Updating CAcert.org X.509 certificates for CentOS
My SSL/TLS certificate has expired so I need to request a new one and I'm summing here all the process.
As my current configuration is more or less a mess, I'm starting from the very begining but I assume you are registered at CAcert.org and you are able to request server certificates for your verified domains. I'll use my tormento.olea.org
server as the hostname example.
Private Key and Certificate Signing Request Generator
This script was designed to suit the request format needed by
the CAcert Certificate Authority. www.CAcert.org
Short Hostname (ie. imap big_srv www2): tormento
FQDN/CommonName (ie. www.example.com) : tormento.olea.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:olea.org
SubjectAltName: DNS:www.olea.org
SubjectAltName: DNS:olea.es
SubjectAltName: DNS:www.olea.es
SubjectAltName: DNS:ismael.olea.org
SubjectAltName: DNS:
Running OpenSSL...
Generating a 2048 bit RSA private key
.............+++
................................................................................................+++
writing new private key to '/root/tormento_privatekey.pem'
-----
Copy the following Certificate Request and paste into CAcert website to obtain a Certificate.
When you receive your certificate, you 'should' name it something like tormento_server.pem
-----BEGIN CERTIFICATE REQUEST-----
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblahblahblahblahblahblah
blahblahblahblahblahblahblahblahblahblahblah
-----END CERTIFICATE REQUEST-----
The Certificate request is also available in /root/tormento_csr.pem
The Private Key is stored in /root/tormento_privatekey.pem
Note: I found the genkey
tool (from the crypto-utils
package) takes a lot of more time to generate a same key lenght. Probably due to some kind design goal. I think you could use genkey
to generate the key and the csr
script for the multi-dns CSR request.
Then I move files to correct systems places:
mv /root/tormento_privatekey.pem /etc/pki/tls/private/tormento.olea.org.key.pem
Then I ask for a certification at CAcert website. CAcert recomends to select a Class 3 root certificate.
Cut and paste the certificate from the browser into the system:
You can check the certificate is correct using openssl. And you'll receive an email from CAcert reporting about the new certificate.
Then you can configure your applications to use the new crypto key and certificate.
applications:
These are the applications I've configured for my needs. You have other configuration examples at CAcert website.
postfix
smtpd_tls_key_file = /etc/pki/tls/private/tormento.olea.org.key.pem
smtpd_tls_cert_file = /etc/pki/tls/certs/tormento.olea.org.crt.pem
smtpd_tls_CAfile = /etc/pki/tls/certs/CAcert_chain.pem
smtp_use_tls = yes
smtp_tls_key_file = /etc/pki/tls/private/tormento.olea.org.key.pem
smtp_tls_cert_file = /etc/pki/tls/certs/tormento.olea.org.crt.pem
smtp_tls_CAfile = /etc/pki/tls/certs/CAcert_chain.pem
ejabberd
Create a key + certificate file:# cat /etc/pki/tls/certs/tormento.olea.org.crt.pem >> /etc/pki/ejabberd/certs/ejabberd.pem
# chown -R ejabberd.ejabberd /etc/pki/ejabberd/
# chmod a-rw,u+r -R /etc/pki/ejabberd/
dovecot
# cp /etc/pki/tls/certs/tormento.olea.org.crt.pem /etc/pki/dovecot/certs/dovecot.pem
apache
Common things you would need to do with your certificates and keys:
Export public key:
Print human readable key data:
Print human readable certificate contents:
Other info of interest
I've not studied it yet but probably it's worth to read the Fedora developments on managing system crypto keys and signatures:
PD: Added info for dovecot.