Get a Certificate from CACert
- 1 Introduction
- 1.1 Install common CA certificates
- 1.2 Signup at CAcert.org
- 1.3 Get the Certificate Signing Request Generator
- 1.4 Create a Private Key and Certificate Signing Request
- 1.5 Verify the content of your request
- 1.6 Send your public key to be signed by CAcert.org authority
- 1.7 Save your server certificate
- 1.8 Test your server certificate
- 2 SSL on Lighttpd
Introduction ¶
I wanted to add TLS/SSL capability to Lighttpd, vsftpd, Postfix, Dovecot, etc. and also use CACert.org to sign my certificates. This is still to be refined, but it was essentially accurate the last time I reviewed it, although I no longer use CACert.org.
Install common CA certificates ¶
aptitude install ssl-cert ca-certificates
Signup at CAcert.org ¶
Once you have registered you need to add your domain (example.org, for example) and then verify the domain addition from the email that gets sent out.
Get the Certificate Signing Request Generator ¶
wget http://svn.cacert.org/CAcert/Software/CSRGenerator/csr -O /usr/local/sbin/csr.sh
chown root:root /usr/local/sbin/csr.sh
chmod 750 /usr/local/sbin/csr.sh
Note that this fetches a shell script over plain HTTP, and you are about to run it as root to generate your private key: read it through before the chmod, and do not run it if it is not what you expect.
Create a Private Key and Certificate Signing Request ¶
I am making a wild card certificate here. There are potential issues with this; I have not completed all the testing to see what issues this may throw up. One that is certain: a wildcard matches exactly one label, so *.example.org covers www.example.org but neither example.org itself nor a.b.example.org. If the bare domain must be served as well, add DNS:example.org as a further SubjectAltName when prompted below.
/usr/local/sbin/csr.sh
Sample
Short Hostname (ie. imap big_srv www2): example
FQDN/CommonName (ie. www.example.com) : *.example.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:*.example.org
SubjectAltName: DNS:
The Certificate request is also available in ‘/root/example_csr.pem’
The Private Key is stored in ‘/root/example_privatekey.pem’
Move the files, change the ownership and permissions…
mv /root/example_privatekey.pem /etc/ssl/private
chown root:ssl-cert /etc/ssl/private/example_privatekey.pem
chmod 640 /etc/ssl/private/example_privatekey.pem
Verify the content of your request ¶
Before sending the request, verify its content and its self-signature with
openssl req -in /root/example_csr.pem -text -verify -noout
and check that the Subject and the SubjectAltName extension list exactly the names you entered, since the certificate you get back will carry whatever the request says.
Send your public key to be signed by CAcert.org authority ¶
Request a new server certificate from the CAcert.org web site. When you are asked for the CSR, paste the content of ‘/root/example_csr.pem’ into the box. The request contains only the public key; the private key never leaves the server.
Save your server certificate ¶
Copy the certificate from the web page and put it in the file ‘/etc/ssl/certs/example_certificate.pem’. Remember to do…
chown root:root /etc/ssl/certs/example_certificate.pem
chmod 444 /etc/ssl/certs/example_certificate.pem
…so that everybody can read it; the certificate is public, only the private key needs protecting. You can check the contents of this file with…
openssl x509 -in /etc/ssl/certs/example_certificate.pem -text -noout
At least the Validity and Subject fields should be checked, together with the Subject Alternative Name extension, because clients match the hostname against the SubjectAltName entries rather than the CommonName.
Test your server certificate ¶
You should test your server certificate like this:
openssl verify /etc/ssl/certs/example_certificate.pem
If everything is working, you should see “OK”, for example:
/etc/ssl/certs/example_certificate.pem: OK
This relies on the CAcert root certificate being in the system trust store that the ca-certificates package installed. If it is not there (current Debian and Ubuntu ca-certificates packages no longer ship the CAcert roots), verify reports an untrusted issuer even for a good certificate; in that case download the CAcert root separately and pass it with -CAfile.
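The procedure above (steps 1.4 to 1.8) as an added worked example; it is not the page's csr.sh nor anything from CAcert. It is written in Go against the standard library so it runs offline: a constructed self-signed CA plays the part of CAcert, but the key generation, the CSR with a SubjectAltName, the CSR self-signature check, a key-match check the page does not include, the signing and the chain verification against an explicit trust anchor are the real steps, and it finishes with the hostname check a TLS client performs, which shows what the wildcard from the sample session does and does not cover. All names are the page's placeholders.

```go
// Added example (not the page's csr.sh nor CAcert code): steps 1.4 to 1.8 with
// Go's standard library, offline; a constructed self-signed CA stands in for CAcert.
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const commonName = "*.example.org"              // CN from the page's sample session
var subjectAltNames = []string{"*.example.org"} // the single SAN the sample enters

// newKeyAndCSR mirrors csr.sh: fresh private key, CSR carrying CN and SANs.
func newKeyAndCSR() (*rsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: commonName}, DNSNames: subjectAltNames}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// checkCSR is "openssl req -verify" plus the check the page omits: the CSR's
// public key must belong to the private key going into /etc/ssl/private.
func checkCSR(csr *x509.CertificateRequest, key *rsa.PrivateKey) error {
	if err := csr.CheckSignature(); err != nil {
		return err
	}
	if !key.PublicKey.Equal(csr.PublicKey) {
		return errors.New("CSR public key does not match the private key")
	}
	return nil
}

// signWithTestCA stands in for CAcert: a constructed self-signed CA issues a
// server certificate from the CSR, copying Subject and SANs across.
func signWithTestCA(csr *x509.CertificateRequest) (ca, leaf *x509.Certificate, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now, NotAfter: now.Add(365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: now, NotAfter: now.Add(180 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, err
}

// verifyFor is "openssl verify" with the root passed explicitly (-CAfile)
// plus the hostname check a TLS client makes against the SANs.
func verifyFor(leaf, ca *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	key, csr, err := newKeyAndCSR()
	if err != nil {
		panic(err)
	}
	if err = checkCSR(csr, key); err != nil {
		panic(err)
	}
	ca, leaf, err := signWithTestCA(csr)
	if err != nil {
		panic(err)
	}
	// A wildcard covers exactly one label: the bare domain and deeper names fail.
	for _, h := range []string{"www.example.org", "example.org", "a.b.example.org"} {
		fmt.Printf("%-16s %v\n", h, verifyFor(leaf, ca, h))
	}
}
```

The key-match check is the one addition over the page's openssl req -verify; with the command-line tools it is the same comparison as running openssl req -pubkey -noout on the CSR and openssl pkey -pubout on the private key and checking that the two PUBLIC KEY blocks are identical. The three hostname results at the end are why a second SubjectAltName line, DNS:example.org, is needed in the csr.sh session if the bare domain is also to be served.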
SSL on Lighttpd ¶
If you want to use a CACert.org certificate for Lighttpd then these additional steps are required. This just creates a certificate file suitable for use with Lighttpd; it does not cover the SSL configuration of Lighttpd, which is covered in my WebServer page.
cat /etc/ssl/private/example_privatekey.pem /etc/ssl/certs/example_certificate.pem > /etc/ssl/private/example_lighttpd.pem
chgrp www-data /etc/ssl/private/example_lighttpd.pem
chmod 640 /etc/ssl/private/example_lighttpd.pem
The combined file contains the private key, so it stays under /etc/ssl/private, readable only by root and the www-data group that Lighttpd runs as; do not put it in /etc/ssl/certs with the world-readable certificate.