Step 1: Create the Certificate Signing Request (CSR)

openssl req -nodes -newkey rsa:2048 -keyout mysite.com.key -out mysite.com.csr

The command will prompt for the fields below. Answer all of them except for the last two (challenge password and optional company name). If you do set a challenge password, each program that uses the certificate will also need to have the challenge password configured in its own settings for the certificate to work.

Generating a 2048 bit RSA private key
.............................................+++
..............................................................................+++
writing new private key to 'mysite.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<COUNTRY CODE>
State or Province Name (full name) [Some-State]:<STATE>
Locality Name (eg, city) []:<CITY>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<COMPANY NAME>
Organizational Unit Name (eg, section) []:<DEPARTMENT>
Common Name (eg, YOUR name) []:<FQDN OF TARGET HOST>
Email Address []:<YOUR E-MAIL ADDRESS>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Step 2: Generate the Certificates

Once the Certificate Signing Request (CSR) has been created, submit it through your SSL provider’s certificate creation process.

Once the provider has generated the certificate, place the certificate (.crt) and intermediate certificate (.crt) files into your certificate folder, and place the key (.key) file into your SSL key folder. Make sure that Apache, Postfix, and Dovecot can read the certificate and key files, without making the key readable by other users.

Step 3: Configure the Applications

For the following, assume that:

  • our certificate provider is GeoTrust
  • our certificate folder is /etc/ssl/certs/
  • our key folder is /etc/ssl/private/

For Apache, open httpd.conf, change the following values and save, then restart Apache:

SSLCertificateFile /etc/ssl/certs/geotrust-mysite.com.crt
SSLCertificateKeyFile /etc/ssl/private/mysite.com.key
SSLCACertificateFile /etc/ssl/certs/geotrust-intermediate.crt

For Dovecot, open dovecot.conf, change the following values and save, then restart Dovecot:

ssl_cert_file = /etc/ssl/certs/geotrust-mysite.com.crt
ssl_key_file = /etc/ssl/private/mysite.com.key
ssl_ca_file = /etc/ssl/certs/geotrust-intermediate.crt

For Postfix, open main.cf, change the following values and save, then restart Postfix:

smtpd_tls_cert_file = /etc/ssl/certs/geotrust-mysite.com.crt
smtpd_tls_key_file = /etc/ssl/private/mysite.com.key
smtpd_tls_CAfile = /etc/ssl/certs/geotrust-intermediate.crt
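Before restarting the three services with the settings above, it is worth confirming that the files from Steps 1 and 2 belong together. The script below is an added example, not part of the original post; it assumes OpenSSL 1.0.2 or newer on the server and takes the certificate, intermediate, key and FQDN as arguments (the paths in its usage comment are the post's example paths).

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the files from Steps 1
# and 2 before pointing Apache, Dovecot and Postfix at them.
# Usage: sh check-tls-files.sh CERT INTERMEDIATE KEY FQDN (paths as in the post), e.g.
#   sh check-tls-files.sh /etc/ssl/certs/geotrust-mysite.com.crt \
#      /etc/ssl/certs/geotrust-intermediate.crt /etc/ssl/private/mysite.com.key mysite.com

# The leaf certificate and the private key must carry the same RSA modulus;
# a mismatched pair makes each service fail at startup or at the handshake.
key_matches_cert() {  # $1 = cert, $2 = key
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$cert_mod" = "$key_mod" ]
}

# The intermediate must actually have signed the leaf. -partial_chain (OpenSSL
# 1.0.2+) lets the intermediate act as trust anchor, so the check works even
# when the provider's root is not in the local trust store.
intermediate_signed_cert() {  # $1 = cert, $2 = intermediate
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# The subject CN should be the FQDN entered as Common Name in Step 1.
cert_has_cn() {  # $1 = cert, $2 = expected FQDN
    cn=$(openssl x509 -noout -subject -in "$1" 2>/dev/null |
         sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    [ "$cn" = "$2" ]
}

# Only root and the service accounts should be able to read the key, so the
# "other" read bit (column 8 of ls -l) must be clear.
key_is_private() {  # $1 = key
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

report() {  # $1 = description, remaining args = check to run
    desc=$1; shift
    if "$@"; then echo "ok    $desc"; else echo "FAIL  $desc"; status=1; fi
}

check_all() {  # $1 = cert, $2 = intermediate, $3 = key, $4 = FQDN
    status=0
    report "private key matches certificate"        key_matches_cert "$1" "$3"
    report "intermediate is the certificate issuer" intermediate_signed_cert "$1" "$2"
    report "certificate CN is $4"                   cert_has_cn "$1" "$4"
    report "key file is not world-readable"         key_is_private "$3"
    return $status
}

if [ "$#" -eq 4 ]; then check_all "$@"; fi
```

The script exits non-zero if any check fails, so it can be run from a deployment script before the service restarts.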
