1

-----

11.6.4. Generating a New Key and Certificate

In order to generate a new key and certificate pair, you must to have the crypto-utils package installed in your system. You can install it by typing the following at a shell prompt:

~]# yum install crypto-utils

This package provides a set of tools to generate and manage SSL certificates and private keys, and includes genkey, the Red Hat Keypair Generation utility that will guide you through the key generation process.

Important: Replacing an Existing Certificate

If the server already has a valid certificate and you are replacing it with a new one, specify a different serial number. This ensures that client browsers are notified of this change, update to this new certificate as expected, and do not fail to access the page. To create a new certificate with a custom serial number, use the following command instead of genkey:

~]# openssl req -x509 -new -set_serial number -key hostname.key -out hostname.crt

Note: Remove a Previously Created Key

If there already is a key file for a particular hostname in your system, genkey will refuse to start. In this case, remove the existing file using the following command:

~]# rm /etc/pki/tls/private/hostname.key

To run the utility, use the genkey command followed by the appropriate hostname (for example,penguin.example.com):

~]# genkey hostname

To complete the key and certificate creation, take the following steps:

• 1. Review the target locations in which the key and certificate will be stored.

• • • 1. Figure 11.1. Running the genkey utility

• • 1. Use the Tab key to select the Next button, and press Enter to proceed to the next screen.

• 1. Using the Up and down arrow keys, select the suitable key size. Note that while the large key increases the security, it also increases the response time of your server. Because of this, the recommended option is1024 bits.

• • • 1. Figure 11.2. Selecting the key size

• • 1. Once finished, use the Tab key to select the Next button, and press Enter to initiate the random bits generation process. Depending on the selected key size, this may take some time.

• 1. Decide whether you wish to send a certificate request to a certificate authority.

• • • 1. Figure 11.3. Generating a certificate request

• • 1. Use the Tab key to select Yes to compose a certificate request, or No to generate a self-signed certificate. Then press Enter to confirm your choice.

• 1. Using the Spacebar key, enable ([*]) or disable ([ ]) the encryption of the private key.

• • • 1. Figure 11.4. Encrypting the private key

• • 1. Use the Tab key to select the Next button, and press Enter to proceed to the next screen.

• 1. If you have enabled the private key encryption, enter an adequate passphrase. Note that for security reasons, it is not displayed as you type, and it must be at least five characters long.

• • • 1. Figure 11.5. Entering a passphrase

• • 1. Use the Tab key to select the Next button, and press Enter to proceed to the next screen.

       1. Important: Do Not Forget the Passphrase

          1. Entering the correct passphrase is required in order for the server to start. If you lose it, you will need to generate a new key and certificate.

• 1. Customize the certificate details.

• • • 1. Figure 11.6. Specifying certificate information

• • 1. Use the Tab key to select the Next button, and press Enter to finish the key generation.

• 1. If you have previously enabled the certificate request generation, you will be prompted to send it to a certificate authority.

• • • 1. Figure 11.7. Instructions on how to send a certificate request

• • 1. Press Enter to return to a shell prompt.

Once generated, add the key and certificate locations to the /etc/httpd/conf.d/ssl.conf configuration file:

SSLCertificateFile /etc/pki/tls/certs/hostname.crt SSLCertificateKeyFile /etc/pki/tls/private/hostname.key

Finally, restart the httpd service as described in Section 11.2.3, “Restarting the Service”, so that the updated configuration is loaded.

SSL/TLS Certificate

yum -y install crypto-utils

generate certificate and key for your domain, follow the prompts:

genkey --days 365 mail.worldcm.net

It will put the keys where we need them in:

/etc/pki/tls/certs/mail.worldcm.net.crt

/etc/pki/tls/private/mail.worldcm.net.key

Postfix and Dovecot Configuration

Edit Postfix configuration file to use SASL and TLS:

#vi /etc/postfix/main.cf

smtpd_sasl_type = dovecot

smtpd_sasl_path = private/auth

smtpd_sasl_auth_enable = yes

smtpd_sasl_security_options = noanonymous

smtpd_sasl_tls_security_options = $smtpd_sasl_security_options

smtpd_tls_auth_only = yes

smtpd_sasl_local_domain = mail.worldcm.net

smtpd_tls_security_level = may

#allow SASL authenticated users to send mail

smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination

smtpd_tls_key_file = /etc/pki/tls/private/mail.worldcm.net.key

smtpd_tls_cert_file = /etc/pki/tls/certs/mail.worldcm.net.crt

smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache

tls_random_source = dev:/dev/urandom

#service postfix reload

#vi /etc/dovecot/conf.d/10-ssl.conf

ssl = yes

ssl_cert = </etc/pki/tls/certs/mail.worldcm.net.crt

ssl_key = </etc/pki/tls/private/mail.worldcm.net.key

ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL

#service dovecot reload

----