
how to generate a server certificate

Posted: Sat Jan 10, 2009 9:21 pm
by stephen
how to generate a server certificate


To create a server certificate using cacert.org, run the following on your server:
# openssl genrsa -des3 -out imaps.example.org.key 1024
at Enter pass phrase for imaps.example.org.key:
next
# openssl req -new -key imaps.example.org.key -out imaps.example.org.csr
at Enter pass phrase for imaps.example.org.key:

cat imaps.example.org.csr

Copy the certificate displayed on the screen.

Log in to http://www.cacert.org/
Login
Click on domains and add your domain to the list of domains you manage.
Click Server certificates
Click New
Paste your CSR (Certificate Signing Request) into the text area on the form.
Now copy the generated certificate,
create a new file on the server, imaps.example.org.cert,
and paste the resulting certificate from CAcert into imaps.example.org.cert.

Create a nopassword version of the file:
# openssl rsa -in imaps.example.org.key -out imaps.example.org.nopassword.key

Copy the imaps.example.org.cert file to the /etc/ssl/certs folder.
Copy the imaps.example.org.nopassword.key file to the /etc/ssl/private folder.

Re: how to generate a server certificate

Posted: Sun Nov 15, 2009 5:32 am
by stephen
To Renew a Server Certificate

Log in to http://www.cacert.org/
Click on the Server Certificates menu item on the right side menu.
Click on the view menu item.

Tick the certificate you wish to renew
and click the renew button.
The new certificate is displayed on the screen.
Highlight the certificate text and copy it.

Log in to your server, edit the old cert file, and replace the text in the file with the new text copied from the cacert site.
# vi /etc/ssl/certs/mail.xxxx.com.au.cert


Note! We use the certificate in stunnel (/usr/local/etc/stunnel/stunnel.conf):
cert= /etc/ssl/certs/mail.xxxx.com.au.cert
key= /etc/ssl/private/mail.xxxx.com.au.nopassword.key
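
A check worth running after either procedure in this thread (installing a new certificate or pasting in a renewed one), as an added example that is not part of the original posts: it confirms that the certificate matches the unencrypted key, that the key file is not readable by group or others, and that the certificate is not about to expire. The function names and the throwaway self-signed sample pair are constructed for illustration.

```shell
#!/bin/sh
# Added example: checks to run on a certificate and its unencrypted key
# before pointing stunnel at them. Usage: script CERT KEY (no args = sample run).

# Succeeds when the certificate and the RSA key share the same modulus.
# "-passin pass:" makes openssl fail instead of prompting on an encrypted key.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    k=$(openssl rsa -in "$2" -noout -modulus -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds when neither group nor others have any permission on the key file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Succeeds when the certificate is still valid $2 days from now (default 30).
not_expiring() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Runs every check, reports each failure, returns the number of failures.
check_pair() {
    fails=0
    pair_matches "$1" "$2" || { echo "FAIL: $1 does not match $2"; fails=$((fails+1)); }
    key_is_private "$2"    || { echo "FAIL: $2 is accessible by group/other"; fails=$((fails+1)); }
    not_expiring "$1"      || { echo "FAIL: $1 expires within 30 days"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample: a throwaway self-signed pair in directory $1, valid $2 days,
# standing in for the CAcert-issued certificate and the nopassword key.
make_sample() {
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days "${2:-365}" \
          -subj "/CN=imaps.example.org" \
          -keyout "$1/sample.nopassword.key" -out "$1/sample.cert" ) >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
else
    d=$(mktemp -d) && make_sample "$d" \
        && check_pair "$d/sample.cert" "$d/sample.nopassword.key" && echo "sample pair OK"
    rm -rf "$d"
fi
```

Run it with the certificate and key paths from stunnel.conf as the two arguments; a non-zero exit status is the number of failed checks.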