Running a service on the Internet that offers SSL- or TLS-encrypted connections (for example HTTPS, POP3S, IMAPS, LDAPS or SMTP with TLS) requires a server certificate, which must first be signed by a Certification Authority (CA).
A server certificate signed by an officially recognised body is not free; annual fees of several hundred euros are usual.
Alternatively, you can set up your own CA under Linux and create and sign certificates yourself. This takes only a few minutes and is what this article shows.
The only difference from a certificate signed by a commercial CA is that the client (mail program, browser, etc.) warns that it does not know the CA. The user has to confirm this once and can then accept the certificate.
Certificate creation requires the openssl package, which can be installed with
aptitude -y install openssl
mkdir /etc/ssl-cacert/
mkdir /etc/ssl-cacert/apache/
mkdir /etc/ssl-cacert/lighttpd/
mkdir /etc/ssl-cacert/mail/
mkdir /etc/ssl-cacert/proftpd/
mkdir /etc/ssl-cacert/ldap/
If you have several certificates to create, it makes sense to put the data that always stays the same in a file and pass that file to openssl with the -config path option.
vi /etc/ssl/openssl.cnf
RANDFILE = $ENV::HOME/.rnd
# ...
[ req ]
default_bits = 2048
default_keyfile = keyfile.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
prompt = no          # take all values from this file instead of asking
output_password =    # leave empty
[ req_distinguished_name ]
C = DE
ST = STATE
L = CITY
O = ANYTHING
OU = ANYTHING
CN = DOMAIN.TLD      # very important: the server's fully qualified domain name
emailAddress = webmaster@DOMAIN.TLD
[ req_attributes ]
challengePassword =  # leave empty (no input)
First, a private key is generated. The SSL certificate is valid only together with this exact key. If the private key is lost, the certificate becomes unusable, because the server needs this key to complete the TLS handshake. The private key cannot be derived from the certificate or otherwise recovered, so keep a backup of it in a secure place.
The private key can additionally be protected with a password, but then the web server cannot be started in SSL mode without entering this password.
The key length should be 2048 or 4096 bits.
# openssl genrsa -out /etc/ssl/certs/apache_server.key 4096
Alternatively, if you prefer an encrypted private key and accept that Apache will ask for the passphrase at startup:
# openssl genrsa -des3 -out /etc/ssl/certs/apache_server.key 4096
The CSR (certificate signing request) contains the company information, domain name, e-mail address, etc. This file is sent to the certification authority to obtain the certificate (CRT). Alternatively, a self-signed CRT can be generated from the CSR.
The signature hash algorithm matters: SHA-256 must be used here. The old default of SHA-1 is no longer considered secure.
The desired domain name goes into the field "Common Name (eg, server FQDN)". Otherwise the SSL certificate does not work in the Apache server, because the server cannot match the certificate to the requested host name.
State and city are usually required for an official certificate. Fields that are not needed can be left blank by entering a "." or skipped with RETURN. In addition, the validity period of the certificate can be set with -days.
# openssl req -new -days 365 -key server.key -out server.csr -sha256
Console output:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Baden-Wuerttemberg
Locality Name (eg, city) []:Stuttgart
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT-LINUXMAKER ANDREAS GUENTHER
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.it-linuxmaker.com
Email Address []:info@it-linuxmaker.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
The following command can be used to check whether the information in the CSR is all correct.
# openssl req -noout -text -in linuxmaker.com.csr
Console output:
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=DE, ST=Baden-Wuerttemberg, L=Stuttgart, O=IT-LINUXMAKER Andreas Guenther, CN=www.linuxmaker.com/emailAddress=info@it-linuxmaker.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:dc:7b:36:0b:82:9d:89:d8:7a:4c:23:f8:4f:fc:
1d:ae:e1:0f:50:11:40:46:96:60:de:82:9b:f2:4a:
dc:db:f3:e9:ee:5d:f1:6d:4c:89:6f:bc:b0:04:8b:
22:4c:1f:32:2b:89:63:5c:2a:92:e8:0e:d7:fa:ca:
......
#
For websites or web applications where encryption matters more than public presence, it is sufficient to sign the certificate yourself with the following command. It produces a certificate valid for one year.
# openssl x509 -req -days 365 -in linuxmaker.com.csr -signkey server.key -out linuxmaker.com.crt
Signature ok
subject=/C=DE/ST=Baden-Wuerttemberg/L=Stuttgart/O=IT-LINUXMAKER Andreas Guenther/CN=www.linuxmaker.com/emailAddress=info@it-linuxmaker.com
Getting Private key
#
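As an added example (not code from the original article), the steps above run non-interactively from a -config file, followed by the checks worth doing before the certificate is deployed: that key, CSR and certificate carry the same public key, that the signature uses SHA-256 and not SHA-1, and that the Common Name is the intended host name. It assumes openssl is in PATH; the organisation, host name and output directory are constructed placeholders.

```shell
# Added example, not from the original article: the article's steps run
# non-interactively (-config), then checked. Assumes openssl in PATH; the
# organisation, host name and output directory are constructed placeholders.
set -e
make_selfsigned() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir"
    # Same layout as the article's openssl.cnf fragment; prompt = no makes
    # openssl take every DN field from this file instead of asking.
    cat > "$dir/req.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no
[ req_distinguished_name ]
C = DE
ST = STATE
L = CITY
O = EXAMPLE ORG
CN = $fqdn
emailAddress = webmaster@$fqdn
EOF
    # 1. unencrypted private key (2048 bits here to keep the run short)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # 2. CSR with the DN from req.cnf, hashed with SHA-256 as the article insists
    openssl req -new -sha256 -config "$dir/req.cnf" -key "$dir/server.key" -out "$dir/server.csr"
    # 3. self-signed certificate, valid for 365 days
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}
# Succeeds only if key, CSR and certificate carry the same RSA modulus,
# i.e. the certificate really belongs to this private key.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    r=$(openssl req -noout -modulus -in "$1/server.csr")
    c=$(openssl x509 -noout -modulus -in "$1/server.crt")
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}
# Signature algorithm of the certificate; anything containing sha1 is a red flag.
cert_sig_alg() {
    openssl x509 -noout -text -in "$1/server.crt" | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
# Common Name of the certificate subject; must equal the server's FQDN.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/server.crt" | sed 's/.*CN=\([^,]*\).*/\1/'
}
```

Call make_selfsigned /etc/ssl-cacert/apache www.example.com and then the three check functions on the same directory; a non-zero exit from key_matches_cert means the key and certificate were mixed up.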
For public websites this is rather annoying, because web browsers do not know the signing CA and therefore display warnings such as "This connection is not trusted", "There is a problem with the security certificate of the website" or "Security Note: The security certificate was issued by a company ...". This can be avoided with Let's Encrypt.