Generating Server Certificates
You can use the openssl command to generate the public and private keys for your server. From the public key, you create a certificate signing request (CSR) to send to a CA for validation. Once signed, your public certificate can be widely distributed, but your private keys must be carefully guarded. In fact, many applications store encrypted private keys and require a pass phrase to access them. You cannot use encrypted keys with Postfix, however, because different components need read access to the keys as they are started by the master daemon.
The OpenSSL distribution includes scripts to help you generate keys and certificate-signing requests, but the scripts encrypt the keys by default. Since you want to leave the keys unencrypted, it’s just as easy to use the openssl command directly. Execute the following command to create a public and private key to be used with Postfix:
$ openssl req -new -nodes -keyout mailkey.pem \
-out mailreq.pem -days 365
The openssl command with the -new option creates both a private key and a CSR. The -nodes option tells openssl not to encrypt the key. -keyout and -out indicate the names of the files where the private key and the CSR should be created. Finally, -days 365 says to make the certificate valid for one year.
If you are using a third-party CA, follow its directions for getting your certificate request signed. You will be sending in the mailreq.pem file created above. If you are acting as your own CA, you can sign the file yourself with the following command:
# openssl ca -out mail_signed_cert.pem -infiles mailreq.pem
This produces the file mail_signed_cert.pem, which will serve as your signed certificate. You probably want to copy all of your Postfix/TLS-related certificate files to a convenient location. If you used all of the defaults, execute the following commands to copy the certificate files into the Postfix configuration directory:
# cp /usr/local/ssl/mailkey.pem /etc/postfix
# cp /usr/local/ssl/mail_signed_cert.pem /etc/postfix
These files represent your server private key and public certificate. Because you created the private key without encrypting it, you must protect it by using permissions that are as restrictive as possible. Use the following commands to make sure it is owned and readable only by the root account:
# chown root /etc/postfix/mailkey.pem
# chmod 400 /etc/postfix/mailkey.pem
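The checks this section implies, as an added example that is not from the original text: a shell script that confirms the key is stored unencrypted, has mode 400 with the expected owner, and matches the signed certificate. The function names are hypothetical; the file names are the ones used above.

```sh
#!/bin/sh
# Added example; function names are hypothetical, file names follow the text.

# Succeeds if $1 is a PEM private key stored without encryption (what -nodes
# produces). Encrypted keys are marked "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8)
# or carry a "Proc-Type: 4,ENCRYPTED" header (traditional format).
key_is_unencrypted() {
    grep -q 'PRIVATE KEY-----' "$1" || return 2
    ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Succeeds if $1 is a regular file with mode exactly 0400 owned by $2
# (default: root), i.e. the result of the chown/chmod commands above.
key_perms_ok() {
    [ -n "$(find "$1" -prune -type f -perm 0400 -user "${2:-root}" 2>/dev/null)" ]
}

# Succeeds if certificate $2 carries the public half of private key $1.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Runs all three checks; prints "ok" or the first failure.
# usage: check_postfix_tls_files KEY CERT [OWNER]
check_postfix_tls_files() {
    key_is_unencrypted "$1" || { echo "encrypted or not a PEM key: $1"; return 1; }
    key_perms_ok "$1" "$3" || { echo "want mode 400, owner ${3:-root}: $1"; return 1; }
    key_matches_cert "$1" "$2" || { echo "certificate does not match key: $2"; return 1; }
    echo "ok"
}

# e.g. sh check.sh /etc/postfix/mailkey.pem /etc/postfix/mail_signed_cert.pem
if [ "$#" -ge 2 ]; then
    check_postfix_tls_files "$@"
fi
```

Running it after each certificate renewal catches a key that was regenerated with a pass phrase or copied into place with default permissions.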