Postfix/TLS - Lutz's very short course on being your own CA

This section is kept quite short as there are already a lot of pages explaining these things (e.g. [INTROCERT]). There are also projects under way to make this task easier [OPENCA], so I wont't waste your time (and mine) by writing a book about it.

Be your own CA

If you want to do relaying based on client certificates you may want to issue your own client certificates; hence you want to be your own certificate authority (CA). Of course nobody else will accept your certificates, so the damage you do is not so high (the requirements for a good "professional" CA are very high, as you should have the CA key on a private host without network for security, be strict about checking the identity of requesters etc).

Using OpenSSL it is quite simple to become your own CA. Just run

CA.pl -newca

and you are done. Just make sure, that you select a useful CN (Common Name)! By just using your name, you might create a lot of confusion, as the CA certificate for "Lutz Jaenicke" looks quite the same as the personal client certificate for "Lutz Jaenicke" (I can tell you). Of course you can further improve this private CA by editing the openssl.cnf file, especially the comment.

If you want the full comfort of being your own CA, you must import your CA certificate to Netscape. Unfortunately Netscape does not offer an explicit function to perform this task (unlike for client certificates). If you have an http-server available (and I think you do), you can add the loadCAcert.pl script to your cgi-bin directory. If you call it from Netscape (or Internet Explorer), you can load the certificate! (Taken from [6])

Create your site certificate

Ok, you now must create a site certificate for your postfix server. As your clients will use it for verification, it must contain the name of your host as common name (CN): host.in.domain.

You want your postfix system to start up boot time without trouble? Then your server private key must not be encrypted. So when you create the key you must add the -nodes option in CA.pl to the line with the -newcert and/or -newreq command:

*** CA.pl	Wed Mar 24 10:30:38 1999
--- CA1.pl	Sat Mar 27 19:36:47 1999
***************
*** 56,67 ****
  	    exit 0;
  	} elsif (/^-newcert$/) {
  	    # create a certificate
! 	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Certificate (and private key) is in newreq.pem\n"
  	} elsif (/^-newreq$/) {
  	    # create a certificate request
! 	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Request (and private key) is in newreq.pem\n";
  	} elsif (/^-newca$/) {
--- 56,67 ----
  	    exit 0;
  	} elsif (/^-newcert$/) {
  	    # create a certificate
! 	    system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Certificate (and private key) is in newreq.pem\n"
  	} elsif (/^-newreq$/) {
  	    # create a certificate request
! 	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
  	    $RET=$?;
  	    print "Request (and private key) is in newreq.pem\n";
  	} elsif (/^-newca$/) {

For sslwrap or stunnel the authors propose to use self signed certs created with -newcert. I rather propose to create an ordinary certificate request with

CA.pl -newreq

and then sign it with your CA:

CA.pl -sign

Now you can install the cert from cacert.pem to /etc/postfix/CAcert.pem, the created certificate from newcert.pem to /etc/postfix/cert.pem and the key part form newreq.pem to /etc/postfix/key.pem. Please be aware, that the key.pem is not protected by password, so you have to protect it by file access privileges. As the information is read before smtpd changes to chroot jail, it still has root privileges, so you should

chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem

Create a client certificate

Creating a client certificate is as easy as a site certificate. At least, if you are doing it as a CA. First you create and sign a pair of key and certificate. Be sure to add the correct common name (CN) for the client:

CA.pl -newreq
CA.pl -sign

If you want to do client certificate based relaying, you do need the fingerprint of the certificate, which can be obtained with

openssl x509 -fingerprint -in newcert.pem

Now this certificate must be imported into netscape. Therefore the data you just created must be converted to a ".p12" file in PKCS#12 format. You do need the pkcs12 utility [PKCS12], which is included in the OpenSSL package as of version 0.9.3. The necessary command is:

pkcs12 -export -in newcert.pem -inkey newreq.pem \
  -certfile /usr/local/ssl/CAcert.pem -name "Name" -out newcert.p12

Of course your filenames may vary. Please take special care to supply a good name to your certificate. First: The name will be listed every time when a client certificate is to be send by netcape. As a person may have several certificates, the name might include a hint on the CA (e.g. "Lutz Jaenicke (Lutz CA)"). If you want to have a lot of fun, you can just omit the name. Netscape will happily import the certificate, but you won't see it in the list of user certificates. And as you don't see it, you cannot select it. And as Netscape will not overwrite it, if you offer the same (corrected) certificate with a name, you want to delete it, but as you cannot select it, you cannot delete it. You got the point?