Posts Tagged SSL

OpenSSL certificate generation

You must have the CA configured properly; that is not within the scope of this post.

For a self-signed certificate

The self-signed certificate is written to <hostname>.crt and the private key to <hostname>.key.

openssl req -x509 -newkey rsa:4096 -keyout <hostname>.key -out <hostname>.crt -days 365

For a CSR (Certificate Signing Request)

The request is written to <hostname>.csr and the private key to <hostname>.key.

The -nodes option turns off the passphrase prompt, so the private key is stored unencrypted. This is a Bad Idea for personal certificates, though it is sometimes used for server certificates.

openssl req -newkey rsa:4096 -sha256 -nodes -out <hostname>.csr -outform PEM

Without -keyout, openssl writes the new private key to privkey.pem, so rename it:

mv privkey.pem <hostname>.key

To generate a DH key

Make sure to adjust the Apache configuration accordingly; see https://httpd.apache.org/docs/trunk/ssl/ssl_faq.html and https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

To sign a CSR

The request is in <hostname>.csr and the signed certificate is written to <hostname>.crt.

openssl ca -policy signing_policy -extensions signing_req -out <hostname>.crt -infiles <hostname>.csr

To verify a certificate or request

The request is in <hostname>.csr and the certificate is in <hostname>.crt.

openssl x509 -in <hostname>.crt -text -noout
openssl req -text -noout -verify -in <hostname>.csr
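An added example, not part of the post, that runs the commands above non-interactively for a constructed hostname (example.test) and adds the checks worth doing before deploying: that the private key belongs to both the certificate and the CSR, and that the self-signed certificate validates against itself. The -subj and -nodes flags and the 2048-bit key size are assumptions made only to avoid prompts and keep the run short.

```shell
#!/bin/sh
# Added example (not the post's own commands): generate key, self-signed
# cert and CSR for a constructed hostname, then check they belong together.
# -subj/-nodes avoid prompts; 2048 bits instead of the post's 4096 for speed.
set -eu

# Print the public key (SPKI, PEM) held in a private key, certificate or CSR,
# so the three artefacts can be compared on equal terms.
spki_of() {
    case $1 in
        *.key) openssl pkey -in "$1" -pubout 2>/dev/null ;;
        *.crt) openssl x509 -in "$1" -pubkey -noout 2>/dev/null ;;
        *.csr) openssl req -in "$1" -pubkey -noout 2>/dev/null ;;
        *) echo "unknown file type: $1" >&2; return 2 ;;
    esac
}

# Usage: same_key FILE1 FILE2 -> 0 when both carry the same public key
same_key() {
    a=$(spki_of "$1") && b=$(spki_of "$2") && [ -n "$a" ] && [ "$a" = "$b" ]
}
# Usage: generate_material HOST DIR -> writes HOST.key, HOST.crt, HOST.csr
generate_material() {
    host=$1; dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" -days 365 2>/dev/null
    # CSR for the same key: -key reuses it instead of creating privkey.pem
    openssl req -new -sha256 -key "$dir/$host.key" -subj "/CN=$host" \
        -out "$dir/$host.csr" -outform PEM 2>/dev/null
}

# Usage: check_material HOST DIR -> 0 when key, cert and CSR are consistent
check_material() {
    host=$1; dir=$2
    k="$dir/$host.key"; c="$dir/$host.crt"; r="$dir/$host.csr"
    openssl x509 -in "$c" -noout -text >/dev/null         # cert parses
    openssl req -in "$r" -noout -verify >/dev/null 2>&1   # CSR self-signature OK
    same_key "$k" "$c" || { echo "certificate does not match key" >&2; return 1; }
    same_key "$k" "$r" || { echo "CSR does not match key" >&2; return 1; }
    # A self-signed certificate must verify with itself as the trust anchor
    openssl verify -CAfile "$c" "$c" >/dev/null 2>&1 || { echo "bad self-signature" >&2; return 1; }
    openssl x509 -in "$c" -noout -subject | grep -q "CN *= *$host"
}

if [ "${1:-}" = "--run" ]; then
    d=$(mktemp -d); generate_material example.test "$d"
    check_material example.test "$d" && echo "ok"; rm -rf "$d"
fi
```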


SSL, Postfix and IMAP

When setting up an authenticated SMTP service, be sure your IMAP server is accessible. The reason for this is that Postfix will check the username using the SASLauth daemon, and the SASLauth daemon uses the “rimap” method for checking the username. Rimap is “remote IMAP”: it tries to log into the configured IMAP service, which by default is defined as ‘localhost’.


Rant on Apache2

Recently I was trying to move my sites to SSL – for various reasons.
The test site went fluently, while the work machine refused to serve SSL content. While testing with ‘wget’, the error I received was

GnuTLS: An unexpected TLS packet was received.
