How to create SSL certificate in Linux

Introduction
An SSL/TLS certificate lets an SMTP mail server prove its identity to email clients and to other mail servers, so that the connection between them can be encrypted. This tutorial walks step by step through creating the private key, the certificate signing request (CSR) and the certificate for a Postfix SMTP server in Linux, and through configuring Postfix to use them.

What is Postfix?
Postfix is an open source Mail Transfer Agent (MTA), the component that transfers email between servers. Sendmail is an alternative MTA. Both Postfix and Sendmail can act as an SMTP server; here we use Postfix.
You first create a private key and a CSR (Certificate Signing Request), then submit the CSR to a CA (Certificate Authority). The CA checks that you control the name in the request and returns a signed certificate that binds that name to your public key. The private key stays on the server and is never sent to the CA.
What is SSL?
SSL (Secure Sockets Layer) is a cryptographic protocol that establishes an encrypted, authenticated connection between a client (a web browser, a mail client, another mail server) and a server. Every version of SSL itself is deprecated; its successor TLS (Transport Layer Security) is what current software negotiates, but the name SSL is still used loosely, including for the certificates. It is widely used for web browsing, email (SMTP, IMAP, POP3), VoIP and more.
1. Create a directory 'ssl'
Let's first create a directory named 'ssl' under the Postfix configuration directory to hold the key and certificates:
# mkdir /etc/postfix/ssl
2. Change into the ssl directory
Now change into the directory you just created.
# cd /etc/postfix/ssl
3. Create SSL private key and CSR
First install openssl if it is not already present (yum on RHEL/CentOS; use your distribution's package manager elsewhere). We will use this tool to create the private key and the CSR.
# yum install openssl
Now create the private key and the CSR in one step. Replace 'mymailserver' with your own mail server's name: the Common Name (CN) you enter must be the host name clients connect to, here smtp.mymailserver.com. The -nodes option writes the key unencrypted, which is what Postfix needs, since it cannot prompt for a passphrase when it starts.
# openssl req -new -nodes -keyout smtp.mymailserver.com.key -out smtp.mymailserver.com.csr
Generating a 2048 bit RSA private key
................................+++
....................................................................+++
writing new private key to 'smtp.mymailserver.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Fill in the Distinguished Name fields (country, state, city, organization); fields that are not required can be left blank by entering '.'. The Common Name must be the full host name of the mail server. The last two prompts, 'A challenge password' and 'An optional company name', are extra attributes of the request, not a passphrase for the key; leave them blank. Because of -nodes the key file is written unencrypted, so make sure it is owned by root with mode 0600 and readable by nobody else.
The command creates two files in the ssl directory: the private key 'smtp.mymailserver.com.key' and the request 'smtp.mymailserver.com.csr'. Run ls to confirm both exist. Note that there is no certificate yet, only the request for one.
# ls
smtp.mymailserver.com.csr  smtp.mymailserver.com.key
4. What is inside the .csr and .key files?
Let's have a quick look at what is inside these files (the output is shortened). The .key file is the secret: never paste it anywhere or send it to the CA. The .csr file contains your public key and the DN you entered; it is what you submit to the CA and is safe to share.
# cat smtp.mymailserver.com.key
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDfCHuSbR2vwnGY
Q2vXqYcpfaE4Wwx5E0Scqh7/62uuDr7D+herZEJFr8IJkFfINR/fe5ElL/i/vKLz
WdJbmDJ1vVgf7FttrmV4tEg6D9iJW9mDYm0Oh28CetmpsYT31N3Qqd+Kp97rjfRv
-----END PRIVATE KEY-----

# cat smtp.mymailserver.com.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIC2zCCAcMCAQAwfTELMAkGA1UEBhMCSU4xFDASBgNVBAgMC1dFU1QgQkVOR0FM
MRAwDgYDVQQHDAdLT0xLQVRBMREwDwYDVQQKDAhUZWNoc2FraDEfMB0GA1UECwwW
SW5mb3JtYXRpb24gdGVjaG5vbG9neTESMBAGA1UEAwwJbWFpbG1hbmlhMIIBIjAN
-----END CERTIFICATE REQUEST-----
5. Get the certificate signed by a CA
A CA (Certificate Authority, or Certification Authority) issues certificates. Copy the contents of the smtp.mymailserver.com.csr file created in step 3 and paste it into the request form of your CA account. After verifying that you control the domain, the CA returns a signed certificate: it asserts that the public key in the request belongs to the named host, which is what allows clients to trust the server's identity. Save the returned certificate, together with any intermediate CA certificates the CA provides, in the ssl directory. That signed certificate, not the CSR, is what Postfix will serve.
6. Create a self-signed SSL certificate
If you do not want a CA-issued certificate, you can instead create a self-signed certificate for testing on a small private LAN. Clients have no reason to trust it, so they will warn or refuse to connect unless the certificate is explicitly trusted on each of them; do not use one on a server that exchanges mail with the Internet. The following command signs the CSR from step 3 with your own private key:
# openssl x509 -req -days 3650 -in smtp.mymailserver.com.csr -signkey smtp.mymailserver.com.key -out smtp.mymailserver.com.crt
Signature ok
subject=/C=IN/ST=######/L=#######/O=######/OU=#######/CN=mymailserver
Getting Private key
Look at the CN in the subject line printed above: clients compare the certificate's name (the subjectAltName, or failing that the CN) with the host name they connected to, so it must be the full name, smtp.mymailserver.com, not a short name such as 'mymailserver'. Run ls to confirm the .crt file has been created:
# ls
smtp.mymailserver.com.crt
7. Create a .pem file
A .pem file can hold a private key and a certificate together. Be aware of what the command below actually does: it does not combine the key and certificate made in steps 3 and 6. It generates a fresh, separate RSA key pair and a self-signed CA-style certificate (-extensions v3_ca) and writes both into ca_cert.pem. Because no -nodes is given, the key in that file is encrypted with the passphrase you are asked for; Postfix cannot use an encrypted key, so this file can only serve as the CA file (smtpd_tls_CAfile) in the configuration below, where it is harmless but unrelated to the server certificate. If what you want is a single PEM for Postfix, concatenate the unencrypted .key and the .crt from the previous steps instead and keep the result at mode 0600.
# openssl req -new -x509 -extensions v3_ca -keyout ca_cert.pem -out ca_cert.pem -days 3650
Generating a 2048 bit RSA private key
.........................+++
................................................+++
writing new private key to 'ca_cert.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
Run ls again to confirm the .pem file has been created:
# ls
ca_cert.pem
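Steps 3, 6 and 7 collapsed into one non-interactive script, as an added example that is not from the original article. It goes beyond the article's commands in three ways a practitioner would want: the host name is also placed in a subjectAltName (which current mail clients check, rather than the CN), the self-signing step re-applies that extension (openssl x509 -req drops CSR extensions unless told where to read them), and the result is checked by two functions, one confirming the SAN and one confirming the certificate belongs to the private key. The host name smtp.mymailserver.com, the organisation and the temporary working directory are assumptions for the demo; in production point it at /etc/postfix/ssl.

```shell
#!/bin/sh
# Added example (not from the original article): generate the key, CSR, self-signed
# certificate and combined PEM for a Postfix server in one non-interactive run.
# Host name, organisation and working directory are constructed for the demo.
set -eu

# mk_smtp_cert DIR HOST [DAYS]
# Produces DIR/HOST.key (0600, unencrypted: Postfix cannot use a passphrase-protected key),
# DIR/HOST.csr (what you submit to a CA), DIR/HOST.crt (self-signed, test LANs only) and
# DIR/HOST.pem (key followed by certificate).
mk_smtp_cert() {
    dir=$1; host=$2; days=${3:-365}
    cfg="$dir/$host.cnf"
    # Request config: no interactive prompts. Clients match the subjectAltName,
    # not the CN, so the host name goes in both.
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $host
O = Example Org
[v3_req]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    # Key and CSR. umask 077 restricts the unencrypted key from the moment it is written.
    ( umask 077
      openssl req -new -newkey rsa:3072 -nodes -config "$cfg" \
          -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null )
    # Self-sign the CSR with its own key. 'openssl x509 -req' does not copy extensions
    # from the CSR, so the SAN section is supplied again via -extfile/-extensions.
    openssl x509 -req -days "$days" -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -extfile "$cfg" -extensions v3_req -out "$dir/$host.crt" 2>/dev/null
    # Combined PEM; it contains the private key, so it gets the same 0600 mode.
    ( umask 077; cat "$dir/$host.key" "$dir/$host.crt" > "$dir/$host.pem" )
}

# cert_has_san CRT HOST -> exit 0 if the certificate lists DNS:HOST in its SAN extension
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# key_matches_cert KEY CRT -> exit 0 if the certificate's public key is this key's public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo in a throwaway directory; in production use /etc/postfix/ssl as in the article.
if command -v openssl >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    HOST=smtp.mymailserver.com
    mk_smtp_cert "$WORK" "$HOST" 365
    cert_has_san "$WORK/$HOST.crt" "$HOST" && echo "SAN contains DNS:$HOST"
    key_matches_cert "$WORK/$HOST.key" "$WORK/$HOST.crt" && echo "key and certificate match"
    openssl x509 -in "$WORK/$HOST.crt" -noout -subject -dates
    ls -l "$WORK"
else
    echo "openssl not found; nothing to demonstrate" >&2
fi
```

The two check functions are worth keeping around: a certificate that was renewed with a new key but whose old key is still in main.cf fails key_matches_cert, and Postfix will refuse to start TLS with that pair.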
8. Modify the main.cf file
In /etc/postfix/main.cf, under the Postfix directory, add or edit the following lines to enable SASL authentication and TLS. smtp_use_tls and smtpd_use_tls, which older guides use, are obsolete since Postfix 2.3; the *_tls_security_level parameters replace them and are used here.

###### SASL AUTHENTICATION ######
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
# permit_mynetworks after reject_unauth_destination means LAN clients must authenticate to relay
smtpd_recipient_restrictions = permit_sasl_authenticated, reject_unauth_destination, permit_mynetworks

###### TLS ######
# opportunistic TLS for outgoing mail, STARTTLS offered to incoming clients
# (replaces the obsolete smtp_use_tls = yes and smtpd_use_tls = yes)
smtp_tls_security_level = may
smtpd_tls_security_level = may
# never announce or accept AUTH on an unencrypted connection
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.mymailserver.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.mymailserver.com.crt
# trusted CA certificates; with a CA-issued server certificate, append the intermediate(s) to the cert file instead
smtpd_tls_CAfile = /etc/postfix/ssl/ca_cert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
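An added check, not part of the original article: a small audit script that reads a main.cf the way Postfix does (comments skipped, indented continuation lines joined, last definition wins) and flags the settings above that matter for security: the obsolete smtp(d)_use_tls, a missing smtpd_tls_auth_only = yes, SASL enabled without noanonymous, and unset certificate paths. The three sample configurations it runs over are constructed here; the first reproduces the article's original settings.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Postfix main.cf for the
# TLS/SASL settings discussed above. The sample files are constructed for the demo.
set -eu

# get_param FILE NAME -> prints the value of NAME from a Postfix-style config
# (comments skipped, indented continuation lines joined, last definition wins).
get_param() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        /^[ \t]/   { if (cur) val = val " " $0; next }
        {
            cur = 0
            eq = index($0, "=")
            if (eq == 0) next
            name = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", name)
            if (name == key) { cur = 1; val = substr($0, eq + 1) }
        }
        END {
            gsub(/[ \t]+/, " ", val)
            sub(/^ /, "", val); sub(/ $/, "", val)
            print val
        }' "$1"
}

# audit_main_cf FILE -> findings on stderr, number of findings on stdout
audit_main_cf() {
    cf=$1; n=0
    if [ -z "$(get_param "$cf" smtpd_tls_security_level)" ]; then
        if [ "$(get_param "$cf" smtpd_use_tls)" = "yes" ]; then
            echo "WARN smtpd_use_tls is obsolete (Postfix 2.3+); use smtpd_tls_security_level = may" >&2
        else
            echo "FAIL STARTTLS not enabled: set smtpd_tls_security_level = may" >&2
        fi
        n=$((n + 1))
    fi
    if [ "$(get_param "$cf" smtpd_sasl_auth_enable)" = "yes" ]; then
        if [ "$(get_param "$cf" smtpd_tls_auth_only)" != "yes" ]; then
            echo "FAIL smtpd_tls_auth_only != yes: AUTH accepted over plaintext" >&2
            n=$((n + 1))
        fi
        case ",$(get_param "$cf" smtpd_sasl_security_options | tr -d ' ')," in
            *,noanonymous,*) ;;
            *) echo "FAIL smtpd_sasl_security_options lacks noanonymous" >&2; n=$((n + 1)) ;;
        esac
    fi
    for p in smtpd_tls_cert_file smtpd_tls_key_file; do
        if [ -z "$(get_param "$cf" "$p")" ]; then
            echo "FAIL $p is not set" >&2; n=$((n + 1))
        fi
    done
    echo "$n"
}

# write_samples DIR -> three constructed main.cf files: the article's, a corrected one, a weak one
write_samples() {
    cat > "$1/article.cf" <<'EOF'
######SSL-AUTHENTICATION##########
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_recipient_restrictions = permit_sasl_authenticated,
    reject_unauth_destination, permit_mynetworks
smtp_use_tls = yes
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.mymailserver.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.mymailserver.com.crt
EOF
    cat > "$1/fixed.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
smtpd_tls_key_file = /etc/postfix/ssl/smtp.mymailserver.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/smtp.mymailserver.com.crt
EOF
    cat > "$1/weak.cf" <<'EOF'
smtpd_sasl_auth_enable = yes
EOF
}

WORK=$(mktemp -d)
write_samples "$WORK"
for f in article fixed weak; do
    echo "== $f.cf"
    count=$(audit_main_cf "$WORK/$f.cf")
    echo "   $count finding(s)"
done
```

On a live server run it against the output of postconf -n rather than the raw file, so that defaults and master.cf overrides are not missed.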
9. Reload Postfix
After editing main.cf, reload Postfix so the new configuration takes effect:
# postfix reload
10. Test TLS
Now test the configuration with telnet. telnet only shows whether the server advertises STARTTLS; it cannot perform the TLS handshake itself.
# telnet smtp.mymailserver.com 25
After the 220 banner, type EHLO followed by your client's name. The server's response must include the line 250-STARTTLS. With smtpd_tls_auth_only = yes, the AUTH capability is not announced until STARTTLS has been issued, so if AUTH appears in this plaintext EHLO response the setting has not been applied.
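Because telnet cannot complete the handshake, the check a practitioner actually wants is an openssl s_client session with -starttls smtp. The script below is an added example, not from the original article: starttls_probe runs that session against a host and pipes it into summarize_tls, which reduces the transcript to the protocol, cipher and certificate verification result and fails when STARTTLS was not offered or the chain did not verify. The host name is the article's, and the three transcripts used for the offline demo are constructed in the shape s_client prints.

```shell
#!/bin/sh
# Added example (not from the original article). telnet only shows whether STARTTLS is
# advertised; this performs the handshake with openssl s_client and summarises the result.
# The host name and the three sample s_client transcripts are constructed.
set -e

# summarize_tls  (reads s_client output on stdin)
# Prints one line with starttls, protocol, cipher and verify result. Exit status is 0
# only when STARTTLS was offered and the certificate chain verified; a self-signed test
# certificate therefore fails unless its .crt is supplied as the CA file.
summarize_tls() {
    awk '
        /didn.t find starttls in server response/ { no_starttls = 1 }
        /^[ \t]*Protocol[ \t]*:/                  { proto = $NF }
        /^[ \t]*Cipher[ \t]*:/                    { cipher = $NF }
        /^Verify return code:/ { sub(/^Verify return code:[ \t]*/, ""); verify = $0 }
        END {
            printf "starttls=%s protocol=%s cipher=%s verify=%s\n",
                   (no_starttls ? "no" : "yes"), proto, cipher, verify
            if (no_starttls || verify !~ /^0 /) exit 1
        }'
}

# starttls_probe HOST [PORT] [CAFILE]
# Opens an SMTP session, upgrades it with STARTTLS (SNI set to HOST) and verifies the
# server certificate against CAFILE, or the system trust store when CAFILE is omitted.
starttls_probe() {
    host=$1; port=${2:-25}; ca=${3:-}
    if [ -n "$ca" ]; then set -- -CAfile "$ca"; else set --; fi
    openssl s_client -connect "$host:$port" -starttls smtp -servername "$host" "$@" \
        </dev/null 2>&1 | summarize_tls
}

# Constructed transcripts, abridged to the lines s_client prints that matter here.
SAMPLE_VERIFIED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = smtp.mymailserver.com
verify return:1
---
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
Verify return code: 0 (ok)
---
250 CHUNKING
EOF
)
SAMPLE_SELFSIGNED=$(cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = smtp.mymailserver.com
verify error:num=18:self-signed certificate
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
Verify return code: 18 (self-signed certificate)
---
EOF
)
SAMPLE_NO_STARTTLS=$(cat <<'EOF'
CONNECTED(00000003)
didn't find starttls in server response, trying anyway...
EOF
)

# Offline demo over the transcripts. Against a live server:
#   starttls_probe smtp.mymailserver.com 25 /etc/postfix/ssl/smtp.mymailserver.com.crt
for sample in "$SAMPLE_VERIFIED" "$SAMPLE_SELFSIGNED" "$SAMPLE_NO_STARTTLS"; do
    if printf '%s\n' "$sample" | summarize_tls; then echo "  -> PASS"; else echo "  -> FAIL"; fi
done
```

For the self-signed certificate from step 6, pass its .crt as the third argument; without it the probe reports verify=18 and fails, which is exactly what every other client will do until that certificate is trusted on it.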
That concludes the article on how to create an SSL certificate in Linux for your (Postfix) mail server.