2009/02/08

Renewing SSL certificates

As my home server's SSL certificates are going to expire soon, I need to renew them.
But it has been over a year since the certificates were created and I've forgotten how to make them, so I've done some research. For the record, here are the steps:
1. Generating RSA private key
openssl genrsa -des3 -out server.key 1024

2. Making certificate request
openssl req -new -key server.key -out server.csr
3. Go to CACert.org to generate the certificate, using the server.csr file.
4. Or self-sign using the openssl command
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Then a certificate file is generated.

To use the certificate in Apache:
SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.pem


To use the certificate in Postfix:
smtpd_tls_CAfile = /etc/ssl/postfix/cacert.pem
smtpd_tls_cert_file=/etc/ssl/postfix/home.cert
smtpd_tls_key_file=/etc/ssl/postfix/home.pem

To use the certificate in Courier IMAP:
Make a server.key file with the contents of server.crt and server.pem combined, like:
-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[encoded data]
-----END RSA PRIVATE KEY-----
Then configure it in imapd-ssl:
TLS_CERTFILE=/etc/courier-imap/imapd.crt
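
The combining step for Courier IMAP can be scripted so that the file holding the private key is never left world-readable. The following is an added example, not part of the original post; the function names are made up here, and it assumes the daemon must read the key without a passphrase, so a key still encrypted by the -des3 option from step 1 is refused.

```sh
#!/bin/sh
# Added example: build the combined certificate + key PEM file described above.
# Function names are hypothetical; file names in the usage line come from the post.

# count_blocks FILE LABEL-REGEX -> number of "-----BEGIN <label>-----" lines
count_blocks() {
    grep -Ec -- "^-----BEGIN $2-----\$" "$1" || true
}

# make_bundle CERT KEY OUT -> 0 on success; 2..5 name the check that failed
make_bundle() {
    cert=$1 key=$2 out=$3
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cannot read input files" >&2; return 2; }

    # A passphrase-protected key carries one of these markers, depending on
    # the OpenSSL version that wrote it.
    if grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "$key is passphrase-protected; decrypt it first" >&2
        return 3
    fi

    # Exactly one certificate and one private key, each in the right file.
    [ "$(count_blocks "$cert" 'CERTIFICATE')" -eq 1 ] ||
        { echo "$cert: expected exactly one certificate" >&2; return 4; }
    [ "$(count_blocks "$key" '(RSA )?PRIVATE KEY')" -eq 1 ] ||
        { echo "$key: expected exactly one private key" >&2; return 5; }

    # Create the bundle with mode 600 from the start, then move it into place
    # so a reader never sees a half-written or world-readable file.
    rm -f "$out.tmp"
    ( umask 077 && cat "$cert" "$key" > "$out.tmp" ) && mv -f "$out.tmp" "$out"
}

# pair_matches CERT KEY -> 0 when the certificate's public key belongs to KEY
# (needs the openssl command; returns 2 if either file cannot be parsed)
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Usage, with the file names from the post:
#   pair_matches server.crt server.pem &&
#       make_bundle server.crt server.pem /etc/courier-imap/imapd.crt
```

Running pair_matches first catches the common renewal mistake of installing a new certificate next to the old key.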