Certificate Authority
Generate certificate and key files using e.g. one of the following:
trusting your Certificate Authority
Ensure there is only one CA certificate in the file you got from your CA. Normally there is, but occasionally several are stored in the same file. Count the certificates with the command below; if the answer is more than one, see the section on multiple certificates in one file:
station7:/etc/ssl/certs # cat ca_cert.pem | grep -E 'BEGIN.* CERTIFICATE' | wc -l
1
Once the certificate is in PEM format and you know there is only one certificate in the file, you need to verify it. First, obtain the fingerprint of the CA from a trusted source (I can't stress this one enough: a fingerprint taken from the same download you are checking proves nothing). Then calculate the fingerprint of the certificate you downloaded and make sure the two are the same. The example below prints an MD5 fingerprint, which is what older OpenSSL versions printed by default; MD5 is collision-prone, so ask the CA for a SHA-256 fingerprint and have OpenSSL print that one (the -sha256 option of openssl x509). To find the fingerprint, use:
station7:/etc/ssl/certs # openssl x509 -noout -fingerprint -in ca_cert.pem
MD5 Fingerprint=C2:CA:AA:5B:99:84:A1:13:8F:D6:3D:3C:B5:22:08:38
Assuming they match (if they don't, you've either done something wrong, or it's time to start panicking), we can install the certificate. Do this as root (and now is a good time to check that you need to be root: only root should have write access, but the certs directory needs to be world readable). Copy your CA certificate to <ssl-base-dir>certs/ and find out its hash. OpenSSL looks certificates up by a hash of their subject name, a 32-bit value printed as 8 hex digits. Calculate it with:
station7:/etc/ssl/certs # openssl x509 -noout -hash -in ca_cert.pem
552fe697
In order for OpenSSL to find the certificate, it must be reachable under that hash. Normally you create a symbolic link from the hash value to the file with the meaningful CA name, rather than renaming the certificate. Use a symbolic link (a hard link works too, but with symbolic links it is easier to see which hash belongs to which certificate name). The link name is the hash value above plus ".0"; the suffix is a counter, so a second CA whose subject happens to hash to the same value gets ".1". If you forget the ".0", OpenSSL won't find the certificate and you'll get lots of errors. Two caveats: the subject hash algorithm changed in OpenSSL 1.0.0 (the old value is still available as -subject_hash_old), so links made with one version may need regenerating for another; and c_rehash (openssl rehash on newer versions) creates the links for a whole directory in one go.
station7:/etc/ssl/certs # ln -s ca_cert.pem `openssl x509 -hash -noout -in ca_cert.pem`.0
station7:/etc/ssl/certs # ll
lrwxrwxrwx 1 root  root    11 Jul 13 17:57 552fe697.0 -> ca_cert.pem
-rw------- 1 cyrus mail  2862 Jul 12 11:58 ca_cert.pem
Testing
Now test the installation. Ideally, use a certificate that has been signed by the newly installed CA; failing that, you can verify the CA certificate itself, but this won't always make all the possible errors show up. Run:
station7:/etc/ssl/certs # openssl verify -CApath /etc/ssl/certs ca_cert.pem
ca_cert.pem: OK
station7:/etc/ssl/certs # openssl verify
-----BEGIN CERTIFICATE-----
[...snipped...]
-----END CERTIFICATE-----
stdin: OK
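The whole procedure above (count the certificates in the file, compare the fingerprint with the value obtained out of band, create the hash link, verify against the CApath) as checked shell functions. This is an added example, not code from the original page; the demo builds a throwaway self-signed CA in a temporary directory instead of touching /etc/ssl/certs, and the CA name, paths and the SHA-256 comparison (instead of the page's MD5) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original page: the CA-installation steps as checked
# shell functions. The demo at the bottom builds a throwaway self-signed CA in a
# temp directory; names and paths are assumptions of this example.
set -e

# Number of PEM certificate blocks in a file (grep -c exits 1 on zero matches,
# hence the || true so the printed "0" survives under set -e).
count_certs() {
    grep -cE 'BEGIN.* CERTIFICATE' "$1" || true
}

# SHA-256 fingerprint as colon-separated hex, without the "Fingerprint=" prefix.
# The page shows MD5, which older OpenSSL printed by default; MD5 is collision-prone,
# so compare the SHA-256 value with the one the CA publishes.
fingerprint_sha256() {
    openssl x509 -noout -sha256 -fingerprint -in "$1" | sed 's/^.*=//'
}

# Subject-name hash that OpenSSL uses to look certificates up in a CApath directory.
subject_hash() {
    openssl x509 -noout -hash -in "$1"
}

# install_ca <pem> <capath> <expected-sha256-fingerprint>
# Refuses to install unless the file holds exactly one certificate and its
# fingerprint matches the value obtained from the CA through a trusted channel.
# Prints the path of the hash link it created.
install_ca() {
    pem=$1; capath=$2; expected=$3
    n=$(count_certs "$pem")
    if [ "${n:-0}" -ne 1 ]; then
        echo "expected exactly one certificate in $pem, found ${n:-0}" >&2
        return 1
    fi
    actual=$(fingerprint_sha256 "$pem")
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch: got $actual, expected $expected" >&2
        return 1
    fi
    name=$(basename "$pem")
    cp "$pem" "$capath/$name"
    chmod 644 "$capath/$name"            # certificates are public; only root writes
    h=$(subject_hash "$pem")
    i=0                                   # .0, .1, ... for CAs whose subject hashes collide
    while [ -e "$capath/$h.$i" ]; do i=$((i + 1)); done
    ln -s "$name" "$capath/$h.$i"
    echo "$capath/$h.$i"
}

# verify_with_capath <capath> <cert>: prints OK or FAIL. Parses the "<file>: OK"
# line instead of trusting the exit status, which old openssl releases got wrong.
verify_with_capath() {
    if openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    work=$(mktemp -d)
    mkdir "$work/certs"
    # Constructed test data: a self-signed CA certificate and its key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$work/ca_key.pem" -out "$work/ca_cert.pem" >/dev/null 2>&1
    # In real life the expected fingerprint comes from the CA out of band, never
    # from the file you are about to trust; the demo has no other source.
    expected=$(fingerprint_sha256 "$work/ca_cert.pem")
    link=$(install_ca "$work/ca_cert.pem" "$work/certs" "$expected")
    echo "installed $link"
    echo "with hash link:    $(verify_with_capath "$work/certs" "$work/ca_cert.pem")"
    echo "without hash link: $(verify_with_capath "$work" "$work/ca_cert.pem")"
    rm -rf "$work"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not installed" >&2; fi
```

The second verify in the demo points OpenSSL at a directory that contains the certificate but no hash link, which reproduces the "forgot the .0" failure the text warns about: the file is there, but OpenSSL cannot find it by subject hash and the verification fails.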
using certificates
Originally I thought I could use the same certificate and key files for Transport Layer Security (TLS) with OpenLDAP, Cyrus imapd and Postfix smtpd, but that failed.
The certificates and keys in /etc/ssl/ are owned by root, and that made slapd fail: /etc/sysconfig/openldap runs the server as user ldap and group ldap, which cannot read root's key files:
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a user, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_USER="ldap"
## Type: string
## Default: ldap
## ServiceRestart: ldap
#
# specifies a group, as which the openldap server should be executed
# Default: ldap
#
OPENLDAP_GROUP="ldap"
With Cyrus, Postfix and Apache2 I got similar issues, because for OpenLDAP the files need to be owned by ldap:ldap, for Cyrus by cyrus:mail, for Postfix by postfix:postfix and for Apache by wwwrun:www.
So I created a new group, SSL-users, and put the following users into it:
- apache2
- cyrus
- ldap
- postfix
Afterwards run:
chgrp -R SSL-users /etc/ssl/
chmod 755 /etc/ssl/certs/
chmod 644 /etc/ssl/certs/*
chmod 770 /etc/ssl/private/
chmod 660 /etc/ssl/private/*
Two things to keep in mind. Certificates are public, so 755/644 is enough for /etc/ssl/certs/; making the directory and files group-writable (775/664) would let every service account in SSL-users replace the CA certificates, which contradicts the rule above that only root writes there. And every private key in /etc/ssl/private/ is now readable by every service in the group, so a compromise of any one of them (say the web server) exposes the keys of all the others. If that matters to you, give each service its own key, owned by its own user with mode 600, instead of sharing one through a group.
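A check to run after the chgrp/chmod steps above, added here as an example and not part of the original page: keys in a group-shared private directory must not be readable by "other", and nothing in it should belong to any group but the shared one. The directory and group are parameters; the demo works in a temporary directory with the caller's own group rather than in /etc/ssl/private, and the key file names are made up.

```shell
#!/bin/sh
# Added example, not from the original page: audit a group-shared private key
# directory for world-readable files and wrong group ownership.

# Files under <dir> with the other-read bit set (octal 004).
world_readable() {
    find "$1" -type f -perm -004
}

# Entries under <dir> not owned by group <group>.
wrong_group() {
    find "$1" ! -group "$2"
}

# audit_private_dir <dir> <group>: returns 0 when clean, 1 when anything is
# world-readable or in the wrong group; findings are printed to stderr.
audit_private_dir() {
    dir=$1; group=$2; rc=0
    bad=$(world_readable "$dir")
    if [ -n "$bad" ]; then
        printf 'world-readable:\n%s\n' "$bad" >&2; rc=1
    fi
    bad=$(wrong_group "$dir" "$group")
    if [ -n "$bad" ]; then
        printf 'not in group %s:\n%s\n' "$group" "$bad" >&2; rc=1
    fi
    return $rc
}

demo() {
    d=$(mktemp -d)
    group=$(id -gn)
    # Constructed test data: two dummy key files, one left world-readable by mistake.
    printf 'not a real key\n' > "$d/slapd.key"; chmod 644 "$d/slapd.key"
    printf 'not a real key\n' > "$d/imapd.key"; chmod 660 "$d/imapd.key"
    chmod 770 "$d"
    if audit_private_dir "$d" "$group"; then echo "clean"; else echo "problems found"; fi
    chmod 660 "$d/slapd.key"
    if audit_private_dir "$d" "$group"; then echo "clean after fix"; else echo "still bad"; fi
    rm -rf "$d"
}

demo
```

On the real system run audit_private_dir /etc/ssl/private SSL-users as root after the chmod/chgrp, and again after any package update that reinstalls files there, since updates tend to restore the packaged ownership and mode.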