Using OpenSSL it is quite simple to become your own CA. Just run CA.pl -newca and you are done. Just make sure that you select a useful CN (Common Name)! By just using your name, you might create a lot of confusion, as the CA certificate for "Lutz Jaenicke" looks quite the same as the personal client certificate for "Lutz Jaenicke" (I can tell you). Of course you can further improve this private CA by editing the openssl.cnf file, especially the comment.
If you want the full comfort of being your own CA, you must import your CA certificate into Netscape. Unfortunately Netscape does not offer an explicit function to perform this task (unlike for client certificates). If you have an http server available (and I think you do), you can add the loadCAcert.pl script to your cgi-bin directory. If you call it from Netscape (or Internet Explorer), you can load the certificate! (Taken from [6])
You want your postfix system to start up at boot time without trouble? Then your server private key must not be encrypted. So when you create the key you must add the -nodes option in CA.pl to the line with the -newcert and/or -newreq command:
*** CA.pl Wed Mar 24 10:30:38 1999 --- CA1.pl Sat Mar 27 19:36:47 1999 *************** *** 56,67 **** exit 0; } elsif (/^-newcert$/) { # create a certificate ! system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Certificate (and private key) is in newreq.pem\n" } elsif (/^-newreq$/) { # create a certificate request ! system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Request (and private key) is in newreq.pem\n"; } elsif (/^-newca$/) { --- 56,67 ---- exit 0; } elsif (/^-newcert$/) { # create a certificate ! system ("$REQ -new -x509 -nodes -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Certificate (and private key) is in newreq.pem\n" } elsif (/^-newreq$/) { # create a certificate request ! system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS"); $RET=$?; print "Request (and private key) is in newreq.pem\n"; } elsif (/^-newca$/) {

For sslwrap or stunnel the authors propose to use self-signed certs created with -newcert. I rather propose to create an ordinary certificate request with

CA.pl -newreq

and then sign it with your CA:

CA.pl -sign

Now you can install the cert from cacert.pem to /etc/postfix/CAcert.pem, the created certificate from newcert.pem to /etc/postfix/cert.pem and the key part from newreq.pem to /etc/postfix/key.pem. Please be aware that key.pem is not protected by a password, so you have to protect it by file access privileges. As the information is read before smtpd changes to the chroot jail, it still has root privileges, so you should

chown root /etc/postfix/key.pem ; chmod 400 /etc/postfix/key.pem
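Review bot: adding -nodes to the system calls in both the -newcert and -newreq branches of the CA.pl hunk above writes the private key into newreq.pem unencrypted, but the hunk sets no file mode on newreq.pem, so the key is readable by whoever the default umask allows from the moment it is created until the chown/chmod step is done by hand. Set a restrictive umask (umask 077) in the script before these system calls, or chmod newreq.pem directly after them, so the unencrypted key is never exposed in between.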
If you want to do client certificate based relaying, you do need the fingerprint of the certificate, which can be obtained with

openssl x509 -fingerprint -in newcert.pem

Now this certificate must be imported into Netscape. Therefore the data you just created must be converted to a ".p12" file in PKCS#12 format. You do need the pkcs12 utility [PKCS12], which is included in the OpenSSL package as of version 0.9.3. The necessary command is:

pkcs12 -export -in newcert.pem -inkey newreq.pem \
    -certfile /usr/local/ssl/CAcert.pem -name "Name" -out newcert.p12

Of course your filenames may vary. Please take special care to supply a good name for your certificate. First: the name will be listed every time a client certificate is to be sent by Netscape. As a person may have several certificates, the name might include a hint on the CA (e.g. "Lutz Jaenicke (Lutz CA)"). If you want to have a lot of fun, you can just omit the name. Netscape will happily import the certificate, but you won't see it in the list of user certificates. And as you don't see it, you cannot select it. And as Netscape will not overwrite it if you offer the same (corrected) certificate with a name, you want to delete it, but as you cannot select it, you cannot delete it. You got the point?
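The whole procedure above (private CA, unencrypted server key and request, signing, fingerprint, PKCS#12 export with a descriptive name, key protected by file mode) as one added example that is not from this page: it uses plain openssl(1) commands instead of CA.pl so it needs no CA section in openssl.cnf, and the subjects, file names, scratch directory and the "openssl x509 -req" signing shortcut in place of CA.pl -sign are assumptions.

```sh
#!/bin/sh
# Added example (not from the page): the private-CA steps above done with
# plain openssl(1) commands, so no CA section in openssl.cnf is required.
# Subjects, file names and the x509 -req signing shortcut are assumptions.
set -e

# Create the CA, then an unencrypted (-nodes) server key plus request, and
# sign the request (the equivalent of CA.pl -newca / -newreq / -sign).
make_private_ca() {
    dir=$1
    mkdir -p "$dir"
    (umask 077   # key files unreadable by others from the moment they exist
     openssl req -new -x509 -nodes -newkey rsa:2048 -days 365 \
         -subj "/CN=Example Private CA" \
         -keyout "$dir/CAkey.pem" -out "$dir/CAcert.pem" 2>/dev/null
     openssl req -new -nodes -newkey rsa:2048 \
         -subj "/CN=mail.example.test" \
         -keyout "$dir/key.pem" -out "$dir/newreq.pem" 2>/dev/null)
    openssl x509 -req -days 365 -in "$dir/newreq.pem" \
        -CA "$dir/CAcert.pem" -CAkey "$dir/CAkey.pem" -CAcreateserial \
        -out "$dir/cert.pem" 2>/dev/null
    chmod 400 "$dir/key.pem"   # as for /etc/postfix/key.pem above
}

# Fingerprint for certificate-based relaying, without the "Fingerprint=" label.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -in "$1" | sed 's/^[^=]*=//'
}

# Bundle cert, key and CA cert into a PKCS#12 file with a descriptive name,
# so the client lists it as "host (CA)" rather than as a nameless entry.
export_p12() {
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -certfile "$1/CAcert.pem" -name "mail.example.test (Example Private CA)" \
        -passout pass:changeit -out "$1/newcert.p12"
}

# Checks: the certificate chains to the CA; the key file is not encrypted.
cert_verifies() { openssl verify -CAfile "$1/CAcert.pem" "$1/cert.pem" >/dev/null 2>&1; }
key_is_unencrypted() { ! grep -q ENCRYPTED "$1/key.pem"; }
key_mode() { stat -c %a "$1/key.pem" 2>/dev/null || stat -f %Lp "$1/key.pem"; }
```

Run it as `make_private_ca /tmp/pki && export_p12 /tmp/pki` and copy cert.pem, key.pem and CAcert.pem to the /etc/postfix locations named above.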