Linux/OpenSSL

Aus VivaLV
Zur Navigation springen Zur Suche springen

Self-signed Zertifikat

Quelle

http://christopher.wojno.com/articles/2008/11/04/going-ssl-with-your-own-root-ca und http://christopher.wojno.com/articles/2008/11/08/creating-your-own-apache-ssl-certificate-signed-by-your-root-ca

Vorbereitung

mkdir /root/ca
chmod 700 /root/ca
cd /root/ca
mkdir certs
chmod 700 certs
mkdir private
chmod 700 private

Root/CA-Zertifikat erstellen

cd /root/ca
openssl genrsa -out private/cakey.pem -des3 2048
openssl req -new -x509 -key private/cakey.pem -out certs/cacert.crt -days 3600

Im Common Name (CN) Feld keine Domäne eingeben, sondern z.B. <MeinName> CA Root.

echo "01" > serial.srl
chmod 0660 serial.srl

Server-Zertifikat erstellen (z.B. für Apache, Postfix, IMAP)

cd /root/ca
openssl genrsa -out www.pem 2048
openssl req -new -sha1 -out www.csr -key www.pem

Im Common Name (CN) Feld die Domäne eingeben.

openssl x509 -req -days 3659 -in www.csr -CA certs/cacert.crt -CAkey private/cakey.pem -CAserial serial.srl -out www.crt

Server-Zertifikat in Apache einbinden

cd /root/ca
cp certs/cacert.crt /etc/apache2/ssl/
chmod 600 /etc/apache2/ssl/cacert.crt
cp www.crt /etc/apache2/ssl/
chmod 600 /etc/apache2/ssl/www.crt
cp www.pem /etc/apache2/ssl/
chmod 600 /etc/apache2/ssl/www.pem

/etc/apache2/vhosts.d/00_default_ssl_vhost.conf:

SSLCertificateFile /etc/apache2/ssl/www.crt
SSLCertificateKeyFile /etc/apache2/ssl/www.pem
SSLCertificateChainFile /etc/apache2/ssl/cacert.crt

Server-Zertifikat in Postfix einbinden

cd /root/ca
cp certs/cacert.crt /etc/postfix/
chmod 600 /etc/postfix/cacert.crt
cp www.crt /etc/postfix/
chmod 600 /etc/postfix/www.crt
cp www.pem /etc/postfix/
chmod 600 /etc/postfix/www.pem

/etc/postfix/main.cf:

smtpd_tls_key_file = /etc/postfix/www.pem
smtpd_tls_cert_file = /etc/postfix/www.crt
smtpd_tls_CAfile = /etc/postfix/cacert.crt

Server-Zertifikat in uw-imap einbinden

cd /root/ca
cat www.pem >/etc/ssl/certs/imapd.pem
cat www.crt >>/etc/ssl/certs/imapd.pem
chmod 600 /etc/ssl/certs/imapd.pem