by Wim Kerkhoff
Trying to get a server certificate that has been self signed using your own Root CA to be nicely accepted by clients can be tricky. I've got it going on nyetwork.org though, so that HTTP, POP3, IMAP, and SMTP are protected using SSL and my self signed server certificate. ssl_root_ca_old|HTTP is protected using mod_ssl, but everything else is done using stunnel. S/MIME (encryption, description, signing, verification) is working perfectly using my own Root CA. Here are the instructions for Outlook Express; they should be detailed enough to help with out applications that require them as well. Importing the certificate in OE will be enough for IE to be happy as well.
Download this handy toolkit and install it:
cd /tmp wget http://nyetwork.org/wim/downloads/ssl.ca-0.1.tar.gz tar xvfz ssl.ca-0.1.tar.gz mv ssl.ca-0.1 /usr/local/ssl.ca cd /usr/local/ssl.ca
To create the Root CA:
Answer all the questions for the Root CA (Certificate Authority). Defaults are make a lot of sense though.
And that's it! These shell scripts have easy names. I found this method to be a LOT easier then what the OpenSSL documentation recommends.
Answer all the questions for the Server Certificate. Defaults should help explain what each option is. Then sign the certificate request (CRL) using your Root CA:
Enter the passphrase you set up for the Root CA...
Creation of a unified PEM version of the server's certificate and private key is necessary for many applications. It is as simple as concatenating the two together:
cd /usr/local/ssl.ca cat domain.com.crt domain.com.key > domain.com.pem
This will allow clients to easily import it into their their PKI storage places, such as Outlook Express and Netscape.
cd /usr/local/ssl.ca openssl crl2pkcs7 -nocrl -certfile ca.crt -outform DER -out ca.pkcs7
ca.pkcs7 will only contain the public portion of the CA's certificate, so you can email it to whomever with instructions on how to import it, put it up for download, or whatever.
Stunnel is the tool that takes care of creating SSL tunnels for a variety of scenarios.
apt-get install stunnel
I create an /etc/rc.boot/stunnel script, which creates all the required tunnels:
#!/bin/sh # connect localhost:imaps to localhost:imap to secure Cyrus IMAP server /usr/sbin/stunnel -d imaps -r localhost:imap -p /etc/stunnel/server.pem # connect localhost:pop3s to localhost: /usr/sbin/stunnel -d pop3s -r localhost:pop3 -p /etc/stunnel/server.pem # connect localhost:ssmtp (SMTP over SSL) to localhost /usr/sbin/stunnel -d ssmtp -r localhost:smtp -p /etc/stunnel/server.pem
Check that stunnel is running. You should see 3 parent stunnel process, with varying number of forked off children. This means that now the plain text ports IMAP (143), POP3 (110), and SMTP (25) are have SSL versions now. Check /etc/services for their actual port numbers if in doubt.
Go to Options -> Security -> Digital IDs. Click Import, and select your ca.pkcs7 file. It should say something to the effect that it imported successfully. Also in OE, for each account that is pointed at this server, ensure that that "Incoming Mail" option is exactly the name of the server that is in your server certificate. For example, ufies.org or nyetwork.org, not mail.ufies.org. If you are wanting to do secure SMTP, the same goes for that.
User certificates are handy for digitally signing and/or encrypting emails, authenticating users connecting via SSL to your website, etc. The same SSL toolkit can help you with this.
cd /usr/local/ssl.ca ./new-user-cert.sh email@example.com
Answer all the questions, then sign this request:
Combine the user certificate and private key into a unified PEM format file:
cat user\@domain.com.crt user\@domain.com.key > user\@domain.com.pem
Convert this new PEM file into PKCS#12 format, so the OE can import it nicely:
openssl crl2pkcs7 \ -nocrl -certfile user\@domain.com.crt \ -outform DER -out user.domain.public.pkcs7
Then Import this into Outlook Express / Netscape Mail like we did for the Root CA above, and you should now be able to Sign and/or Encrypt your emails!
user.domain.public.pkcs7 will actually be seldom used. Other people can obtain your public certificate if you simply send them a signed (not encrypted) message.
Netscape Communicator 4.x (under Linux anyways) has some really clunky PKI tools. Go to Communicator -> Tools -> Security Info -> Signers, and select your Root CA. Click Edit, and scroll down to the Approval checkboxes.
Locate and configure these options in httpd.conf:
SSLCertificateFile /path/to/server.crt SSLCertificateKeyFile /path/to/server.key
Depending on your system, your server may not be suggesting the correct MIME type to browsers. If the MIME types are correct, you can put up a link to your Root CA (ca.pks7) on your site, so that people can click the link to import it into their trusted list of Certificate Authorities. If this is not happening, edit /etc/mime.types, and add a line like this, then restart Apache:
mv server.key server.key.secure openssl rsa -in server.key.secure -out server.key chown 400 server.key server.key.secure
Sites that link to here