Appendix E. Generating SSL certificates
For the Dr.Web for UNIX Mail Servers components that use a secure SSL/TLS data channel and application protocols such as HTTPS, LDAPS, SMTPS, and so on, it is necessary to provide private SSL keys and the corresponding certificates. Keys and certificates for some components are generated automatically; for others, they must be provided by the Dr.Web for UNIX Mail Servers user. All the components use certificates in the PEM format.

To generate private keys and certificates used for connections via SSL/TLS, including verification certificates of a Certification Authority (CA) and signed certificates, you can use the command-line utility openssl (included in the OpenSSL cryptographic package). Below is the sequence of actions required to generate a private key and the corresponding SSL certificate, together with an SSL certificate signed by the CA verification certificate.

To Generate a Private SSL Key and a Certificate

1. To generate a private key (the RSA algorithm, the key length is 2048 bits), run the command:
If you want to password-protect the key, use the -des3 option. The generated key is in the file keyfile.key located in the current directory. To view the key, use the command:
2. To generate a certificate for the specified time period, based on the existing private key (in this case, for 365 days), run the command:
To view the contents of the generated certificate, use the command:
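The two steps above, as an added example (these are not Dr.Web's own commands). It generates the 2048-bit RSA key and the 365-day self-signed certificate with openssl, dumps both in readable form, and checks that the key length, validity period and key/certificate pairing are what was asked for. The file names keyfile.key and cert.crt, the work directory passed as the first argument, and the -subj identity (which replaces the interactive prompts) are assumptions of this example, not values from the page.

```shell
#!/bin/sh
# Added example; not Dr.Web's own commands. Generates a 2048-bit RSA key and a
# self-signed certificate valid for 365 days, then checks the result.
# Assumed: file names keyfile.key / cert.crt in the directory given as $1,
# and a made-up -subj identity instead of the interactive prompts.
set -eu

make_key_and_cert() {
  dir="$1"
  # Private RSA key, 2048 bits. Add -des3 to protect it with a passphrase.
  openssl genrsa -out "$dir/keyfile.key" 2048 2>/dev/null
  # A private key should be readable by its owner only.
  chmod 600 "$dir/keyfile.key"
  # Self-signed X.509 certificate for 365 days, based on that key.
  openssl req -new -x509 -key "$dir/keyfile.key" -out "$dir/cert.crt" -days 365 \
    -subj "/CN=mail.example.test/O=Example Mail" 2>/dev/null
}

# Human-readable dumps: the equivalent of the page's "view" steps.
show_key()  { openssl rsa  -in "$1" -noout -text; }
show_cert() { openssl x509 -in "$1" -noout -text; }

# Key length in bits, parsed from the key dump ("... Private-Key: (2048 bit ...").
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null |
    sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Exit 0 while the certificate is still valid $2 days from now
# (-checkend takes seconds and fails once the certificate would have expired).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# True when the certificate carries the public half of the given private key.
key_matches_cert() {
  [ "$(openssl rsa -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Stand-alone run: DEMO=1 sh keygen.sh
if [ "${DEMO:-0}" = 1 ]; then
  d=$(mktemp -d)
  make_key_and_cert "$d"
  show_key "$d/keyfile.key"
  show_cert "$d/cert.crt"
  echo "key and certificate written to $d"
fi
```

The -checkend probe is the practical way to confirm the -days value took effect: the certificate passes a 364-day check and fails a 366-day one. The pubkey comparison catches the common mistake of pairing a certificate with the wrong key file before it is handed to a component.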
To Register a Certificate as a Trusted CA Certificate

1. Move or copy the certificate file to the system trusted certificate directory (/etc/ssl/certs/ in Debian/Ubuntu).

2. In the trusted certificate directory, create a symbolic link to the certificate, where the name of the link is the hash value of the certificate.

3. Reindex the contents of the system directory containing certificates.

The example below performs all three actions. It assumes that the current directory is the trusted certificates directory /etc/ssl/certs/ and that the certificate to be registered as a trusted one is located in the /home/user/ca.crt file:
To Create a Signed Certificate

1. Generate a request for signing a certificate (Certificate Signing Request, CSR) based on the existing private key. If the key is absent, generate it. The request for signing is created with the command:
This command, like the command that creates a certificate, requests data that identifies the certified object. keyfile.key here is the existing private key file. The resulting request is saved to the file request.csr. To check the result of request creation, use the command:
2. Create a signed certificate, based on the request and the existing CA certificate, by using the command:
Use the following command to check the result:
Repeat this procedure as many times as there are unique certificates you want to create. For example, every agent for distributed file scanning (Dr.Web Network Checker) within a scanning cluster should have its own key and certificate.

Modifying a signed certificate

Some browsers or mail clients may require the signed certificate used for authorization to be converted to the PKCS12 format. You can convert the certificate using the command:
sigcert.crt here is the existing file of the signed certificate, and keyfile.key is the file of the corresponding private key. The converted certificate is saved to sigcert.pfx.
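The registration, signing and PKCS12 procedures above, run end to end as one added example (not Dr.Web's own commands). A throwaway directory stands in for /etc/ssl/certs/ so the script runs without root; the CA file names ca.key/ca.crt, the agent names keyfile.key/request.csr/sigcert.crt/sigcert.pfx, the -subj identities and the export passphrase are assumptions of this example. The script shows why step 2 of the registration matters: openssl verify against the directory fails until the subject-hash symlink exists, and succeeds afterwards.

```shell
#!/bin/sh
# Added example; not Dr.Web's own commands. Walks through: CSR from an existing
# key and a CA-signed certificate; registering the CA certificate in a
# directory-style trust store (copy + <subject-hash>.N symlink, which is what
# c_rehash / "openssl rehash" do for a whole directory); verifying the signed
# certificate against that directory; converting it plus its key to PKCS#12.
# Assumed: all file names below, the -subj identities, the passphrase, and a
# temporary directory in place of /etc/ssl/certs/.
set -eu

# Self-signed CA certificate (the first procedure on the page, used as the signer).
make_ca() {
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -key "$1/ca.key" -out "$1/ca.crt" -days 365 \
    -subj "/CN=Example Mail CA/O=Example" 2>/dev/null
}

# CSR from the agent's existing private key (generated if absent), then a
# certificate signed by the CA. -CAcreateserial keeps serial numbers unique
# across the repeated runs needed for one certificate per agent.
make_signed_cert() {
  dir="$1"
  [ -f "$dir/keyfile.key" ] || openssl genrsa -out "$dir/keyfile.key" 2048 2>/dev/null
  openssl req -new -key "$dir/keyfile.key" -out "$dir/request.csr" \
    -subj "/CN=scanner-01.example.test/O=Example" 2>/dev/null
  openssl req -in "$dir/request.csr" -noout -verify >/dev/null 2>&1
  openssl x509 -req -in "$dir/request.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -out "$dir/sigcert.crt" -days 365 >/dev/null 2>&1
}

# Register ca_file in trust_dir: copy it in, then link <subject-hash>.N to it.
# OpenSSL looks CAs up in a -CApath directory by exactly that link name.
register_trusted_ca() {
  ca_file="$1"; trust_dir="$2"
  cp "$ca_file" "$trust_dir/"
  subj_hash=$(openssl x509 -in "$ca_file" -noout -hash)
  n=0
  while [ -e "$trust_dir/$subj_hash.$n" ]; do n=$((n + 1)); done
  ln -s "$(basename "$ca_file")" "$trust_dir/$subj_hash.$n"
  echo "$subj_hash.$n"
}

# Exit 0 when the certificate chains to a CA found in trust_dir alone.
verify_with_dir() { openssl verify -no-CAfile -CApath "$2" "$1" >/dev/null 2>&1; }

# Bundle the signed certificate with its private key for a browser or mail client.
to_pkcs12() {
  openssl pkcs12 -export -in "$1/sigcert.crt" -inkey "$1/keyfile.key" \
    -out "$1/sigcert.pfx" -passout "pass:$2"
}

# Number of certificates stored in a .pfx (the leaf only here, so 1).
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Stand-alone run: DEMO=1 sh signcert.sh
if [ "${DEMO:-0}" = 1 ]; then
  work=$(mktemp -d); trust=$(mktemp -d)
  make_ca "$work"; make_signed_cert "$work"
  verify_with_dir "$work/sigcert.crt" "$trust" && echo "unexpected: trusted before registration"
  link=$(register_trusted_ca "$work/ca.crt" "$trust")
  echo "registered as $trust/$link"
  verify_with_dir "$work/sigcert.crt" "$trust" && echo "sigcert.crt verifies against $trust"
  to_pkcs12 "$work" "changeit"
  echo "PKCS#12 bundle: $work/sigcert.pfx"
fi
```

Because the bundle contains the private key, sigcert.pfx deserves the same file permissions and handling as keyfile.key, and the passphrase given to -passout is the only thing protecting it at rest.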