SSL-Enable Apache, Imap and Pop3
This doc describes the process of generating an ssl key and csr (certificate signing request), having the csr signed by a CA, and installing the final signed crt (certificate) for use with apache, imap and pop3.
This procedure is for RHEL3, but should apply to RHEL4. Back up any pre-existing ssl key, csr, or crt files in /etc/httpd/conf/* before starting.
Creating an SSL Key
1. cd /etc/httpd/conf
2. Although it's recommended to enter a passphrase on the ssl key, doing so will require human intervention (i.e. someone must manually enter the passphrase) every time the apache server restarts. This breaks any automated restarts (i.e. those done by scripts or cluster software). Therefore, this process uses the Redhat alternate method for generating the key, which doesn't require a passphrase. So, run the following:
/usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
chmod 600 /etc/httpd/conf/ssl.key/server.key
Creating a Certificate Request
1. cd /usr/share/ssl/certs
2. Run the following:
make certreq
-Don't enter a passphrase when prompted --> just press <enter>
-Country Name: US
-State or Province Name: Colorado
-Locality Name: City
-Organization Name: Some Company
-Organizational Unit Name: Technology
-Common Name (your server's FQDN): server.example.com
-Email Address: postmaster@example.com
-A challenge password: leave blank --> just press <enter>
-An optional company name: leave blank --> just press <enter>
3. The csr file has now been created as /etc/httpd/conf/ssl.csr/server.csr
4. Submit this new csr to a CA (like Comodo) for them to sign. They will send back a newly signed certificate. In addition, Comodo will send their bundled certificate files that will be used as chained certificates. Essentially, Comodo is not a top-level CA, so their keys and certificates are signed by GTE. GTE is a root CA, which is trusted by most browsers and email clients. So, the signed cert we get back needs the GTE certificate to work correctly.
5. Save the signed cert as /etc/httpd/conf/ssl.crt/server.crt
Installing the signed certificate
A. Apache
1. You should now have three files: server.key, server.csr and server.crt. Each is in the corresponding directory under /etc/httpd/conf. Save the Comodo bundled certificate file (this can also be downloaded from their site) as /etc/httpd/conf/ssl.crt/GTE_and_Comodo-bundle.crt
2. The server.csr is no longer needed. Since we have multiple signed certificates, I prefer to name all the files according to the server they're on. For instance, on a mail server, rename server.key to mail.key, and rename server.crt to mail.crt. For completeness, if you keep the csr, rename it from server.csr to mail.csr.
3. Edit /etc/httpd/conf.d/ssl.conf by setting the following lines:
SSLCertificateFile /etc/httpd/conf/ssl.crt/mail.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mail.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/GTE_and_Comodo-bundle.crt
4. Restart apache.
B. IMAP and POP3
1. cd /usr/share/ssl/certs
2. Create two files: imapd.pem and ipop3d.pem; set permissions to 600 on both.
3. In the imapd.pem file, copy and paste in the specified order:
a. the contents of /etc/httpd/conf/ssl.key/mail.key
b. the contents of /etc/httpd/conf/ssl.crt/mail.crt
c. the contents of /etc/httpd/conf/ssl.crt/GTE_and_Comodo-bundle.crt
4. In the ipop3d.pem file, copy and paste in the specified order:
a. the contents of /etc/httpd/conf/ssl.key/mail.key
b. the contents of /etc/httpd/conf/ssl.crt/mail.crt
c. the contents of /etc/httpd/conf/ssl.crt/GTE_and_Comodo-bundle.crt
5. Since these two services are handled by xinetd, you don't need to restart any service to activate the new crt.
NOTE:
In the case of a two-node cluster, copy the key and crt files (both mail.crt and GTE*.crt) to the second mail server and repeat the process for installing certificates. Leave the file names the same.
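The following is an added example, not part of the original doc: a POSIX sh script that assembles the imapd.pem / ipop3d.pem files in the order given above (key, then server cert, then CA bundle) with mode 600, and checks that the private key, the CA-signed cert and the chain actually belong together before they are put into service (the same check is worth running on the Apache files from section A). All paths, file names and the throwaway self-signed cert in the demo are assumptions.

```shell
# Added example (not from the original page): build the mail PEM files in the
# order the page prescribes and verify key, cert and chain before use.
# All paths and file names are assumptions.

# Concatenate key + cert + chain into one PEM created directly with mode 600.
# Fails if an input is missing or the private key is not the first block.
build_mail_pem() {
    key="$1"; crt="$2"; chain="$3"; out="$4"
    [ -f "$key" ] && [ -f "$crt" ] && [ -f "$chain" ] || return 1
    ( umask 077; cat "$key" "$crt" "$chain" > "$out" ) || return 1
    chmod 600 "$out"
    head -n 1 "$out" | grep -q 'PRIVATE KEY'
}

# Number of PEM blocks of one type ("CERTIFICATE", "PRIVATE KEY") in a file.
count_pem_blocks() {
    n=$(grep -c "^-----BEGIN .*$2-----" "$1") || n=0
    echo "$n"
}

# Succeeds only when the key's RSA modulus equals the certificate's: the
# standard check that the cert the CA returned was issued for the key you made.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only when the server cert validates against the CA bundle, which is
# what a browser or mail client does with the installed chain.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo on a constructed throwaway self-signed cert standing in for the CA-issued
# cert and its bundle. Skipped when openssl is not installed.
run_demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl missing, demo skipped"; return 0; }
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=mail.example.com -days 1 \
        -keyout "$d/mail.key" -out "$d/mail.crt" >/dev/null 2>&1
    cp "$d/mail.crt" "$d/bundle.crt"
    for check in "build_mail_pem $d/mail.key $d/mail.crt $d/bundle.crt $d/imapd.pem" \
                 "key_matches_cert $d/mail.key $d/mail.crt" \
                 "chain_verifies $d/mail.crt $d/bundle.crt"; do
        if $check; then echo "PASS: $check"; else echo "FAIL: $check"; fi
    done
    rm -rf "$d"
}
run_demo
```

Run key_matches_cert against mail.key and mail.crt right after saving the CA's reply; a mismatch there means the cert was issued for a different key than the one on this server.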