
Creating a private TLS certificate

These instructions are written for a Linux environment (Fedora Core 8); the certificate is used with Postfix. TLS (Transport Layer Security) is the successor of SSL (Secure Sockets Layer), a cryptographic protocol that provides a secure connection for web browsing, e-mail and the like. In my case I will use TLS for e-mail. The certificate creation follows the book The Book of Postfix: State-of-the-Art Message Transport (Ralf Hildebrandt and Patrick Koetter). In the directory /usr/local/ssl/misc run the following command and enter the data it asks for. Leave the CA certificate filename empty (just press Enter) so that a new one is created:

# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++++++
......................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SI
State or Province Name (full name) [Berkshire]:Gorenjska
Locality Name (eg, city) [Newbury]:Radovljica
Organization Name (eg, company) [My Company Ltd]:humerca.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.humerca.com
Email Address []:klemen@humerca.com

The demoCA directory is created:

# ls demoCA/
cacert.pem
certs
crl
index.txt
newcerts
private
serial

cacert.pem is the public key (the CA certificate); the private key is the file cakey.pem in the private/ subdirectory. The CA certificate now has to be installed on every client that will connect to the server. Change into the demoCA directory. Now we convert the certificate into the format that Windows requires:

# openssl x509 -in cacert.pem -out cacert.der -outform DER

The directory now contains cacert.der; copy it to the client computers and double-click it there. Now we still have to create the certificate for Postfix.

# openssl req -new -nodes -keyout postfix_private_key.pem -out postfix_private_key.pem -days 1825
Generating a 1024 bit RSA private key
...............++++++
...++++++
writing new private key to 'postfix_private_key.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:SI
State or Province Name (full name) [Berkshire]:Gorenjska
Locality Name (eg, city) [Newbury]:Radovljica
Organization Name (eg, company) [My Company Ltd]:humerca.com
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:mail.humerca.com
Email Address []:klemen@humerca.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xxxxxxxxx
An optional company name []:humerca.com

Now all that is left is to produce the public PEM certificate from the private file (which holds both the key and the signing request, because -keyout and -out pointed at the same file). If the demoCA directory is not inside the misc directory, move it there first.

# openssl ca -policy policy_anything -out postfix_public_cert.pem -infiles postfix_private_key.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /usr/local/ssl/misc/demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
e3:2a:25:7a:e9:70:2e:95
Validity
Not Before: Mar 15 18:51:02 2008 GMT
Not After : Mar 15 18:51:02 2009 GMT
Subject:
countryName = SI
stateOrProvinceName = Gorenjska
localityName = Radovljica
organizationName = humerca.com
commonName = mail.humerca.com
emailAddress = klemen@humerca.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
28:BE:FD:4C:EC:03:80:8E:92:B9:88:D0:58:CA:48:B3:5F:75:63:F4
X509v3 Authority Key Identifier:
keyid:EB:73:D9:F8:D2:0A:45:B0:74:FC:2D:7F:A3:2B:49:3E:F1:10:28:07
DirName:/C=SI/ST=Gorenjska/L=Radovljica/O=humerca.com/CN=mail.humerca.com/emailAddress=klemen@humerca.com
serial:E3:2A:25:7A:E9:70:2E:94

Certificate is to be certified until Mar 15 18:51:02 2009 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now copy postfix_private_key.pem, postfix_public_cert.pem and cacert.pem into /etc/postfix/certs, or wherever you keep your Postfix certificates. If you use UW-IMAP, you also have to build imapd.pem from the public certificate and the private key:

cat postfix_public_cert.pem postfix_private_key.pem > imapd.pem

Then copy imapd.pem to /etc/pki/tls/certs or /usr/local/ssl/certs, depending on your configuration. That is all.
