In this and a few later articles I am going to describe how to install a TLS/SSL certificate on lighttpd, vsftpd, Postfix, Dovecot, eJabberd and maybe Apache. I also wanted to do this using the free SSL provider StartSSL. However, if you are going to use the certificate for testing and development purposes, you may prefer to read the article about creating "self-signed" SSL certificates.
$ aptitude install ssl-cert ca-certificates
Once you have registered, you need to add your domain and then verify the domain addition from the email that gets sent out.
$ openssl req -new -newkey rsa:2048 -nodes -keyout www_privatekey.pem -out www_csr.pem
Generating a 2048 bit RSA private key
..................................++++++
....................++++++
writing new private key to 'www_privatekey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:UA
State or Province Name (full name) [Some-State]:Some state
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Organisation
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:www.example.org
Email Address []:email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
You should also check the content of the request with
$ openssl req -in www_csr.pem -text -verify -noout
before sending it.
Request a new server certificate from the StartSSL web site. When you are asked for the CSR, paste the content of 'www_csr.pem' into the box.
Copy the certificate from the web page and put it in a file named 'www_certificate.pem'. You can check the contents of this file with:
$ openssl x509 -in www_certificate.pem -text -noout
You should then test your server certificate like this:
$ openssl verify www_certificate.pem
If everything is working, you should see "OK".
Here I should mention that you may not get an OK response (for example if you are working under Fedora Core), because the certificate file does not contain the CA certificates. You can concatenate the CA certificates onto it and verification will then return OK, but you do not really have to do this, as different software requires different settings. I will describe this in my later articles.
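As an added example (not code from the original article), here is a small POSIX shell script with the three checks I run on an issued certificate before deploying it: that the private key belongs to the certificate, that the chain verifies once the issuing intermediate is supplied (the "not OK" case above), and that the certificate covers the hostname it will serve. It assumes an openssl binary in PATH; roots.pem, ca_chain.pem and the Demo-* names are assumptions, and make_demo_pki builds a constructed throwaway root/intermediate/leaf chain so the checks can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original article: checks to run on an issued
# certificate before deploying it, plus a constructed throwaway PKI
# (root -> intermediate -> leaf) so they can be exercised offline.
# Assumes an openssl binary (1.1.1 or newer) in PATH. Leaf file names follow
# the article; roots.pem (trust store, e.g. Debian's
# /etc/ssl/certs/ca-certificates.crt) and ca_chain.pem (issuing
# intermediate) are assumed names.
set -eu

# 1. The private key must belong to the certificate: hash the DER public key
#    derived from each side and compare (works for RSA and EC keys alike).
key_matches_cert() { # KEY CERT
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 | awk '{print $NF}')
  [ "$k" = "$c" ]
}

# 2. The chain must build up to a trusted root. The intermediate goes in via
#    -untrusted; omit it and a leaf signed by an intermediate fails with
#    "unable to get local issuer certificate".
cert_chain_ok() { # ROOTS CERT [INTERMEDIATE]
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2"
  else openssl verify -CAfile "$1" "$2"; fi >/dev/null 2>&1
}

# 3. The certificate must cover the hostname that will be served
#    (SAN, or CN when no SAN is present).
cert_covers_host() { # CERT HOSTNAME
  openssl x509 -in "$1" -checkhost "$2" | grep -q ' does match '
}

# Helpers for the constructed demo PKI; every key here is test-only.
gen_csr() { # DIR CN KEYFILE CSRFILE
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$3" -out "$1/$4" 2>/dev/null
}
make_demo_pki() { # DIR
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.org\n' > "$d/leaf.ext"
  gen_csr "$d" Demo-Root root.key root.csr
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -extfile "$d/ca.ext" \
    -out "$d/roots.pem" 2>/dev/null
  gen_csr "$d" Demo-Intermediate inter.key inter.csr
  openssl x509 -req -in "$d/inter.csr" -CA "$d/roots.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/ca_chain.pem" 2>/dev/null
  gen_csr "$d" www.example.org www_privatekey.pem www_csr.pem
  openssl x509 -req -in "$d/www_csr.pem" -CA "$d/ca_chain.pem" -CAkey "$d/inter.key" \
    -CAcreateserial -extfile "$d/leaf.ext" -out "$d/www_certificate.pem" 2>/dev/null
}
```

Source the file and call the three check functions on your real files, or run make_demo_pki on a temporary directory to try them against the constructed chain.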