Creating SSL certificates for web, mail and IM servers is not well documented. Here are some notes on generating certificates on a Debian server, signed by your own certificate authority, plus instructions for using them on OS X (instructions for installing and configuring openssl, apache2 and mod_ssl, exim4, courier-imap-ssl, courier-pop3-ssl and jabberd2 are not included):
Certificate Authority
First of all you need to create a root Certificate Authority certificate [ca.crt], which will later be used to sign the other certificates. Its private key [ca.key] is protected by a password.
cd /usr/share/ssl-cert/
Create index and serial files
cp /dev/null ca.index
echo '01' >ca.serial
Edit file paths in the default config file
[here's mine]
nano ca.config
Generate key and certificate for signing authority
openssl genrsa -des3 -out ca.key 2048
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
(use . for everything except the Common Name, which is the name of your Certificate Authority, eg Example Certificate Authority)
So that OS X trusts all certificates signed by your Certificate Authority, download ca.crt then double-click and import it into the X509Anchors keychain using Keychain Access.
Apache2
For Apache, a key [example.org.key] is generated and used to encrypt a certificate request [example.org.csr], which is then signed by the Certificate Authority to produce the final certificate [example.org.crt]. The files are named this way so that you can have multiple certificates for virtual hosts. The keys must not be password protected, otherwise Apache will hang waiting for a password when it starts up.
Generate key and certificate for Apache
openssl genrsa -out example.org.key 2048
openssl req -new -key example.org.key -out example.org.csr
(use . for everything except the Common Name, which is the web server address, eg www.example.org)
Sign Apache certificate
openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out example.org.crt -infiles example.org.csr
Set up Apache
cp example.org.key /etc/apache2/ssl/
cp example.org.crt /etc/apache2/ssl/
nano /etc/apache2/sites-enabled/example.org
<VirtualHost *:443>
ServerName www.example.org
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/example.org.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.org.key
</VirtualHost>
apache2ctl stop
apache2ctl start
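The CA and Apache steps above, run end to end without any prompts, as an added example that is not part of the original howto. It differs from the page in three assumed ways: the CA key is left unencrypted (the page uses -des3) so the script can run unattended; the ca.config it writes is a minimal one made up for this example, since the page's own ca.config is not shown; and the signed certificate gets a subjectAltName, which the page's CSR does not carry. The last function is the check the page never makes: that the signed certificate actually verifies against ca.crt.

```sh
#!/bin/sh
# Added example (not from the original howto): private CA + one signed server
# certificate, non-interactive, followed by a chain verification.
# Assumptions: CA key has no passphrase; ca.config below is a minimal config
# written for this example; all files live in the scratch directory given as $1.
set -eu

# Minimal configuration serving both "openssl req" (CA cert and CSRs) and
# "openssl ca" (signing). Paths are resolved relative to $dir.
write_ca_config() {
  dir=$1
  cat >"$dir/ca.config" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca

[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = local_ca

[ local_ca ]
dir = $dir
database = \$dir/ca.index
serial = \$dir/ca.serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = policy_cn_only
unique_subject = no

[ policy_cn_only ]
commonName = supplied
EOF
}

# The page's CA section: index, serial, key and self-signed root certificate.
make_ca() {
  dir=$1
  mkdir -p "$dir/newcerts"
  write_ca_config "$dir"
  : >"$dir/ca.index"
  echo 01 >"$dir/ca.serial"
  openssl req -config "$dir/ca.config" -new -x509 -days 3650 -nodes \
    -newkey rsa:2048 -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Example Certificate Authority" 2>/dev/null
  chmod 600 "$dir/ca.key"
}

# The page's Apache section: unencrypted key, CSR with the host as CN, CA
# signature. The extension file adds the SAN that modern clients match on.
sign_server_cert() {
  dir=$1; host=$2
  openssl req -config "$dir/ca.config" -new -nodes -newkey rsa:2048 \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
  printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" >"$dir/$host.ext"
  openssl ca -config "$dir/ca.config" -batch -notext \
    -keyfile "$dir/ca.key" -cert "$dir/ca.crt" -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" -infiles "$dir/$host.csr" 2>/dev/null
}

# Succeeds only if the certificate chains to ca.crt and names the host.
verify_server_cert() {
  dir=$1; host=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}

if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_ca "$work"
  sign_server_cert "$work" www.example.org
  verify_server_cert "$work" www.example.org &&
    echo "www.example.org.crt verifies against ca.crt; files are in $work"
fi
```

Because the config sets unique_subject = no, the same functions can sign mail.example.org, smtp.example.org and jabber.example.org from the same ca.index and ca.serial without the reset trick mentioned in the comments; -notext makes openssl ca write the bare PEM block, so the "strip everything before BEGIN CERTIFICATE" editing step is not needed for these files.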
Courier
For Courier, a non-protected key [courier.key] is generated and used to encrypt a certificate request [courier.csr], which is then signed by the Certificate Authority to produce the final certificate [courier.crt]. The key and certificate are combined into a PEM file [courier.pem], which is then used for both the IMAP and POP3 servers.
Generate key and certificate for Courier
openssl genrsa -out courier.key 2048
openssl req -new -key courier.key -out courier.csr
(use . for everything except the Common Name, which is the mailserver address, eg mail.example.org)
Sign Courier certificate
openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out courier.crt -infiles courier.csr
Combine key and certificate into PEM file
nano courier.crt
(strip out everything before the BEGIN CERTIFICATE line)
cat courier.key courier.crt > courier.pem
openssl gendh >> courier.pem
Set up Courier
cp courier.pem /etc/courier/imapd.pem
cp courier.pem /etc/courier/pop3d.pem
chmod 0600 /etc/courier/imapd.pem
chmod 0600 /etc/courier/pop3d.pem
/etc/init.d/courier-imap-ssl stop
/etc/init.d/courier-imap-ssl start
/etc/init.d/courier-pop-ssl stop
/etc/init.d/courier-pop-ssl start
Exim
For Exim4, a non-protected key [exim.key] and certificate request [exim.csr] are generated. The request is then signed by the Certificate Authority to produce the final certificate [exim.crt].
Generate key and certificate for Exim4
openssl req -newkey rsa:2048 -keyout exim.key -out exim.csr -days 3650 -nodes
(use . for everything except the Common Name, which is the SMTP server address, eg smtp.example.org)
Sign Exim4 certificate
openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out exim.crt -infiles exim.csr
Set up Exim4
cp exim.crt /etc/exim4/exim.crt
cp exim.key /etc/exim4/exim.key
chown root:Debian-exim /etc/exim4/exim.key /etc/exim4/exim.crt
chmod 640 /etc/exim4/exim.key /etc/exim4/exim.crt
/etc/init.d/exim4 stop
/etc/init.d/exim4 start
Jabberd2
For Jabberd2, a non-protected key [jabberd.key] is generated and used to encrypt a certificate request [jabberd.csr], which is then signed by the Certificate Authority to produce the final certificate [jabberd.crt]. The key and certificate are combined into a PEM file [jabberd.pem], which is used for messages between client and server.
Generate key and certificate for Jabberd
openssl genrsa -out jabberd.key 2048
openssl req -new -key jabberd.key -out jabberd.csr
(use . for everything except the Common Name, which is the Jabber server address, eg jabber.example.org)
Sign Jabberd certificate
openssl ca -config ca.config -keyfile ca.key -cert ca.crt -out jabberd.crt -infiles jabberd.csr
Combine key and certificate into PEM file
nano jabberd.crt
(strip out everything before BEGIN CERTIFICATE)
cat jabberd.key jabberd.crt > jabberd.pem
Set up Jabberd
cp jabberd.pem /usr/local/etc/jabberd/
chown root:jabber /usr/local/etc/jabberd/jabberd.pem
chmod 640 /usr/local/etc/jabberd/jabberd.pem
( edit all xml files so that
su jabber
jabberd &
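The "combine key and certificate into PEM file" step of the Courier and Jabberd sections, as an added example that is not part of the original howto. It replaces the manual editing in nano with sed, refuses to build the combined file when the key and certificate do not belong together (the mistake that otherwise only shows up as a cryptic TLS failure at start-up), and appends DH parameters with openssl dhparam, which is the current name of the openssl gendh command used above. The input it works on is constructed here: a self-signed test certificate, re-emitted through openssl x509 -text so that it carries the same text dump in front of the PEM block that openssl ca produces.

```sh
#!/bin/sh
# Added example (not from the original howto): build the courier.pem /
# jabberd.pem style file safely. Assumptions: the certificate is a self-signed
# test certificate generated below rather than one signed by the CA (the
# combination step is identical either way); work happens in a scratch dir.
set -eu

# Print only the named PEM block, dropping the text dump "openssl ca" writes
# in front of the certificate (the page's "strip out everything before" step).
extract_pem() {
  sed -n "/^-----BEGIN $1-----/,/^-----END $1-----/p" "$2"
}

# How many blocks of the given type a file holds (0 if none).
count_pem_blocks() {
  grep -c "^-----BEGIN $1-----" "$2" || true
}

# Succeed only when the certificate's public key is the one derived from the
# private key. Comparing SubjectPublicKeyInfo PEM works for RSA and EC alike.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Write KEY + certificate (+ DH parameters when BITS > 0) to OUT, mode 0600.
# Usage: make_combined_pem KEY CRT OUT [BITS]   (Courier: BITS=2048, Jabberd: 0)
make_combined_pem() {
  key=$1; crt=$2; out=$3; bits=${4:-0}
  key_matches_cert "$key" "$crt" || { echo "$key does not match $crt" >&2; return 1; }
  ( umask 077; cat "$key" >"$out" )          # the key file has nothing to strip
  extract_pem CERTIFICATE "$crt" >>"$out"    # certificate without the text dump
  if [ "$bits" -gt 0 ]; then
    openssl dhparam "$bits" 2>/dev/null >>"$out"
  fi
}

# Constructed test input: a key, a certificate in the form "openssl ca" hands
# you (text dump first), and an unrelated key to show the mismatch check firing.
make_test_material() {
  dir=$1
  printf '[req]\ndistinguished_name = dn\n[dn]\n' >"$dir/req.cnf"
  openssl req -config "$dir/req.cnf" -x509 -nodes -days 30 -newkey rsa:2048 \
    -keyout "$dir/mail.key" -out "$dir/mail.clean.crt" \
    -subj /CN=mail.example.org 2>/dev/null
  openssl x509 -in "$dir/mail.clean.crt" -text >"$dir/mail.crt"
  openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
}

if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_test_material "$work"
  make_combined_pem "$work/mail.key" "$work/mail.crt" "$work/imapd.pem"
  echo "wrote $work/imapd.pem with $(count_pem_blocks CERTIFICATE "$work/imapd.pem") certificate block"
  make_combined_pem "$work/other.key" "$work/mail.crt" "$work/bad.pem" ||
    echo "mismatched key rejected, as intended"
fi
```

The demo passes BITS=0 (the Jabberd case) because generating 2048-bit DH parameters takes a long time; for the Courier files call make_combined_pem with 2048 as the fourth argument, which appends the same output as openssl dhparam 2048 >> courier.pem. The file is created under umask 077, so the chmod 0600 step above is already satisfied.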
Psi is the only OS X Jabber client (as far as I know) that verifies the authenticity of SSL certificates, though there is an option to hide warnings. It comes with a set of root certificates, to which you have to add the certificate for your root Certificate Authority (instead of using the system Keychain).
In ca.crt, replace
-----BEGIN CERTIFICATE-----
with
<certificate><data>
and
-----END CERTIFICATE-----
with
</data></certificate>
Do Show Package Contents on Psi.app, then open Contents/Resources/certs/rootcert.xml and add in the new data from ca.crt. Connect to the server on port 5223.
Comments
Thanks soo much, this is exactly what I was looking for.
:) thank you for the nice howto.
Thanks a lot! Very nice and extremely useful howto! Matched my config too ;)
Very helpful howto. Has saved me much time. Thanks!
yep, great work. saved me a lot of time, too.
Good stuff. The overall HowTo is a bit terse, there could be more information or more explanation. I used this with Apache 1.3.33 so perhaps that proves it is clear enough for anyone to use.
Well done.
Thanks for your very clear howto, I installed Apache2 + Courier + Postfix, over SSL, and everything is running fine !
Ahh, I wish all howtos were written like this!!
Just one comment to save someone's 5 min :)
If you need more than one certificate you need to set 'unique_subject = no' in ca.config and redo steps for every certificate:
cp /dev/null ca.index
echo '01' >ca.serial
cp /dev/null ca.index
echo '02' >ca.serial
... etc
Thank you!!
Superb Howto!
Just needed to remember that, because the exim server is behind a NAT and my test client is on the same LAN, I had to set up a hosts file and connect to the FQDN rather than the local IP address; then it all worked.
Oh and synchronising my clocks helped LOL
Thanks for the easy to follow pasteable instructions
thanks a *lot*, that cleared up a whole bunch of confusion!
if you'd ever travel to Warsaw, Poland, drop me a line and you'll get your free, ice-cold beer or two for this one!
Note that modifying the X509 keychain may only be possible for admin users. In my experience it seems actions like adding or deleting certificates in the X509 anchors keychain will be done, but the modification is not really saved to the keychain.
THX a lot !
THX!
Thank you..
There's all kinds of scripts and tools but when you just need openssl to create some self-signed CAs it can be damn near impossible to find "to the point" info... Saved some nerves you did.
Hi!
Just a little tip: You can get free server certificates from www.cacert.org.
Sad enough, the root certificate is not yet in browsers or email clients, but they're working on an audit to get acknowledged.
Until then, browsers and email clients will nag about the certificate, but they will do so with self-signed all the way :)
To do so, you'll have to paste the .csr file to cacert and write the result to .crt, leaving the signature from your own self-root-ca aside.
Exim4 notes are golden! Thanks