Step 1: Create the Certificate Signing Request (CSR)
openssl req -nodes -newkey rsa:2048 -keyout mysite.com.key -out mysite.com.csr
It will prompt for the following fields. Answer all of them except the last two (the challenge password and the optional company name). If you do set a challenge password, each program that uses the certificate will also need the challenge password configured in its own settings for the certificate to work.
Generating a 2048 bit RSA private key
.............................................+++
..............................................................................+++
writing new private key to 'mysite.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<COUNTRY CODE>
State or Province Name (full name) [Some-State]:<STATE>
Locality Name (eg, city) []:<CITY>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<COMPANY NAME>
Organizational Unit Name (eg, section) []:<DEPARTMENT>
Common Name (eg, YOUR name) []:<FQDN OF TARGET HOST>
Email Address []:<YOUR E-MAIL ADDRESS>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 2: Generate the Certificates
Once the Certificate Signing Request (CSR) has been created, submit it through your SSL provider’s certificate creation process.
Once the provider has generated the certificate, place the certificate (.crt) and intermediate certificate (.crt) files into your certificates folder. Place the key (.key) file into your SSL key folder. Make sure that Apache, Postfix, and Dovecot can read the certificate and key files.
Step 3: Configure the Applications
For the following, assume that:
- our certificate provider is GeoTrust
- our certificate folder is /etc/ssl/certs/
- our key folder is /etc/ssl/private/
For Apache, open httpd.conf, change the following values and save, then restart Apache:
SSLCertificateFile /etc/ssl/certs/geotrust-mysite.com.crt
SSLCertificateKeyFile /etc/ssl/private/mysite.com.key
SSLCACertificateFile /etc/ssl/certs/geotrust-intermediate.crt
For Dovecot, open dovecot.conf, change the following values and save, then restart Dovecot:
ssl_cert_file = /etc/ssl/certs/geotrust-mysite.com.crt
ssl_key_file = /etc/ssl/private/mysite.com.key
ssl_ca_file = /etc/ssl/certs/geotrust-intermediate.crt
For Postfix, open main.cf, change the following values and save, then restart Postfix:
smtpd_tls_cert_file = /etc/ssl/certs/geotrust-mysite.com.crt
smtpd_tls_key_file = /etc/ssl/private/mysite.com.key
smtpd_tls_CAfile = /etc/ssl/certs/geotrust-intermediate.crt
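The script below is an added example, not part of the original article. It runs Step 1 non-interactively and then performs the checks worth doing on the files from Step 2 before the three services in Step 3 are pointed at them: the private key matches the issued certificate, the certificate chains through the intermediate, the certificate's subject alternative name covers the host, and the key file is not readable by other users. The host name, DN values and the $WORK directory are constructed; because no real provider is reachable offline, fake_provider_sign builds a throwaway root and intermediate CA that stand in for GeoTrust and write the same two files (geotrust-intermediate.crt and geotrust-mysite.com.crt) Step 2 expects. In a real deployment you would skip that function and run the checks against the provider's files.

```shell
#!/bin/sh
# Added example (not from the article). Automates Step 1 and checks the files
# from Step 2. HOST, the DN and WORK are constructed; fake_provider_sign is a
# local stand-in for the certificate provider so the script runs offline.
set -eu

HOST="mysite.com"
WORK="${WORK:-$(mktemp -d)}"

# Step 1, non-interactive: the article's command with the DN passed via -subj
# and a subjectAltName added, since clients match SANs rather than the CN alone.
make_csr() {
  openssl req -nodes -newkey rsa:2048 \
    -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
    -subj "/C=US/ST=Some-State/L=City/O=Example Co/OU=IT/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST,DNS:www.$HOST" 2>/dev/null
  # Services get read access through group ownership; never make the key world-readable.
  chmod 600 "$WORK/$HOST.key"
}

# The CSR's self-signature must verify and its CN must be the intended host.
check_csr() {
  openssl req -in "$WORK/$HOST.csr" -noout -verify >/dev/null 2>&1 &&
  openssl req -in "$WORK/$HOST.csr" -noout -subject | grep -q "CN *= *$HOST"
}

# Constructed stand-in for the provider: a throwaway root signs an intermediate,
# which signs our CSR. Produces the two .crt files Step 2 would hand back.
fake_provider_sign() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -nodes -newkey rsa:2048 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  openssl req -nodes -newkey rsa:2048 -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 3650 -extfile "$WORK/ca.ext" \
    -out "$WORK/geotrust-intermediate.crt" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s,DNS:www.%s\n' "$HOST" "$HOST" \
    > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/$HOST.csr" -CA "$WORK/geotrust-intermediate.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -days 365 -extfile "$WORK/leaf.ext" \
    -out "$WORK/geotrust-$HOST.crt" 2>/dev/null
}

# Check 1: the key from Step 1 must be the one the certificate was issued for.
# Compare a hash of the public key derived from each file.
cert_matches_key() {
  k=$(openssl pkey -in "$WORK/$HOST.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/geotrust-$HOST.crt" -noout -pubkey | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the certificate must chain through the intermediate to a trusted root.
# A missing or wrong intermediate file is the usual cause of client TLS errors.
chain_verifies() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/geotrust-intermediate.crt" \
    "$WORK/geotrust-$HOST.crt" >/dev/null 2>&1
}

# Check 3: the SAN list must contain the name clients will connect to.
cert_covers_host() {
  openssl x509 -in "$WORK/geotrust-$HOST.crt" -noout -text | grep -q "DNS:$HOST"
}

# Check 4: the key file mode is 600 (GNU stat first, BSD stat as fallback).
key_is_private() {
  mode=$(stat -c %a "$WORK/$HOST.key" 2>/dev/null || stat -f %Lp "$WORK/$HOST.key")
  [ "$mode" = "600" ]
}

main() {
  make_csr && check_csr && fake_provider_sign
  for check in cert_matches_key chain_verifies cert_covers_host key_is_private; do
    if "$check"; then echo "ok   $check"; else echo "FAIL $check"; fi
  done
}
main
```

After the services have been restarted with the Step 3 settings, the same chain check can be repeated from a client with openssl s_client -connect mysite.com:443 -servername mysite.com for Apache, and with -starttls smtp (port 25) or -starttls imap (port 143) for Postfix and Dovecot; a "Verify return code: 0 (ok)" line confirms the intermediate is being served.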