Setup guide

When prompted, enter a strong, unique passphrase to protect the web server key
pair.
Next, generate a Certificate Signing Request (CSR) from the web server key, to be submitted to the CA for signing:
sudo openssl req -new -key webserver.key -out webserver.csr
Enter the passphrase for the web server key pair and then fill out the following fields
as completely as possible:
Country Name
State or Province Name
Locality Name (city)
Organization Name
Organizational Unit
Common Name
Email Address
The Common Name field is critically important. It must match the domain name of
your server exactly (e.g. www.mypage.net) or the certificate will not work. Leave the
challenge password and the optional company name blank.
Sign webserver.csr as follows:
sudo openssl ca -in webserver.csr -out webserver.crt
When prompted, enter the CA passphrase to continue and then complete the
process.
The certificate files needed to enable SSL on a web server are now in the
/usr/share/certs directory. As described in the “Securing Web Services”
section, some of these files will need to be moved to the web server.
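The steps above are interactive. The following script, added here as an example and not part of the guide, performs the same key-pair and CSR generation non-interactively and then reads the Common Name back out of the CSR to confirm it matches the intended host name, which is the check that most often fails in practice. It assumes a scratch directory instead of /usr/share/certs (so no sudo is needed), a passphrase supplied through the WEB_KEY_PASS environment variable (the placeholder value below is constructed; use a strong, unique passphrase in a real deployment), and constructed subject values for the other fields.

```shell
#!/bin/sh
# Added example (not part of the original guide): non-interactive web server
# key pair and CSR generation, followed by a Common Name check against the
# host name the certificate is meant for.
set -e

# Passphrase for the -des3 encrypted key. The default here is a constructed
# placeholder; supply a real one through the environment.
WEB_KEY_PASS="${WEB_KEY_PASS:-constructed-example-passphrase}"
export WEB_KEY_PASS

# extract_cn SUBJECT: print the CN component of an OpenSSL subject string in
# the slash-separated form, e.g. "/C=US/O=Example Org/CN=www.mypage.net".
extract_cn() {
  printf '%s\n' "$1" | tr '/' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# cn_matches SUBJECT HOST: print "ok" when the CN equals the host name
# exactly (no wildcard or case folding), otherwise "mismatch".
cn_matches() {
  if [ "$(extract_cn "$1")" = "$2" ]; then
    echo ok
  else
    echo mismatch
  fi
}

# make_web_csr DIR HOST: create an encrypted 2048-bit RSA key and a CSR for
# HOST in DIR, then verify the CN recorded in the CSR. Prints "ok" or
# "mismatch". Subject fields other than CN are constructed placeholders.
make_web_csr() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  # Same key parameters as the guide (2048-bit RSA, DES3-encrypted), with
  # the passphrase taken from the environment instead of a prompt.
  openssl genrsa -des3 -passout env:WEB_KEY_PASS \
    -out "$dir/webserver.key" 2048 2>/dev/null
  # -subj replaces the interactive field prompts; CN carries the host name.
  openssl req -new -key "$dir/webserver.key" -passin env:WEB_KEY_PASS \
    -subj "/C=US/ST=Maryland/L=Fort Meade/O=Example Org/OU=IT/CN=$host" \
    -out "$dir/webserver.csr" 2>/dev/null
  # Read the subject back from the CSR (compat format keeps the slash form)
  # and check the CN before the CSR is handed to the CA.
  subj=$(openssl req -in "$dir/webserver.csr" -noout -subject -nameopt compat)
  cn_matches "${subj#subject=}" "$host"
}

# Demonstration run; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  make_web_csr "${TMPDIR:-/tmp}/certs-example.$$" www.mypage.net
fi
```

Running the script prints `ok` when the CSR's Common Name equals the host name passed in; a CSR that prints `mismatch` should not be sent to the CA, since the resulting certificate would not be accepted by clients connecting to that name.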
4.4.1.3 Creating an SSL Certificate for E-mail Services
The steps to create SSL certificates for the mail server are similar to those for the
web server. If the mail server and web server exist on the same machine and use the
same domain name, the same server certificate could be used for both servers.
However, this is not recommended.
To create a new mail server certificate, open the Terminal, change to the
/usr/share/certs directory created in the section “Creating a CA to Sign
Certificates,” and issue this command to create a key pair for the mail server:
sudo openssl genrsa -out mailserver.key 2048
This differs from the web server key in that it is not encrypted (no -des3
option), because the mail server requires an unencrypted key.
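Because the mail server key has no passphrase protecting it at rest, file permissions are the only thing standing between it and any local account that can read the certs directory. The following script, added here as an example and not part of the guide, tells an encrypted PEM key from a plaintext one by its header and restricts a plaintext key to owner-only access. The two sample key files it writes are constructed stand-ins with placeholder bodies, not real key material.

```shell
#!/bin/sh
# Added example (not from the guide): classify a PEM private key as encrypted
# or plaintext from its header, and tighten the mode of a plaintext key so that
# only its owner can read it.
set -e

# key_encryption_status FILE: print "encrypted" for a passphrase-protected PEM
# key (traditional "Proc-Type: 4,ENCRYPTED" header, as -des3 produces, or a
# PKCS#8 "ENCRYPTED PRIVATE KEY" block), otherwise "plaintext".
key_encryption_status() {
  if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
    echo encrypted
  else
    echo plaintext
  fi
}

# group_other_bits FILE: print the group and other permission characters from
# ls -l (columns 5 to 10); "------" means owner-only access.
group_other_bits() {
  ls -l "$1" | cut -c5-10
}

# lock_down_plaintext_key FILE: a plaintext key (as the mail server needs) is
# restricted to mode 0600; an encrypted key is left as is. Prints the
# resulting group/other bits so the caller can confirm the outcome.
lock_down_plaintext_key() {
  if [ "$(key_encryption_status "$1")" = plaintext ]; then
    chmod 0600 "$1"
  fi
  group_other_bits "$1"
}

# Constructed sample keys: real PEM headers, placeholder bodies.
demo_dir=${TMPDIR:-/tmp}/key-example.$$
mkdir -p "$demo_dir"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
  'DEK-Info: DES-EDE3-CBC,0000000000000000' '' 'PLACEHOLDERBASE64' \
  '-----END RSA PRIVATE KEY-----' > "$demo_dir/webserver.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
  '-----END RSA PRIVATE KEY-----' > "$demo_dir/mailserver.key"
# Deliberately start the plaintext key world-readable to show the fix.
chmod 0644 "$demo_dir/mailserver.key"

echo "webserver.key:  $(key_encryption_status "$demo_dir/webserver.key")"
echo "mailserver.key: $(key_encryption_status "$demo_dir/mailserver.key")"
echo "mailserver.key group/other bits after lock-down: $(lock_down_plaintext_key "$demo_dir/mailserver.key")"
```

In a real deployment the same check belongs wherever the unencrypted key is copied: the file should be owned by the account the mail server runs as and readable by no one else.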
36
UNCLASSIFIED