into the certs-directory and link it with its hash-value:
mv newcerts/03.pem certs/ # the certificate is named with its serialnumber - so its name is 01.pem only the first time, of course)
cd certs
ln -s 03.pem `openssl x509 -hash -noout -in 03.pem`.0
I suppose to save the originial certificate-files into a subdirectory called courier:
mkdir /root/RootCA/courier
cd ..
mv courier.*.pem courier/
The courier server needs the cert and the key-file together in one file:
cd /root/RootCA/server
cat courier.cert.pem courier.key.pem > courier.pem
Put the Certificates under /etc/courier:
cd /etc/courier
cp /root/RootCA/courier/courier.pem .
chmod 400 courier.pem
ln -s courier.pem imapd.pem
ln -s courier.pem pop3d.pem
Now you can restart the courier-ssl servers:
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
and SSL is working for your IMAP and POP3-Server!
Generate the server certificate as described under 2.1 (choose proftpd.key.pem, proftpd.req.pem and proftpd.cert.pem as filenames). When generating the proftpd.req.pem, enter this:
Organizational Unit Name []:ProFTPD FTP-Server
Common Name (eg, YOUR name) []:ftp.yourdomain.com
cd /root/RootCA
openssl genrsa -out proftpd.key.pem -rand private/.rand 2048 # Generate the key
openssl req -new -key proftpd.key.pem -out proftpd.req.pem # Generate the certificate request
openssl ca -name RootCA -in proftpd.req.pem -out proftpd.cert.pem # Sign the request with your CA (you have to enter the CA-passphrase)
Move the certificate into the certs-directory and link it with its hash-value:
mv newcerts/04.pem certs/ # the certificate is named with its serialnumber - so its name is 01.pem only the first time, of course)
cd certs
ln -s 04.pem `openssl x509 -hash -noout -in 04.pem`.0
I suppose to save the originial certificate-files into a subdirectory called proftpd:
mkdir /root/RootCA/proftpd
cd ..
mv proftpd.*.pem proftpd/
Copy the files in /etc/proftpd:
cd /etc/proftpd
cp /root/RootCA/proftpd/proftpd.cert.pem /root/RootCA/proftpd/proftpd.key.pem .
chmod 400 proftpd.cert.pem proftpd.key.pem
Activate TLS in /etc/proftpd.conf (uncomment these lines):
#
# SSL via TLS
#
<IfModule mod_tls.c>
TLSEngine on # on for use of TLS
TLSLog /var/log/proftpd/ftp_ssl.log # where to log to
TLSProtocol SSLv23 # SSLv23 or TLSv1
TLSOptions NoCertRequest # either to request the certificate or not
TLSRSACertificateFile /etc/proftpd/proftpd.cert.pem # SSL certfile
TLSRSACertificateKeyFile /etc/proftpd/proftpd.key.pem # SSL keyfile
TLSVerifyClient off # client verification
</IfModule>
Restart ProFTPD:
/etc/init.d/proftpd restart
That's all! Now you can connect to ftp.yourdomain.com via FTP with explicit TLS/SSL.
Generate the server certificate as described under 2.1 (choose postfix.key.pem, postfix.req.pem and postfix.cert.pem as filenames). When generating the postfix.req.pem, enter this:
Organizational Unit Name []:Postfix Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com
cd /root/RootCA
openssl genrsa -out postfix.key.pem -rand private/.rand 2048 # Generate the key
openssl req -new -key postfix.key.pem -out postfix.req.pem # Generate the certificate request
openssl ca -name RootCA -in postfix.req.pem -out postfix.cert.pem # Sign the request with your CA (you have to enter the CA-passphrase)
Move the certificate into the certs-directory and link it with its hash-value:
mv newcerts/05.pem certs/ # the certificate is named with its serialnumber - so its name is 01.pem only the first time, of course)
cd certs
ln -s 05.pem `openssl x509 -hash -noout -in 05.pem`.0
I suppose to save the originial certificate-files into a subdirectory called postfix:
mkdir /root/RootCA/postfix
cd ..
mv postfix.*.pem postfix/
Copy the files in /etc/postfix:
cd /etc/postfix
cp /root/RootCA/postfix/postfix.cert.pem /root/RootCA/postfix/postfix.key.pem .
chmod 400 postfix.cert.pem postfix.key.pem
Activate TLS/SSL in /etc/postfix/main.cf (uncomment these lines):
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
Restart postfix:
/etc/init.d/postfix restart
And another one… You can now send your emails over an SSL-encrypted connection.
Now you have configured your webserver (for ispCP), your mailservers and your ftp-server to use a ssl-encrypted connection.
Don't forget to distribute the CA-Certificate (it's accessible via http://yourdomain.com/RootCA.crt, isn't it?) to the people who access your server, so that they don't have to accept each single server certificate.