11.6.4. Generating a New Key and Certificate
In order to generate a new key and certificate pair, you must have the crypto-utils package installed on your system. You can install it by typing the following at a shell prompt:
~]# yum install crypto-utils
This package provides a set of tools to generate and manage SSL certificates and private keys, and includes genkey, the Red Hat Keypair Generation utility, which guides you through the key generation process.
Important: Replacing an Existing Certificate
If the server already has a valid certificate and you are replacing it with a new one, specify a different serial number. This ensures that client browsers recognize the change, pick up the new certificate as expected, and do not fail to access the page. To create a new certificate with a custom serial number, use the following command instead of genkey:
~]# openssl req -x509 -new -set_serial number -key hostname.key -out hostname.crt
Note: Remove a Previously Created Key
If there already is a key file for a particular hostname in your system, genkey will refuse to start. In this case, remove the existing file using the following command:
~]# rm /etc/pki/tls/private/hostname.key
To run the utility, use the genkey command followed by the appropriate hostname (for example, penguin.example.com):
~]# genkey hostname
To complete the key and certificate creation, take the following steps:
1. Review the target locations in which the key and certificate will be stored.
   Figure 11.1. Running the genkey utility
   Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
2. Using the Up and Down arrow keys, select a suitable key size. Note that while a larger key increases security, it also increases the response time of your server. Because of this, the recommended option is 1024 bits.
   Figure 11.2. Selecting the key size
   Once finished, use the Tab key to select the Next button, and press Enter to initiate the random bits generation process. Depending on the selected key size, this may take some time.
3. Decide whether you wish to send a certificate request to a certificate authority.
   Figure 11.3. Generating a certificate request
   Use the Tab key to select Yes to compose a certificate request, or No to generate a self-signed certificate. Then press Enter to confirm your choice.
4. Using the Spacebar, enable ([*]) or disable ([ ]) encryption of the private key.
   Figure 11.4. Encrypting the private key
   Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
5. If you have enabled private key encryption, enter an adequate passphrase. Note that for security reasons it is not displayed as you type, and it must be at least five characters long.
   Figure 11.5. Entering a passphrase
   Use the Tab key to select the Next button, and press Enter to proceed to the next screen.
   Important: Do Not Forget the Passphrase
   The correct passphrase is required for the server to start. If you lose it, you will need to generate a new key and certificate.
6. Customize the certificate details.
   Figure 11.6. Specifying certificate information
   Use the Tab key to select the Next button, and press Enter to finish the key generation.
7. If you previously enabled certificate request generation, you will be prompted to send the request to a certificate authority.
   Figure 11.7. Instructions on how to send a certificate request
   Press Enter to return to a shell prompt.
Once generated, add the key and certificate locations to the /etc/httpd/conf.d/ssl.conf configuration file:
SSLCertificateFile /etc/pki/tls/certs/hostname.crt
SSLCertificateKeyFile /etc/pki/tls/private/hostname.key
Finally, restart the httpd service as described in Section 11.2.3, “Restarting the Service”, so that the updated configuration is loaded.
SSL/TLS Certificate
yum -y install crypto-utils
Generate a certificate and key for your domain, following the prompts:
genkey --days 365 mail.worldcm.net
genkey puts the certificate and key where Postfix and Dovecot will look for them:
/etc/pki/tls/certs/mail.worldcm.net.crt
/etc/pki/tls/private/mail.worldcm.net.key
Postfix and Dovecot Configuration
Edit the Postfix configuration file to use SASL and TLS:
#vi /etc/postfix/main.cf
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_sasl_local_domain = mail.worldcm.net
smtpd_tls_security_level = may
#allow SASL authenticated users to send mail
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_tls_key_file = /etc/pki/tls/private/mail.worldcm.net.key
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.worldcm.net.crt
smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
tls_random_source = dev:/dev/urandom
#service postfix reload
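The main.cf fragment above relies on three things working together: STARTTLS being offered, AUTH only being accepted on the encrypted connection, and relaying being denied to anyone who is neither local nor authenticated. The following added example (not part of Postfix or of this guide) parses a constructed copy of the fragment, expands `$parameter` references the way Postfix does, and reports which of those guarantees a given fragment breaks; the DEFAULTS table holds Postfix's documented built-in values so that a parameter left out of main.cf is judged by what Postfix would actually use.

```python
import re
# Constructed copy of the SASL/TLS lines from this page's main.cf (not a live config).
MAIN_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_tls_auth_only = yes
smtpd_tls_security_level = may
#allow SASL authenticated users to send mail
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
"""

# Postfix built-in defaults for the checked parameters: a name absent from main.cf takes these.
DEFAULTS = {
    "smtpd_tls_security_level": "",
    "smtpd_tls_auth_only": "no",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
    "smtpd_relay_restrictions": "permit_mynetworks permit_sasl_authenticated defer_unauth_destination",
}

def parse_main_cf(text):
    """Read 'name = value' lines over DEFAULTS, skip comments, expand $name/${name} like Postfix."""
    params = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    def expand(value, depth=0):
        if depth > 10:  # guard against a = $b, b = $a reference loops
            raise ValueError("$parameter reference loop")
        return re.sub(r"\$\{?(\w+)\}?", lambda m: expand(params.get(m.group(1), ""), depth + 1), value)

    return {name: expand(value) for name, value in params.items()}

def check_sasl_tls(params):
    """Findings for what the fragment must guarantee: STARTTLS offered, no plaintext AUTH, no open relay."""
    relay = set(params["smtpd_relay_restrictions"].split())
    sasl_opts = [set(re.split(r"[,\s]+", params[o]))
                 for o in ("smtpd_sasl_security_options", "smtpd_sasl_tls_security_options")]
    checks = [
        (params["smtpd_tls_security_level"] in ("", "none"), "smtpd_tls_security_level: STARTTLS is not offered"),
        (params["smtpd_tls_auth_only"] != "yes", "smtpd_tls_auth_only: AUTH accepted before STARTTLS (plaintext passwords)"),
        (not all("noanonymous" in s for s in sasl_opts), "smtpd_sasl_*_security_options: anonymous SASL mechanisms allowed"),
        (not relay & {"reject_unauth_destination", "defer_unauth_destination"}, "smtpd_relay_restrictions: unauthenticated relaying allowed (open relay)"),
    ]
    return [msg for bad, msg in checks if bad]
```

Running `check_sasl_tls(parse_main_cf(open("/etc/postfix/main.cf").read()))` on a real server gives the same report for the live file; `postconf -n` output has the same `name = value` shape and can be fed in instead.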
#vi /etc/dovecot/conf.d/10-ssl.conf
ssl = yes
ssl_cert = </etc/pki/tls/certs/mail.worldcm.net.crt
ssl_key = </etc/pki/tls/private/mail.worldcm.net.key
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL
#service dovecot reload