My self-signed SSL certificates (for Postfix & Cyrus-IMAP) have just expired and so I'm faced with once again trying to decipher (heh) the multitude of instructions for setting this up. I still have my notes from a year ago but, though everything's been working fine (AFAIK), I'm not convinced that what I'm doing is correct. I've read many tutorials online but each one seems to confuse the issue further.
For one thing, before I'd even started, I'd found some cert files already existed. I believe they were set up by the Apache rpm. In any case, I just ignored them, as I'm not currently using SSL through Apache. I probably will want to use it in the future, however I don't at all understand how/why these already exist, as they couldn't possibly contain the correct information (commonName, organizationName, etc).
So, anyway ... I'd like to create new certs and, at the same time, clear out some of the deadwood under the /etc/pki tree and attempt to get all of this into proper order.
This is my current setup:
/etc/postfix/main.cnf:
    smtpd_tls_CAfile = /etc/pki/tls/certs/cacert.pem
    smtpd_tls_cert_file = /etc/pki/postfix/newcert.pem
    smtpd_tls_key_file = /etc/pki/postfix/newkey.pem
/etc/imapd.conf:
    tls_ca_file: /etc/pki/tls/certs/cacert.pem
    tls_cert_file: /etc/pki/cyrus-imapd/newcert.pem
    tls_key_file: /etc/pki/cyrus-imapd/newkey.pem
I have no idea what I was thinking when putting these in separate directories. I assume that's a redundancy I can do without.
/etc/httpd/conf.d/ssl.conf:
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
    #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Here, localhost.crt and localhost.key were created by something other than myself. I have no idea what they're good for, if not self-signed. However, I'm guessing that I could probably create a cert/key.pem pair and use them for Postfix, Cyrus, and Apache. Note, though, that the httpd versions are not PEMs, so that's another source of confusion.
This is from my notes for Postfix/Cyrus:
-- snip --
# cd /etc/pki/tls/misc
./CA_noDES -newca      [creates key file in /etc/pki/CA/private/cakey.pem]
./CA_noDES -newreq     [creates newkey.pem & newreq.pem]
./CA_noDES -sign       [creates /etc/pki/CA/cacert.pem]

ADD THE PRIVATE KEY
# cat /etc/pki/CA/private/cakey.pem
copy this into:
# vi /etc/pki/CA/cacert.pem

# cp /etc/pki/CA/cacert.pem /etc/pki/tls/certs/
-- snip --
Could/should I simply use the above instructions to create:
    /etc/pki/tls/certs/localhost.crt.pem
    /etc/pki/tls/private/localhost.key.pem
... and use these for all 3 apps?
Also, I'm not really clear (surprise, surprise) on the purpose of the last line. Why should I copy cacert.pem from one directory to another? I understand that the CA dir is readable only by root. However, by copying the file elsewhere, that security seems superfluous.
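The notes above paste the contents of cakey.pem (the CA private key) into cacert.pem and then copy cacert.pem into /etc/pki/tls/certs/, a directory that every service and user can read. Whether that copy is harmless depends entirely on what ended up inside the file. The following Python script is an added example, not part of the original post or of the CA_noDES tooling: it splits a PEM file into its BEGIN/END blocks, reports a private key that has landed in a certificate file, reports a key file that is readable by group or other, and produces a copy containing only the public blocks. It uses only the standard library, and the PEM bodies it works on are constructed dummy base64 data, not real keys or certificates. The demo() function reproduces the questionable step in a temporary directory, audits it, applies the fix, and audits again.

```python
"""Audit PEM files before copying them into a world-readable directory.

Added example (not from the original post). Standard library only; the PEM
bodies below are constructed dummy data, not real keys or certificates.
"""
import base64
import os
import re
import stat
import tempfile

# A PEM file is one or more "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" blocks.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

# Labels that mean "this block is secret and must never be published".
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY", "DSA PRIVATE KEY"}


def pem_blocks(text):
    """Return a list of (label, decoded_bytes) for every well-formed PEM block."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())  # drop the 64-column line breaks
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # not valid base64 between the markers: ignore it
        blocks.append((m.group("label"), raw))
    return blocks


def public_only(text):
    """Return the file content with every private-key block removed."""
    keep = [m.group(0) for m in _PEM_BLOCK.finditer(text)
            if m.group("label") not in PRIVATE_LABELS]
    return "\n".join(keep) + ("\n" if keep else "")


def audit_pem_file(path, expect_private=False):
    """Return a list of problems with the PEM file at `path`.

    expect_private=True: the file is a key file and must be mode 0600 or tighter.
    expect_private=False: the file is a cert/CA file and must hold no private key.
    """
    problems = []
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        text = fh.read()
    blocks = pem_blocks(text)
    if not blocks:
        problems.append("no valid PEM blocks")
    has_private = bool({label for label, _ in blocks} & PRIVATE_LABELS)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if expect_private:
        if not has_private:
            problems.append("key file contains no private key block")
        if mode & 0o077:
            problems.append("key file is readable by group/other (mode %o)" % mode)
    elif has_private:
        problems.append("certificate file contains a private key block")
    return problems


def _constructed_block(label, payload):
    """Build a syntactically valid PEM block from dummy bytes (constructed data)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


CONSTRUCTED_CERT = _constructed_block("CERTIFICATE", b"constructed-not-a-real-certificate" * 3)
CONSTRUCTED_KEY = _constructed_block("RSA PRIVATE KEY", b"constructed-not-a-real-key" * 3)


def demo():
    """Recreate the 'paste the key into cacert.pem' step, audit it, fix it, re-audit."""
    with tempfile.TemporaryDirectory() as d:
        cacert = os.path.join(d, "cacert.pem")
        key = os.path.join(d, "cakey.pem")
        with open(cacert, "w") as fh:          # the notes' step: cert + private key in one file
            fh.write(CONSTRUCTED_CERT + CONSTRUCTED_KEY)
        with open(key, "w") as fh:
            fh.write(CONSTRUCTED_KEY)
        os.chmod(key, 0o644)                  # far too loose for a private key
        before = (audit_pem_file(cacert), audit_pem_file(key, expect_private=True))

        with open(cacert) as fh:              # fix: keep only public blocks in the cert file
            cleaned = public_only(fh.read())
        with open(cacert, "w") as fh:
            fh.write(cleaned)
        os.chmod(key, 0o600)                  # fix: owner-only on the key
        after = (audit_pem_file(cacert), audit_pem_file(key, expect_private=True))
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, results in demo().items():
        print(phase, "cacert:", results[0] or "ok", "| key:", results[1] or "ok")
```

The rule the script encodes is the one worth keeping in mind for the question above: only files that contain nothing but CERTIFICATE blocks belong in /etc/pki/tls/certs, which is why copying a cacert.pem that has had the private key pasted into it defeats the root-only protection on /etc/pki/CA/private.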