Mac Mini install ssl certificate

To run mail servers securely, all client/server communication (in particular, account passwords) has to be encrypted with SSL. To use SSL for mail, you need SSL certificates for both your IMAP and SMTP servers.


Setting up SSL

First, install the openssl package:
    apt-get install openssl
Then, set up the SSL environment:
    cd /etc/ssl
    echo "01" > serial
    touch index.txt
    mkdir certs newcerts private        # if they don't already exist
    chmod 755 certs newcerts
    chmod 700 private


Generating a self-signed certificate

The easiest thing to do is to be your own certificate authority and sign your own server certificates. The downside is that mail clients will usually display a dialog box warning the user that the certificate was signed by an unknown certificate authority. It gets annoying to have to click OK all the time. (However, you can import the certificate so you don't ever have to click OK.)

To become your own certificate authority and get a self-signed server certificate:
  1. Generate your own root certificate:
      cd /etc/ssl
      openssl req -new -x509 -keyout private/cakey.key -out certs/cacert.crt
  2. Generate a server key and a temporary self-signed certificate (the -x509 flag; it is written to server.csr, and step 3 turns it back into a signing request):
      openssl req -nodes -new -x509 -keyout private/server.key -out server.csr
    Answer the questions that follow. For Common Name, enter your domain name.

  3. Finally, sign the certificate request and get a certificate:
      openssl x509 -x509toreq -in server.csr -signkey private/server.key -out tmp.pem
      openssl ca -policy policy_anything -out certs/server.crt -infiles tmp.pem   # reads the CA paths (dir, serial, index.txt, ...) from the [CA_default] section of openssl.cnf
      rm tmp.pem
The same private key and certificate can be used for both Dovecot and Sendmail: simply copy the files.
The reason the certificates and the private keys have to be copies rather than either hard or symbolic links is because they need different groups and permissions.
The permissions, users, and groups of the relevant files in the /etc/ssl directory should be:
    drwxr-xr-x  root root    certs/
    -rw-r--r--  root root      cacert.crt
    -rw-r-----  root dovecot   dovecot.crt
    -rw-------  root root      sendmail.crt
    -rw-r--r--  root root    index.txt
    drwx------  root root    private/
    -rw-------  root root      cakey.key
    -rw-r-----  root dovecot   dovecot.key
    -rw-------  root root      sendmail.key
    -rw-r--r--  root root    serial


Obtaining a third-party-signed certificate

You can get a certificate from one of the widely known certificate authorities such as Thawte or Verisign and mail clients will accept them without warning, but such a certificate costs hundreds of dollars. Alternatively, you can get a certificate for free from CAcert.
Currently, the CAcert root certificate isn't shipped with most client software. This means that using a certificate signed by CAcert is no better than using a self-signed certificate in that client software will still issue a warning and you'll still have to click OK (unless you import the certificate).

However, CAcert is working towards getting their root certificate shipped with most client software. Once that's done, then using them will be better than using self-signed certificates.
To use the CAcert root certificate and get a server certificate signed by CAcert:
  1. Join CAcert.org.
  2. Get CAcert's root certificate from here and save it in /etc/ssl/certs/cacert.crt.
  3. Generate a server certificate request:
      openssl req -nodes -new -keyout private/server.key -out server.csr
  4. Answer the questions that follow. For Common Name, enter your domain name.
  5. Copy the contents of the server.csr file and paste it into the certificate request form on the CAcert web site.
  6. Once you get the signed certificate back, save the contents to a file.
The same private key and certificate can be used for both Dovecot and Sendmail: simply copy the file.
The reason the certificates and the private keys have to be copies rather than either hard or symbolic links is because they need different groups and permissions.
The permissions, users, and groups of the relevant files in the /etc/ssl directory should be:
    drwxr-xr-x  root root    certs/
    -rw-r--r--  root root      cacert.crt
    -rw-r-----  root dovecot   dovecot.crt
    -rw-------  root root      sendmail.crt
    drwx------  root root    private/
    -rw-r-----  root dovecot   dovecot.key
    -rw-------  root root      sendmail.key
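The following script is an added example, not part of the original page or of the Dovecot/Sendmail/CAcert projects. It rebuilds the flow from both the self-signed and the CAcert sections in a throwaway directory with the same layout as /etc/ssl above (serial, index.txt, certs/, newcerts/, private/), issues a server certificate with openssl req and openssl ca, lays out the per-service copies with the modes listed, and then runs the checks a practitioner wants before pointing Dovecot or Sendmail at the files: that server.crt really chains to cacert.crt, that each copied key belongs to its certificate, and that the private keys have the intended modes. It uses a plain CSR (as in the CAcert section) instead of the -x509/-x509toreq round trip, and ships its own minimal openssl.cnf because `openssl ca` otherwise looks for the stock ./demoCA layout rather than /etc/ssl. "Example Mail CA" and mail.example.test are constructed placeholders; openssl must be on PATH, and the chown to the dovecot group is left out because it needs root and that group.

```shell
#!/bin/sh
# Added example (not from the original page): throwaway CA in a temp dir,
# server cert issued the way the page does it, then chain/key/mode checks.
# "Example Mail CA" and mail.example.test are constructed placeholders.
set -eu

# Minimal openssl.cnf pointing `openssl ca` at $dir instead of the stock
# ./demoCA default (the page assumes the system config already names /etc/ssl).
write_config() {
    dir=$1; host=$2
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = $dir
certs           = $dir/certs
new_certs_dir   = $dir/newcerts
database        = $dir/index.txt
serial          = $dir/serial
private_key     = $dir/private/cakey.key
certificate     = $dir/certs/cacert.crt
default_md      = sha256
default_days    = 365
policy          = policy_anything
x509_extensions = server_cert
[ policy_anything ]
countryName      = optional
organizationName = optional
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
}

build_ca() {
    dir=$1; host=$2; cnf="$dir/openssl.cnf"
    mkdir -p "$dir/certs" "$dir/newcerts" "$dir/private"
    chmod 755 "$dir/certs" "$dir/newcerts"; chmod 700 "$dir/private"
    echo "01" > "$dir/serial"; : > "$dir/index.txt"
    write_config "$dir" "$host"
    # Step 1: root certificate. -nodes and -subj make it unattended; the
    # page's command prompts for a passphrase and the DN fields instead.
    openssl req -config "$cnf" -new -x509 -nodes -days 3650 -subj "/CN=Example Mail CA" \
        -keyout "$dir/private/cakey.key" -out "$dir/certs/cacert.crt" 2>/dev/null
    # Step 2: server key plus a plain CSR (CAcert section style, no -x509).
    openssl req -config "$cnf" -new -nodes -subj "/CN=$host" \
        -keyout "$dir/private/server.key" -out "$dir/server.csr" 2>/dev/null
    # Step 3: sign the request with the CA; -batch skips the y/n prompts.
    openssl ca -config "$cnf" -batch -policy policy_anything \
        -out "$dir/certs/server.crt" -infiles "$dir/server.csr" >/dev/null 2>&1
    # Per-service copies (copies, not links) with the modes the page lists.
    for svc in dovecot sendmail; do
        cp "$dir/private/server.key" "$dir/private/$svc.key"
        cp "$dir/certs/server.crt" "$dir/certs/$svc.crt"
    done
    chmod 644 "$dir/certs/cacert.crt"
    chmod 640 "$dir/private/dovecot.key" "$dir/certs/dovecot.crt"
    chmod 600 "$dir/private/cakey.key" "$dir/private/sendmail.key" "$dir/certs/sendmail.crt"
}

# Succeeds when server.crt verifies against cacert.crt (checks the ": OK"
# line, since old openssl versions always exit 0 from `verify`).
check_chain() {
    openssl verify -CAfile "$1/certs/cacert.crt" "$1/certs/server.crt" 2>/dev/null | grep -q ': OK$'
}

# Succeeds when the key's public half equals the public key inside the cert,
# i.e. the copy handed to Dovecot or Sendmail is really a matching pair.
check_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds when the file's mode is exactly $2 (octal); GNU and BSD find agree here.
mode_is() {
    [ -n "$(find "$1" -maxdepth 0 -perm "$2" 2>/dev/null)" ]
}

# Runs the whole flow in a temp dir; returns non-zero if any check fails.
demo() {
    d=$(mktemp -d); status=0
    build_ca "$d" mail.example.test
    check_chain "$d" && echo "chain ok: server.crt is signed by cacert.crt" || status=1
    check_key_matches_cert "$d/private/dovecot.key" "$d/certs/dovecot.crt" && echo "dovecot key/cert match" || status=1
    mode_is "$d/private/sendmail.key" 600 && mode_is "$d/private/dovecot.key" 640 && echo "key modes ok" || status=1
    rm -rf "$d"
    return $status
}

demo
```

The config section names (policy_anything, CA_default) are the ones the page's `openssl ca -policy policy_anything` command refers to; when you run against the real /etc/ssl, confirm that `dir` in your distribution's openssl.cnf actually points there, otherwise `openssl ca` silently uses its own demoCA paths and the serial/index.txt files you created are never touched.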


Importing the CA root certificate

If you are using either a self-signed or CAcert-signed server certificate, then mail clients will usually display a dialog box warning the user that the certificate was signed by an unknown certificate authority. To get rid of the warning, you can import the certificate.

In Mac OS X, certificates are stored centrally using keychains. To manipulate keychains, you use the Keychain Access application.

Using the Mac OS X 10.4 (Tiger) version of Keychain Access:
  1. Launch Keychain Access.
  2. From the File menu, select Import....
  3. In the file selector, choose the CA root certificate file cacert.crt.
  4. From the Keychain pop-up menu, select X509Anchors.
  5. Select Open.
  6. From the main certificate list, select CA Cert Signing Authority. (This is the CA root certificate you just imported.)
  7. Scroll down to Trust Settings and click the little triangle.
  8. From the When using this certificate pop-up menu, select Always Trust.
  9. Close the window and quit Keychain Access.