I was trying to set up a self-signed certificate for dovecot by hand (not with mkcert.sh), when I encountered this:
generate an rsa key for dovecot. application rsa keys must not be encrypted (e.g. password protected, des/des3)
[root@rhel58-clone1 ~]# mkdir dovecot; cd dovecot
[root@rhel58-clone1 dovecot]# openssl genrsa -out dovecot.key 2048
generate a certificate signing request
[root@rhel58-clone1 dovecot]# openssl req -new -key dovecot.key -out dovecot.csr
sign with your CA:
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Error opening CA private key ../../CA/private/CA.key
3765:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/private/CA.key','r')
3765:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
edit /etc/pki/tls/openssl.cnf:
[root@rhel58-clone1 dovecot]# vi /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/CA.key:
Error opening CA certificate /etc/pki/CA/cacert.pem
3771:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/cacert.pem','r')
3771:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load certificate
make another edit:
[root@rhel58-clone1 dovecot]# vi /etc/pki/tls/openssl.cnf
certificate = $dir/CA.crt
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/CA.key:
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: No such file or directory
eh, then why don't you create it? lazy openssl...
[root@rhel58-clone1 dovecot]# mkdir /etc/pki/CA/newcerts
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/CA.key:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
3789:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/index.txt','r')
3789:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
[root@rhel58-clone1 dovecot]# touch /etc/pki/CA/index.txt
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/CA.key:
/etc/pki/CA/serial: No such file or directory
error while loading serial number
3792:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/pki/CA/serial','r')
3792:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
[root@rhel58-clone1 dovecot]# touch /etc/pki/CA/serial
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/CA.key:
unable to load number from /etc/pki/CA/serial
error while loading serial number
3803:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
[root@rhel58-clone1 dovecot]# echo 01 > /etc/pki/CA/serial
[root@rhel58-clone1 dovecot]# openssl ca -in dovecot.csr -out dovecot.crt
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/CA.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Sep 14 12:48:54 2012 GMT
Not After : Sep 14 12:48:54 2013 GMT
Subject:
countryName = SG
stateOrProvinceName = Singapore
organizationName = EXAMPLE.COM
commonName = rhel58-clone1.example.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
B9:62:6E:2E:F0:5D:F9:9C:91:49:C8:BC:A8:0B:3A:C6:F1:70:09:B3
X509v3 Authority Key Identifier:
keyid:7E:F5:F4:F1:A5:8A:D5:DD:2C:01:93:FD:78:CA:8C:C0:37:8D:85:63
Certificate is to be certified until Sep 14 12:48:54 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
(*facepalm* finally...)
examine dovecot.conf to know where to copy these files:
defaults:
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.pem
ssl_key_file = /etc/pki/dovecot/private/dovecot.pem
edit to:
ssl_cert_file = /etc/pki/dovecot/certs/dovecot.crt
ssl_key_file = /etc/pki/dovecot/private/dovecot.key
copy the files:
[root@rhel58-clone1 dovecot]# mv dovecot.key /etc/pki/dovecot/private/
[root@rhel58-clone1 dovecot]# mv dovecot.crt /etc/pki/dovecot/certs/
[root@rhel58-clone1 dovecot]# service dovecot restart
Setting up CA
edit /etc/pki/tls/openssl.cnf:
[root@rhel58-clone1 ~]# vi /etc/pki/tls/openssl.cnf
dir = /etc/pki/CA
certificate = $dir/CA.crt
then:
[root@rhel58-clone1 ~]# cd /etc/pki/CA
[root@rhel58-clone1 CA]# openssl genrsa -out private/CA.key 2048
[root@rhel58-clone1 CA]# chmod 600 private/CA.key
[root@rhel58-clone1 CA]# openssl req -new -x509 -key private/CA.key -days 365 -out CA.crt
[root@rhel58-clone1 CA]# mkdir newcerts; touch index.txt; echo 01 > serial
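As an added example (not the post's own commands), here is the whole procedure above in one script: it builds a throwaway CA under a temporary directory with its own minimal openssl.cnf, containing exactly the dir / certificate / private_key / new_certs_dir / database / serial entries whose absence produced the errors above, then generates the unencrypted dovecot key and CSR, signs it with `openssl ca -batch`, and checks the result the way dovecot and a mail client would. The directory layout, config section names, the unencrypted CA key (so the script runs without prompts) and the example.com hostname are assumptions for this script; on the RHEL box you would point `dir` at /etc/pki/CA and keep the pass phrase on CA.key. It goes one step beyond the post: the server certificate gets a subjectAltName and serverAuth extended key usage through `openssl ca -extfile`, because clients validate the hostname against the SAN rather than the commonName.

```shell
#!/bin/sh
# Added example (not the post's own commands): a throwaway CA under a temp
# directory with its own openssl.cnf, a Dovecot server certificate issued by
# it, and checks that the result is what Dovecot needs. All paths, section
# names and the example.com hostname are constructed for this script.

# Create the layout `openssl ca` expects under $1: the pieces the post had to
# add one by one (newcerts/, index.txt, a non-empty serial) plus a config.
setup_ca_dir() {
    ca_dir="$1"
    mkdir -p "$ca_dir/private" "$ca_dir/newcerts"
    chmod 700 "$ca_dir/private"
    : > "$ca_dir/index.txt"       # certificate database: must exist, may be empty
    echo 01 > "$ca_dir/serial"    # next serial: must exist and must not be empty
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir           = $ca_dir
certificate   = \$dir/CA.crt
private_key   = \$dir/private/CA.key
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
default_md    = sha256
default_days  = 365
policy        = policy_any

[ policy_any ]
commonName          = supplied
countryName         = optional
stateOrProvinceName = optional
organizationName    = optional

[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = ca_cert

[ req_dn ]
# empty: subjects are passed on the command line with -subj

[ ca_cert ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# CA key and self-signed CA certificate. The key is left unencrypted so the
# script runs non-interactively; the post's CA key has a pass phrase instead.
create_ca() {
    ca_dir="$1"
    openssl genrsa -out "$ca_dir/private/CA.key" 2048 2>/dev/null
    chmod 600 "$ca_dir/private/CA.key"
    openssl req -new -x509 -config "$ca_dir/openssl.cnf" \
        -key "$ca_dir/private/CA.key" -days 365 \
        -subj "/C=SG/ST=Singapore/O=EXAMPLE.COM/CN=Example Test CA" \
        -out "$ca_dir/CA.crt"
}

# Unencrypted server key (Dovecot cannot use a password-protected one), CSR,
# and signing. Extensions come from a per-request file: CA:FALSE, serverAuth
# and a subjectAltName, which clients check instead of the commonName.
issue_server_cert() {
    ca_dir="$1"; out_dir="$2"; fqdn="$3"
    openssl genrsa -out "$out_dir/dovecot.key" 2048 2>/dev/null
    chmod 600 "$out_dir/dovecot.key"
    openssl req -new -config "$ca_dir/openssl.cnf" -key "$out_dir/dovecot.key" \
        -subj "/C=SG/ST=Singapore/O=EXAMPLE.COM/CN=$fqdn" -out "$out_dir/dovecot.csr"
    cat > "$out_dir/dovecot.ext" <<EOF
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$fqdn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    # -batch answers the "Sign the certificate?" and "commit?" prompts with yes
    openssl ca -batch -config "$ca_dir/openssl.cnf" -extfile "$out_dir/dovecot.ext" \
        -in "$out_dir/dovecot.csr" -out "$out_dir/dovecot.crt"
}

# Checks that Dovecot will load this pair: chains to CA.crt, hostname in the
# SAN, key matches the cert, key not encrypted. Returns 0 when all hold.
verify_server_cert() {
    ca_dir="$1"; out_dir="$2"; fqdn="$3"
    openssl verify -CAfile "$ca_dir/CA.crt" -verify_hostname "$fqdn" \
        "$out_dir/dovecot.crt" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$out_dir/dovecot.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out_dir/dovecot.key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 1
    ! grep -q ENCRYPTED "$out_dir/dovecot.key"
}

WORK=$(mktemp -d)
FQDN=rhel58-clone1.example.com
setup_ca_dir "$WORK/CA"
create_ca "$WORK/CA"
issue_server_cert "$WORK/CA" "$WORK" "$FQDN"
verify_server_cert "$WORK/CA" "$WORK" "$FQDN" && echo "dovecot.crt OK for $FQDN"
# serial has advanced to 02 and index.txt lists the new certificate as V (valid)
cat "$WORK/CA/serial" "$WORK/CA/index.txt"
```

Run it with `sh` and it leaves the CA, the issued certificate and a copy of it as newcerts/01.pem under the temp directory. The last function is the check worth keeping around: after copying dovecot.crt and dovecot.key into /etc/pki/dovecot, running `openssl verify` against your CA.crt and comparing the two public keys catches a mismatched or encrypted key before `service dovecot restart` does.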