Get a Certificate from StartSSL

Introduction

I wanted to add TLS/SSL capability to lighttpd, vsftpd, Postfix, Dovecot, ejabberd and so on, using certificates from StartSSL, a certificate authority that issues them free of charge.

Install common CA certificates

sudo apt-get install ssl-cert ca-certificates

Signup at StartSSL.com

Once you have registered you need to add your domain and then verify the domain addition using the email that gets sent out.

Create a Certificate Signing Request

openssl req -new -newkey rsa:2048 -nodes -keyout www_privatekey.pem -out www_csr.pem

The -nodes option writes the private key unencrypted so that the daemons can start without a passphrase; make www_privatekey.pem readable only by root (mode 600) as soon as it exists and keep it out of any web-served directory. The Common Name must be the exact hostname clients will connect to (here www.example.org); a certificate for www.example.org will not be accepted by clients connecting to mail.example.org.

Sample

Generating a 2048 bit RSA private key
..................................++++++
....................++++++
writing new private key to 'www_privatekey.pem'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:GB
State or Province Name (full name) [Some-State]:Someshire
Locality Name (eg, city) []:Some City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Some Organisation
Organizational Unit Name (eg, section) []:IT
Common Name (eg, YOUR name) []:www.example.org
Email Address []:hostmaster@example.org

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Verify the content of your request

Before sending it, check the request's contents and that its self-signature verifies with

openssl req -in www_csr.pem -text -verify -noout

Confirm that the Common Name is the hostname you intend to serve and that the key is 2048 bits.

Send your certificate request to be signed by the StartSSL authority

Request a new server certificate from the StartSSL web site. When you are asked for the CSR, paste the contents of 'www_csr.pem' into the box. Only the request (which carries the public key) leaves your machine; the private key stays where you generated it.

Save your server certificate

Copy the certificate from the web page into a file called 'www_certificate.pem'. You can check the contents of this file with

openssl x509 -in www_certificate.pem -text -noout

Test your server certificate

You should test your server certificate against the system CA store like this:

openssl verify www_certificate.pem

If everything is working, you should see "OK":

www_certificate.pem: OK

If instead you get "unable to get local issuer certificate", the StartSSL intermediate that signed your certificate is not in the system store; point openssl at it with -untrusted sub.class1.server.ca.pem (the file is downloaded in the lighttpd section below). Note that openssl verify checks only the chain and validity period, not the hostname, so compare the Subject CN in the -text output with the name clients will use.

Create Lighttpd Certificate

This broadly describes how to get StartSSL certificates working with lighttpd.

cat www_certificate.pem www_privatekey.pem > /etc/ssl/private/lighttpd.pem
chown root:www-data /etc/ssl/private/lighttpd.pem
chmod 640 /etc/ssl/private/lighttpd.pem
wget http://www.startssl.com/certs/ca.pem -O ca.pem
wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O sub.class1.server.ca.pem
cat ca.pem sub.class1.server.ca.pem > /etc/ssl/certs/lighttpd.pem
chown root:root /etc/ssl/certs/lighttpd.pem
chmod 644 /etc/ssl/certs/lighttpd.pem

The pemfile contains the private key, so it lives in /etc/ssl/private and is readable only by root and the www-data group; the CA file contains only public certificates and can be world-readable. The CA files are fetched over plain HTTP, which anyone on the network path could tamper with, so before trusting them compare their fingerprints (openssl x509 -noout -fingerprint -in ca.pem) with a copy obtained over a trusted channel, such as the StartCom root already shipped in the ca-certificates package.

The SSL portion of the lighttpd config should look something like this.

$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine  = "enable"
    ssl.ca-file = "/etc/ssl/certs/lighttpd.pem"
    ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
}

Test https

wget http://www.startssl.com/certs/ca.pem -O /tmp/ca.pem
openssl s_client -CAfile /tmp/ca.pem -connect www.example.org:443

The output should end with "Verify return code: 0 (ok)". A return code of 21 ("unable to verify the first certificate") typically means lighttpd is not sending the intermediate, so check ssl.ca-file.

Create Postfix Certificate

This broadly describes how to get StartSSL certificates working with Postfix. It assumes you have been through the steps above a second time for the mail server's name (Common Name mail.example.org) and saved the result as mail_certificate.pem and mail_privatekey.pem in the directories below.

wget http://www.startssl.com/certs/ca-bundle.crt -O ca-bundle.crt
cat ca-bundle.crt > /etc/ssl/certs/ca-bundle.crt
chmod 644 /etc/ssl/certs/ca-bundle.crt
wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O sub.class1.server.ca.pem
cat /etc/ssl/certs/mail_certificate.pem sub.class1.server.ca.pem > /etc/ssl/certs/postfix.pem
cat /etc/ssl/private/mail_privatekey.pem > /etc/ssl/private/postfix.pem
chown root:ssl-cert /etc/ssl/private/postfix.pem
chmod 640 /etc/ssl/private/postfix.pem
chown root:root /etc/ssl/certs/postfix.pem
chmod 444 /etc/ssl/certs/postfix.pem

The intermediate is appended to postfix.pem so that Postfix sends the full chain; without it, peers that trust only the StartCom root cannot verify the certificate. The private key must not be world-readable: 640 with owner root and group ssl-cert is the Debian convention for /etc/ssl/private and is what the chown above sets up.

The TLS portion of the Postfix config should look something like this.

smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtp_tls_cert_file = /etc/ssl/certs/postfix.pem
smtp_tls_key_file = /etc/ssl/private/postfix.pem
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_tls_session_cache
smtp_use_tls = yes

smtpd_tls_CAfile = /etc/ssl/certs/ca-bundle.crt
smtpd_tls_cert_file = /etc/ssl/certs/postfix.pem
smtpd_tls_key_file = /etc/ssl/private/postfix.pem
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
smtpd_use_tls = yes

smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtpd_tls_auth_only = no
tls_random_source = dev:/dev/urandom

With smtpd_tls_auth_only = no, Postfix advertises AUTH on the unencrypted connection as well (you can see this in the EHLO output below, where AUTH PLAIN LOGIN appears before STARTTLS), so a client that does not upgrade sends its password in the clear. Set it to yes unless you must support clients that cannot do TLS. On Postfix 2.3 and later, smtp_use_tls and smtpd_use_tls are the obsolete spellings of smtp_tls_security_level = may and smtpd_tls_security_level = may; the old names still work, but the newer ones are preferred.

Test smtp for TLS

telnet mail.example.org 25

You should get a banner similar to this.

Trying 127.0.0.1...
Connected to mail.example.org.
Escape character is '^]'.
220 mail.example.org NO UCE ESMTP

Issue a EHLO command

EHLO test.com

You should now see something like this. Check that 250-STARTTLS is listed.

250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Issue the STARTTLS command

STARTTLS

If you see the following, the server is willing to negotiate TLS.

220 2.0.0 Ready to start TLS

telnet cannot speak TLS, so the test stops here; to complete the handshake and verify the chain, use openssl s_client with -starttls smtp against port 25, in the same way as for https and imaps.

Create Dovecot Certificate

This broadly describes how to get StartSSL certificates working with Dovecot.

wget http://www.startssl.com/certs/sub.class1.server.ca.pem -O sub.class1.server.ca.pem
cat www_certificate.pem sub.class1.server.ca.pem > /etc/ssl/certs/dovecot.pem
cat www_privatekey.pem > /etc/ssl/private/dovecot.pem
chown root:ssl-cert /etc/ssl/private/dovecot.pem
chmod 640 /etc/ssl/private/dovecot.pem
chown root:root /etc/ssl/certs/dovecot.pem
chmod 444 /etc/ssl/certs/dovecot.pem

Clients will connect to mail.example.org, so the certificate must cover that name; if www_certificate.pem was issued only for www.example.org, use the mail certificate and key here instead. As with Postfix, the key file is 640 root:ssl-cert rather than world-readable.

The SSL portion of the Dovecot config should look something like this (these are the Dovecot 1.x setting names; Dovecot 2.x reads the same files through ssl_cert = </etc/ssl/certs/dovecot.pem and ssl_key = </etc/ssl/private/dovecot.pem).

ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem

Test imaps

wget http://www.startssl.com/certs/ca.pem -O /tmp/ca.pem
openssl s_client -CAfile /tmp/ca.pem -connect mail.example.org:993
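The three live checks on this page (https on 443, STARTTLS on 25, imaps on 993) can be run from one small script. The following is an added example written for this page, not code from the original post or from any of the servers named; it uses only the Python standard library. probe() trusts only the CA file you pass, exactly like -CAfile, verifies the chain and the hostname, and reports the certificate's remaining lifetime; for SMTP it also records whether AUTH was offered before STARTTLS, which is the smtpd_tls_auth_only issue noted in the Postfix section. SAMPLE_EHLO is a constructed copy of the EHLO reply shown above; the host, port and CA path are whatever you pass on the command line.

```python
"""Probe a TLS service: verify the chain against a CA file, check the name,
report expiry, and (for SMTP) see whether AUTH is offered before STARTTLS."""
import smtplib
import socket
import ssl
import sys
import time

# Constructed sample: a copy of the EHLO reply shown on this page.
SAMPLE_EHLO = """250-mail.example.org
250-PIPELINING
250-SIZE 52428800
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""


def cert_seconds(not_after):
    """Epoch seconds for a getpeercert() notAfter string such as 'Jun  1 12:00:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_left(not_after, now=None):
    """Whole days until the certificate expires; negative once it has expired."""
    now = time.time() if now is None else now
    return int((cert_seconds(not_after) - now) // 86400)


def parse_ehlo(text):
    """Turn an EHLO reply into {EXTENSION: [params]}.

    Accepts the wire form ('250-STARTTLS') and the form smtplib.SMTP.ehlo()
    returns (status codes already stripped). The first line is the server's
    name and is skipped; 'AUTH=PLAIN LOGIN' is the legacy spelling of AUTH.
    """
    exts = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        if line[:3].isdigit() and line[3:4] in ('-', ' '):
            line = line[4:]
        if line.upper().startswith('AUTH='):
            line = 'AUTH ' + line[5:]
        name, *params = line.split()
        bucket = exts.setdefault(name.upper(), [])
        for p in params:
            if p not in bucket:
                bucket.append(p)
    return exts


def cleartext_auth_offered(exts):
    """True if AUTH appears in the EHLO reply taken BEFORE STARTTLS: the server
    accepts a password over the unencrypted connection (Postfix: smtpd_tls_auth_only = no)."""
    return 'AUTH' in exts


def summarize(tls_sock):
    """Pull the fields an administrator wants from an established, verified TLS socket."""
    cert = tls_sock.getpeercert()
    return {
        'subject': dict(rdn[0] for rdn in cert['subject']),
        'issuer': dict(rdn[0] for rdn in cert['issuer']),
        'days_left': days_left(cert['notAfter']),
        'protocol': tls_sock.version(),
    }


def probe(host, port, cafile, starttls=False, timeout=10):
    """Connect and verify like 'openssl s_client -CAfile cafile', but also check the hostname.

    Only the CAs in cafile are trusted (create_default_context loads nothing else
    when cafile is given). starttls=True speaks plaintext SMTP first and upgrades,
    like 's_client -starttls smtp'. A bad chain or name raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    report = {'host': host, 'port': port}
    if starttls:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            _code, msg = smtp.ehlo()
            before = parse_ehlo(msg.decode('utf-8', 'replace'))
            if 'STARTTLS' not in before:
                raise RuntimeError('%s:%d does not advertise STARTTLS' % (host, port))
            report['cleartext_auth'] = cleartext_auth_offered(before)
            smtp.starttls(context=ctx)  # handshake, chain and hostname check happen here
            report.update(summarize(smtp.sock))
    else:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                report.update(summarize(tls))
    return report


if __name__ == '__main__':
    h, p, ca = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    print(probe(h, p, ca, starttls=p in (25, 587)))
```

Save it as, say, tlsprobe.py and run python3 tlsprobe.py mail.example.org 25 /tmp/ca.pem (or 993, or www.example.org 443). A chain or hostname failure raises rather than printing a report, which is the behaviour you want when the script runs from cron a few weeks before the certificate expires.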

Create eJabberd Certificate

This broadly describes how to get StartSSL certificates working with eJabberd.

cat www_privatekey.pem www_certificate.pem sub.class1.server.ca.pem > /etc/ejabberd/ejabberd.pem
chown ejabberd:ejabberd /etc/ejabberd/ejabberd.pem
chmod 400 /etc/ejabberd/ejabberd.pem

The SSL portion of the eJabberd config should look something like this.

 {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}
                       ]},

 {s2s_use_starttls, true}.
 {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

Create vsftpd Certificate

This broadly describes how to get StartSSL certificates working with vsftpd.

cat www_certificate.pem sub.class1.server.ca.pem > /etc/ssl/certs/vsftpd.pem
cat www_privatekey.pem > /etc/ssl/private/vsftpd.pem
chown root:ssl-cert /etc/ssl/private/vsftpd.pem
chmod 640 /etc/ssl/private/vsftpd.pem
chown root:root /etc/ssl/certs/vsftpd.pem
chmod 444 /etc/ssl/certs/vsftpd.pem

The intermediate (sub.class1.server.ca.pem, downloaded in the lighttpd section) is appended so that FTP clients receive the full chain, and the key file is again 640 root:ssl-cert rather than world-readable.

The SSL portion of the vsftpd config should look something like this.

rsa_cert_file=/etc/ssl/certs/vsftpd.pem
rsa_private_key_file=/etc/ssl/private/vsftpd.pem
ssl_enable=YES
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO

force_local_data_ssl=NO and force_local_logins_ssl=NO leave TLS optional, so a client that does not ask for it sends the password in the clear; set both to YES once your clients are known to support TLS. Disabling SSLv2 and SSLv3 is correct, as both protocols are broken.
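Every server section above ends with the same ritual: cat the PEM blocks into a file, chown it and chmod it, and the mode that matters is the one on any file that contains the private key. The following is an added example written for this page, not code from the original post or from any of the servers mentioned; it uses only the Python standard library. audit_bundle() reports which PEM blocks a file holds and flags a world-readable key (the mistake a chmod 644 on a key file makes), a key sitting inside a certificate file, and a certificate-only file carrying a single certificate, which usually means the intermediate was not appended. FAKE_CERT and FAKE_KEY are constructed placeholders with no real key material; demo() writes them to a temporary directory, so nothing under /etc/ssl is touched.

```python
"""Audit the PEM bundles built above with cat, chown and chmod: which blocks
each file holds, and whether a file holding a private key is world-readable."""
import os
import re
import stat
import tempfile

PEM_BLOCK = re.compile(r'-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?-----END \1-----', re.S)
# Any of these labels means the file holds secret material.
KEY_LABELS = {'PRIVATE KEY', 'RSA PRIVATE KEY', 'EC PRIVATE KEY', 'ENCRYPTED PRIVATE KEY'}

# Constructed samples: placeholder bodies, not real key or certificate material.
# The audit looks only at the BEGIN/END labels, so it does not need valid DER.
FAKE_CERT = '-----BEGIN CERTIFICATE-----\nMIIB.placeholder.\n-----END CERTIFICATE-----\n'
FAKE_KEY = '-----BEGIN RSA PRIVATE KEY-----\nMIIE.placeholder.\n-----END RSA PRIVATE KEY-----\n'


def pem_labels(text):
    """Labels of every PEM block in file order, e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def audit_bundle(path, kind):
    """Return a list of findings (empty means OK) for a PEM file of the given kind:
    'key'      private key only   (Postfix/Dovecot/vsftpd *_key_file)
    'cert'     certificate chain  (Postfix/Dovecot/vsftpd *_cert_file, CA bundles)
    'combined' cert + key in one  (lighttpd ssl.pemfile, ejabberd certfile)
    """
    with open(path) as f:
        labels = pem_labels(f.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    certs = labels.count('CERTIFICATE')
    has_key = any(lbl in KEY_LABELS for lbl in labels)
    findings = []
    if not labels:
        findings.append('no PEM blocks found')
    if kind in ('key', 'combined') and not has_key:
        findings.append('expected a private key block')
    if kind in ('cert', 'combined') and certs == 0:
        findings.append('expected at least one CERTIFICATE block')
    if kind == 'cert' and has_key:
        findings.append('private key inside a certificate file (these are usually mode 444)')
    if kind == 'cert' and certs == 1:
        findings.append('hint: only one CERTIFICATE; a server file usually needs the intermediate appended')
    if has_key and mode & stat.S_IROTH:
        findings.append('private key is world-readable (mode %04o); use 640 root:ssl-cert or 600' % mode)
    return findings


def write_bundle(path, text, mode):
    """Create a file and set its mode explicitly, like cat followed by chmod."""
    with open(path, 'w') as f:
        f.write(text)
    os.chmod(path, mode)


def demo():
    """Rebuild three layouts from this page in a temp dir and audit each."""
    with tempfile.TemporaryDirectory() as d:
        # Key file written with chmod 644: a world-readable secret.
        write_bundle(os.path.join(d, 'loose.pem'), FAKE_KEY, 0o644)
        # Dovecot-style cert file: leaf + intermediate, public, no key.
        write_bundle(os.path.join(d, 'dovecot.pem'), FAKE_CERT + FAKE_CERT, 0o444)
        # lighttpd-style pemfile: cert + key, readable by root and the server group only.
        write_bundle(os.path.join(d, 'lighttpd.pem'), FAKE_CERT + FAKE_KEY, 0o640)
        return {
            'loose_key': audit_bundle(os.path.join(d, 'loose.pem'), 'key'),
            'dovecot_cert': audit_bundle(os.path.join(d, 'dovecot.pem'), 'cert'),
            'lighttpd_pem': audit_bundle(os.path.join(d, 'lighttpd.pem'), 'combined'),
        }


if __name__ == '__main__':
    for name, findings in demo().items():
        print(name, findings or ['ok'])
```

To check the real files, call audit_bundle('/etc/ssl/private/postfix.pem', 'key'), audit_bundle('/etc/ssl/certs/postfix.pem', 'cert'), audit_bundle('/etc/ssl/private/lighttpd.pem', 'combined') and so on, with kind matching how each daemon uses the file.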
