Creating a Cacert postfix certificate
February 03, 2008 at 06:58 PM | categories: Postfix, SSL, Security, Linux
Introduction
Cacert is a certification authority that provides free certificates. I guess using them is much better than having your own local CA.
Install root certificate
We need to download the Cacert root certificate and install it on the server.
Download and install
mkdir /etc/pki/postfix
wget -nv https://www.cacert.org/certs/root.crt --no-check-certificate -O /etc/pki/postfix/root.crt
Verify the certificate
openssl x509 -in /etc/pki/postfix/root.crt -text -noout
The output should look like this
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                URI:https://www.cacert.org/revoke.crl
            Netscape CA Revocation Url:
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url:
                http://www.cacert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
Generate signing request
cd /etc/pki/postfix
openssl req -nodes -newkey rsa:2048 -keyout key.pem -out req.pem
The signing request is in the file req.pem.
Get the signed certificate
Next you need to log in to the cacert.org website, go to "server certificates" then "New", paste the contents of req.pem into the text box provided, and click submit. A certificate will be generated.
Install certificate
Copy the certificate and paste it into the file /etc/pki/postfix/server.pem.
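Once server.pem is in place, the checks below confirm that it was issued for key.pem, that it verifies against the downloaded root.crt, and that the unencrypted key created with `-nodes` is not accessible to other users. This is an added example, not part of the original post; the function names and the script name are assumptions.

```shell
#!/bin/sh
# Added example: consistency checks for the files created on this page.

# Return 0 if certificate $1 carries the public key of private key $2.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if certificate $1 verifies against the CA file $2.
# The ": OK" line is matched rather than relying on the exit status alone.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Return 0 if file $1 grants no permission to group or others.
key_is_private() {
    case "$(ls -ld "$1" 2>/dev/null)" in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (script name is hypothetical):
#   sh check-postfix-cert.sh --check [directory]
if [ "${1:-}" = "--check" ]; then
    dir=${2:-/etc/pki/postfix}
    cert_matches_key "$dir/server.pem" "$dir/key.pem" ||
        { echo "server.pem was not issued for key.pem" >&2; exit 1; }
    cert_chains_to "$dir/server.pem" "$dir/root.crt" ||
        { echo "server.pem does not verify against root.crt" >&2; exit 1; }
    key_is_private "$dir/key.pem" ||
        { echo "key.pem is accessible to group/others (chmod 600)" >&2; exit 1; }
    echo "certificate, key and CA file are consistent"
fi
```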