Difference between revisions of "OpenBSD SSL/TLS"
Jump to navigation
Jump to search
(Created page with "I always forget the order of the commands to create a new set ssl keys for a postfix server, so here it is. For the Google-eyed visitors: The short version is at the botto...") |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
I always forget the order of the commands to create a new set ssl keys for a postfix server, so here it is. | I always forget the order of the commands to create a new set ssl keys for a postfix server, so here it is. | ||
| − | |||
| − | |||
| − | |||
| − | |||
In the following commands, replace “mail.domain.tld” with the host name of your own server. | In the following commands, replace “mail.domain.tld” with the host name of your own server. | ||
First generate a private key for the server (supply the key with a password, and don’t forget it!): | First generate a private key for the server (supply the key with a password, and don’t forget it!): | ||
| − | + | <pre> | |
openssl genrsa -des3 -out mail.domain.tld.key 2048 | openssl genrsa -des3 -out mail.domain.tld.key 2048 | ||
| Line 19: | Line 15: | ||
Enter pass phrase for mail.domain.tld.key: <- Enter a password | Enter pass phrase for mail.domain.tld.key: <- Enter a password | ||
Verifying – Enter pass phrase for mail.domain.tld.key: <- Enter your password | Verifying – Enter pass phrase for mail.domain.tld.key: <- Enter your password | ||
| + | </pre> | ||
Then you create a certificate request: | Then you create a certificate request: | ||
| − | + | <pre> | |
openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr | openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr | ||
| Line 45: | Line 42: | ||
A challenge password []: <- Leave empty | A challenge password []: <- Leave empty | ||
An optional company name []: | An optional company name []: | ||
| + | </pre> | ||
Create a self signed key: | Create a self signed key: | ||
| − | + | <pre> | |
openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt | openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt | ||
| Line 55: | Line 53: | ||
Getting Private key | Getting Private key | ||
Enter pass phrase for mail.domain.tld.key: <- Enter your password | Enter pass phrase for mail.domain.tld.key: <- Enter your password | ||
| + | </pre> | ||
Now remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix): | Now remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix): | ||
| − | + | <pre> | |
openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass | openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass | ||
mv mail.domain.tld.key.nopass mail.domain.tld.key | mv mail.domain.tld.key.nopass mail.domain.tld.key | ||
| Line 65: | Line 64: | ||
writing RSA key | writing RSA key | ||
mail:~/ssl# mv mail.domain.tld.key.nopass mail.domain.tld.key | mail:~/ssl# mv mail.domain.tld.key.nopass mail.domain.tld.key | ||
| − | + | </pre> | |
Make ourself a trusted CA: | Make ourself a trusted CA: | ||
| − | + | <pre> | |
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 | openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 | ||
| Line 92: | Line 91: | ||
Common Name (eg, YOUR name) []:mail.domain.tld | Common Name (eg, YOUR name) []:mail.domain.tld | ||
Email Address []: | Email Address []: | ||
| + | </pre> | ||
Now we have made ourselves a new set of keys. | Now we have made ourselves a new set of keys. | ||
| Line 120: | Line 120: | ||
The short story: | The short story: | ||
| + | <pre> | ||
openssl genrsa -des3 -out mail.domain.tld.key 2048 | openssl genrsa -des3 -out mail.domain.tld.key 2048 | ||
chmod 600 mail.domain.tld.key | chmod 600 mail.domain.tld.key | ||
| Line 145: | Line 146: | ||
postconf -e 'tls_random_source = dev:/dev/urandom' | postconf -e 'tls_random_source = dev:/dev/urandom' | ||
postconf -e 'myhostname = mail.example.com' | postconf -e 'myhostname = mail.example.com' | ||
| + | |||
| + | </pre> | ||
Latest revision as of 12:33, 28 August 2019
I always forget the order of the commands to create a new set ssl keys for a postfix server, so here it is.
In the following commands, replace “mail.domain.tld” with the host name of your own server.
First generate a private key for the server (supply the key with a password, and don’t forget it!):
openssl genrsa -des3 -out mail.domain.tld.key 2048
mail:~/ssl# openssl genrsa -des3 -rand /etc/hosts -out mail.domain.tld.key 2048
266 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
……………….+++
……+++
e is 65537 (0x10001)
Enter pass phrase for mail.domain.tld.key: <- Enter a password
Verifying – Enter pass phrase for mail.domain.tld.key: <- Enter your password
Then you create a certificate request:
openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
mail:~/ssl# openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr
Enter pass phrase for mail.domain.tld.key: <- Enter your password
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mail.domain.tld
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: <- Leave empty
An optional company name []:
Create a self signed key:
openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
mail:~/ssl# openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt
Signature ok
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=mail.domain.tld
Getting Private key
Enter pass phrase for mail.domain.tld.key: <- Enter your password
Now remove the password from the private certificate (we do this, so we don’t have to enter a password when you restart postfix):
openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
mv mail.domain.tld.key.nopass mail.domain.tld.key
mail:~/ssl# openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass
Enter pass phrase for mail.domain.tld.key: <- Enter your password
writing RSA key
mail:~/ssl# mv mail.domain.tld.key.nopass mail.domain.tld.key
Make ourself a trusted CA:
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
mail:~/ssl# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 1024 bit RSA private key
..++++++
…………………………….++++++
writing new private key to ‘cakey.pem’
Enter PEM pass phrase: <- Enter a password
Verifying – Enter PEM pass phrase: <- Enter your password
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mail.domain.tld
Email Address []:
Now we have made ourselves a new set of keys. Last thing to do is copy the files to a proper location and tell postfix to use the new keyfiles. Copy the files into a proper location:
chmod 600 mail.domain.tld.key chmod 600 cakey.pem mv mail.domain.tld.key /etc/ssl/private/ mv mail.domain.tld.crt /etc/ssl/certs/ mv cakey.pem /etc/ssl/private/ mv cacert.pem /etc/ssl/certs/
Tell Postfix where the keys are and use TLS:
postconf -e 'smtpd_use_tls = yes' postconf -e 'smtpd_tls_auth_only = no' postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key' postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt' postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' postconf -e 'tls_random_source = dev:/dev/urandom' postconf -e 'myhostname = mail.domain.tld'
Now restart postfix, cross your fingers and don’t blame me! :)
The short story:
openssl genrsa -des3 -out mail.domain.tld.key 2048 chmod 600 mail.domain.tld.key openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass mv mail.domain.tld.key.nopass mail.domain.tld.key openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 chmod 600 mail.domain.tld.key chmod 600 cakey.pem mv mail.domain.tld.key /etc/ssl/private/ mv mail.domain.tld.crt /etc/ssl/certs/ mv cakey.pem /etc/ssl/private/ mv cacert.pem /etc/ssl/certs/ postconf -e 'smtpd_tls_auth_only = no' postconf -e 'smtp_use_tls = yes' postconf -e 'smtpd_use_tls = yes' postconf -e 'smtp_tls_note_starttls_offer = yes' postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key' postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt' postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' postconf -e 'smtpd_tls_loglevel = 1' postconf -e 'smtpd_tls_received_header = yes' postconf -e 'smtpd_tls_session_cache_timeout = 3600s' postconf -e 'tls_random_source = dev:/dev/urandom' postconf -e 'myhostname = mail.example.com'