OpenBSD SSL/TLS

From WTFwiki
Jump to navigation Jump to search

I always forget the order of the commands to create a new set ssl keys for a postfix server, so here it is.

In the following commands, replace “mail.domain.tld” with the host name of your own server.

First generate a private key for the server (supply the key with a password, and don’t forget it!):

openssl genrsa -des3 -out mail.domain.tld.key 2048

    mail:~/ssl# openssl genrsa -des3 -rand /etc/hosts -out mail.domain.tld.key 2048
    266 semi-random bytes loaded
    Generating RSA private key, 2048 bit long modulus
    ……………….+++
    ……+++
    e is 65537 (0x10001)
    Enter pass phrase for mail.domain.tld.key: <- Enter a password
    Verifying – Enter pass phrase for mail.domain.tld.key: <- Enter your password

Then you create a certificate request:

openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr

    mail:~/ssl# openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
    Enter pass phrase for mail.domain.tld.key: <- Enter your password
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ‘.’, the field will be left blank.
    —–
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:mail.domain.tld
    Email Address []:

    Please enter the following ‘extra’ attributes
    to be sent with your certificate request
    A challenge password []: <- Leave empty
    An optional company name []:

Create a self signed key:

openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt

    mail:~/ssl# openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
    Signature ok
    subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.domain.tld
    Getting Private key
    Enter pass phrase for mail.domain.tld.key: <- Enter your password

Now remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix):

openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
mv mail.domain.tld.key.nopass mail.domain.tld.key

    mail:~/ssl# openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
    Enter pass phrase for mail.domain.tld.key: <- Enter your password
    writing RSA key
    mail:~/ssl# mv mail.domain.tld.key.nopass mail.domain.tld.key

Make ourself a trusted CA:

openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

    mail:~/ssl# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
    Generating a 1024 bit RSA private key
    ..++++++
    …………………………….++++++
    writing new private key to ‘cakey.pem’
    Enter PEM pass phrase: <- Enter a password
    Verifying – Enter PEM pass phrase: <- Enter your password
    —–
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter ‘.’, the field will be left blank.
    —–
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:mail.domain.tld
    Email Address []:

Now we have made ourselves a new set of keys. Last thing to do is copy the files to a proper location and tell postfix to use the new keyfiles. Copy the files into a proper location:

chmod 600 mail.domain.tld.key chmod 600 cakey.pem mv mail.domain.tld.key /etc/ssl/private/ mv mail.domain.tld.crt /etc/ssl/certs/ mv cakey.pem /etc/ssl/private/ mv cacert.pem /etc/ssl/certs/

Tell Postfix where the keys are and use TLS:

postconf -e 'smtpd_use_tls = yes' postconf -e 'smtpd_tls_auth_only = no' postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key' postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt' postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' postconf -e 'tls_random_source = dev:/dev/urandom' postconf -e 'myhostname = mail.domain.tld'

Now restart postfix, cross your fingers and don’t blame me! :)


The short story:

openssl genrsa -des3 -out mail.domain.tld.key 2048
chmod 600 mail.domain.tld.key
openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
mv mail.domain.tld.key.nopass mail.domain.tld.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 mail.domain.tld.key
chmod 600 cakey.pem
mv mail.domain.tld.key /etc/ssl/private/
mv mail.domain.tld.crt /etc/ssl/certs/
mv cakey.pem /etc/ssl/private/
mv cacert.pem /etc/ssl/certs/
postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key'
postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt'
postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'
postconf -e 'myhostname = mail.example.com'