Re: [exim] SSL Certificates and EXIM

Top Page
Delete this message
Reply to this message
Author: Giuliano Gavazzi
Date:  
To: Brent Clark, Exim-Users (E-mail)
CC: 
Subject: Re: [exim] SSL Certificates and EXIM
This is what I sent about a year ago to someone else. I am not
totally sure the attached scripts are the same, let me know if it all
works (a note for myself: these are the scripts in the Projects
Security folder).
Note that if you can make your CA trusted (this depends on your OS)
on the client machine, most clients should be happy.
Note, certain groups (wheel, admin) might just be a MacOSX feature,
use the appropriate ones for your OS.

Giuliano

>
>ok. the most difficult part is creating the CA. I did it long time
>ago following these instructions. Do all this in a directory you
>will use for your signing. Protect this directory as it contains
>sensitive data.
>
>The directory structure is:
>
>drwx------  20 root  admin   680 Dec  8  2002 ca.db.certs
>drwxr-x---   2 root  admin    68 Dec  8  2002 crl
>drwx------   4 root  admin   136 Dec  8  2002 private

>
>How can I create and use my own Certificate Authority (CA)? [L]
>
>The short answer is to use the CA.sh script provided by OpenSSL. The
>long and manual answer is this:
>
>1.    Create a RSA private key for your CA (will be Triple-DES 
>encrypted and PEM formatted):

>
>$ openssl genrsa -des3 -out ca.key 1024
>
>Please backup this ca.key file and remember the pass-phrase you
>currently entered at a secure location. You can see the details of
>this RSA private key via the command
>
>$ openssl rsa -noout -text -in ca.key
>
>And you can create a decrypted PEM version (not recommended) of this
>private key via:
>
>$ openssl rsa -in ca.key -out ca.key.unsecure
>
>2.    Create a self-signed CA Certificate (X509 structure) for the 
>RSA key of the CA (output will be PEM formatted):

>
>$ openssl req -new -x509 -days 365 -key ca.key -out ca.crt
>
>You can see the details of this Certificate via the command:
>
>$ openssl x509 -noout -text -in ca.crt
>
>3.    Prepare a script for signing which is needed because the 
>``openssl ca'' command has some strange requirements and the default 
>OpenSSL config doesn't allow one easily to use ``openssl ca'' 
>directly. So a script named sign.sh is distributed with the mod_ssl 
>distribution (subdir pkg.contrib/). Use this script for signing.

>
>4.    Now you can use this CA to sign CSR's in order to create real 
>SSL Certificates for use inside an Apache webserver:

>
>$ ./sign.sh server.csr
>
>This signs the CSR and results in a server.crt file.


^^^ this signing is done as explained below.

>
>
>Ignore the signing here as I now list the instructions I use, also I
>have attached the sign.sh script that must be in the directory you
>use for signing (and have more rx for root).
>
>Here is how I generate the certificate for the mailserver (that I
>put in /etc/mail/certs/cert.pem indeed I have
>tls_certificate = /etc/mail/certs/cert.pem
>in my exim conf.):
>
>REMEMBER THAT THE CN (common name) OF THE CERTIFICATE MUST BE THE
>SAME AS YOU SERVER FULLY QUALIFIED HOST NAME
>
>openssl genrsa -des3 -out smtp.server.hostname.key 1024
>
>openssl req -new -days 729 -key smtp.server.hostname.key -out
>smtp.server.hostname.csr
>
>./sign.sh smtp.server.hostname.csr
>
>cp smtp.server.hostname.key smtp.server.hostname.key.org
>
>openssl rsa -in smtp.server.hostname.key.org -out smtp.server.hostname.key
>
>chmod 400 smtp.server.hostname.key
>
>cat smtp.server.hostname.key smtp.server.hostname.crt >
>/etc/mail/certs/cert.pem
>
>chmod 400 /etc/mail/certs/cert.pem
>
>chown smmsp:wheel /etc/mail/certs/cert.pem
>
>THESE STEPS ARE HERE JUST FOR REFERENCE.
>Finally, to create PKCS#12 certificates/key pairs one can
>concatenate crt and key and then apply:
>
>openssl pkcs12 -export -in foo.crt -out foo.pk12
>
>
>And from PEM to DER:
>
>openssl x509 -in cert.pem -out cert.der -outform DER
>
>
>I hope all the above will work for you.
>
>Giuliano
>--
>H U M P H
>    || |||
>  software

>
>Java & C++ Server/Client/Human Interface applications on MacOS - MacOS X
>http://www.humph.com/