Last active
September 22, 2023 17:49
-
-
Save volure/8cde09610d3df08bd382 to your computer and use it in GitHub Desktop.
Create a Self Signed Postfix Certificate
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # copied from https://www.e-rave.nl/create-a-self-signed-ssl-key-for-postfix | |
| openssl genrsa -des3 -out mail.domain.tld.key 2048 | |
| chmod 600 mail.domain.tld.key | |
| openssl req -new -key mail.domain.tld.key -out mail.domain.tld.csr | |
| openssl x509 -req -days 365 -in mail.domain.tld.csr -signkey mail.domain.tld.key -out mail.domain.tld.crt | |
| openssl rsa -in mail.domain.tld.key -out mail.domain.tld.key.nopass | |
| mv mail.domain.tld.key.nopass mail.domain.tld.key | |
| openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650 | |
| chmod 600 mail.domain.tld.key | |
| chmod 600 cakey.pem | |
| mv mail.domain.tld.key /etc/ssl/private/ | |
| mv mail.domain.tld.crt /etc/ssl/certs/ | |
| mv cakey.pem /etc/ssl/private/ | |
| mv cacert.pem /etc/ssl/certs/ | |
| postconf -e 'smtpd_tls_auth_only = no' | |
| postconf -e 'smtp_use_tls = yes' | |
| postconf -e 'smtpd_use_tls = yes' | |
| postconf -e 'smtp_tls_note_starttls_offer = yes' | |
| postconf -e 'smtpd_tls_key_file = /etc/ssl/private/mail.domain.tld.key' | |
| postconf -e 'smtpd_tls_cert_file = /etc/ssl/certs/mail.domain.tld.crt' | |
| postconf -e 'smtpd_tls_CAfile = /etc/ssl/certs/cacert.pem' | |
| postconf -e 'smtpd_tls_loglevel = 1' | |
| postconf -e 'smtpd_tls_received_header = yes' | |
| postconf -e 'smtpd_tls_session_cache_timeout = 3600s' | |
| postconf -e 'tls_random_source = dev:/dev/urandom' | |
| postconf -e 'myhostname = mail.example.com' |
For non-interactive, use below
Note: 1111 is a key used, change and use as per your liking.
hostname=$(hostname)
mkdir -p /etc/configs/ssl/$hostname
openssl genrsa -des3 --passout pass:1111 -out $hostname.key 2048
openssl req -new -passin pass:1111 -key $hostname.key -subj "/C=GB/ST=London/L=London/O=Endurance Control Panel/OU=IT Department/CN=$hostname" -out $hostname.csr
openssl x509 -req --passin pass:1111 -days 365 -in $hostname.csr -signkey $hostname.key -out $hostname.cer
openssl rsa --passin pass:1111 -in $hostname.key -out $hostname.key.nopass
mv -f $hostname.key.nopass $hostname.key
openssl req -new -x509 -extensions v3_ca -passout pass:1111 -subj "/C=GB/ST=London/L=London/O=Endurance Control Panel/OU=IT Department/CN=$hostname" -keyout cakey.pem -out cacert.pem -days 3650
chmod 600 $hostname.key
chmod 600 cakey.pem
mv $hostname.key /etc/configs/ssl/$hostname
mv $hostname.cer /etc/configs/ssl/$hostname
mv cakey.pem /etc/configs/ssl/$hostname
mv cacert.pem /etc/configs/ssl/$hostname
Team,
thanks for the above steps, following them I've created the local self-signed CA. But while trying to verify the external client's certificates against the created CA, I'm getting cacert.pem verification failed error. Does anyone know how to resolve the error and proceed further?
Below is the error.
openssl verify cacert.pem cert.pem chain.pem
C = xxxx, ST = xxxx, L = Default City, O = xxxxx
error 18 at 0 depth lookup: self signed certificate
error cacert.pem: verification failed
cert.pem: OK
chain.pem: OK
Thanks,
Krishna
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
thanks 👍