Problem

Your organization has decided not to use a commercial CA and has asked you to create a private CA to sign and manage certificates for sendmail.

Solution

Select a directory in which to place the CA directory structure (/etc/mail/certs is a common choice). Change to that directory and run the CA script provided with the OpenSSL distribution. Use the -newca command-line option of the CA script. [2] The script allows you to enter a certificate filename to work with an existing CA certificate. In this case, we are not working with an existing CA certificate, so just press the Return key to create a new CA. When prompted for a PEM passphrase, enter the password that will be required whenever the certificate authority is used to sign a certificate request. Finally, enter the distinguished name of the system that is acting as the CA. Here is an example:
    # cd /etc/mail
    # mkdir certs
    # cd certs
    # /usr/share/ssl/misc/CA -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Using configuration from /usr/share/ssl/openssl.cnf
    Generating a 1024 bit RSA private key
    ...............++++++
    .............++++++
    writing new private key to './demoCA/private/./cakey.pem'
    Enter PEM pass phrase: SaytheSECRETword!
    Verifying password - Enter PEM pass phrase: SaytheSECRETword!
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]: US
    State or Province Name (full name) [Berkshire]: Maryland
    Locality Name (eg, city) [Newbury]: Gaithersburg
    Organization Name (eg, company) [My Company Ltd]: WroteTheBook
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []: chef.wrotethebook.com
    Email Address []: craig@chef.wrotethebook.com

The CA script creates a directory structure it calls demoCA, which contains the files needed for a private CA. Change the name demoCA to something that sounds less temporary, for example, to the directory name CA:

    # mv demoCA CA

Change to the new directory structure. Tighten the security on the private directory, which holds the certificate authority's private key:

    # cd CA
    # chmod 0700 private

Copy the openssl.cnf file to the CA directory. The copy will be used by the private CA when signing sendmail certificates. To distinguish it from the original openssl.cnf file, the copy is renamed sendmailssl.cnf when it is copied to the CA directory:

    # cp /usr/share/ssl/openssl.cnf sendmailssl.cnf

Finally, edit the sendmailssl.cnf file to point to the newly created CA directory structure.
Change the line:

    dir = ./demoCA # Where everything is kept

to read:

    dir = /etc/mail/certs/CA # Where everything is kept

The private CA can now be used to sign certificates as described in Recipe 8.3.

Discussion

It is not absolutely necessary to build a private CA just to create the certificates needed by STARTTLS. The Introduction to this chapter describes alternative ways to obtain signed certificates. This recipe should not be taken as a recommendation for creating a private CA. It is incorporated as a recipe in this chapter because building a private CA is the most complex method of signing certificates, and thus it is the method most in need of a recipe to explain how it is done. Before you decide to build a private CA, evaluate the alternatives to make sure you choose the approach that is most suitable for your situation.

The complexity of creating a private CA is substantially reduced by the CA script provided with the OpenSSL distribution. The CA script accepts several different command-line arguments, but the one that is most useful for a sendmail system is the -newca option. -newca causes the script to create the directory structure and files needed by a CA. It also causes the script to build the private key and the certificate that will be used by the CA. An ls of the directory created by the CA script shows the following:

    # ls
    cacert.pem  certs  crl  index.txt  newcerts  private  serial
    # ls private
    cakey.pem

The directory created by the CA script contains three files: cacert.pem, index.txt, and serial.
The private key associated with the CA certificate is stored in the private subdirectory and is named cakey.pem, as the second ls command in the example shows. The private key is kept safe on the CA. It is never distributed to, or used on, any other system. The cakey.pem file is encrypted and can only be used by someone who knows the PEM passphrase provided to the CA script when the cakey.pem file was created. In the example in the Solution section, the PEM passphrase is SaytheSECRETword!. The passphrase is required in Recipe 8.3 when the CA is used to sign certificates.

In addition to the files just described, the directory created by the CA script contains four subdirectories: certs, crl, newcerts, and private.
This recipe recommends adding a copy of openssl.cnf to the files and directories created by the CA script. The openssl.cnf configuration file is read by openssl every time it is executed. openssl is used to create and sign certificates, and it will be used in subsequent recipes in this chapter. To simplify customizing the OpenSSL configuration for sendmail certificate management, and to avoid any possibility of interfering with the OpenSSL configuration used by the web site administrator, we copy openssl.cnf to sendmailssl.cnf. The new name is intended to make it clear that this configuration is used only by the sendmail CA. We then edit the sendmailssl.cnf file to point to /etc/mail/certs/CA as the directory used by the default CA. This recipe assumes that the private CA is being used exclusively for sendmail certificate management. Because this CA is used exclusively for sendmail, it makes sense to create a sendmail-specific OpenSSL configuration. Recipe 8.3 uses the newly created sendmailssl.cnf file.

See Also

Recipe 8.2 and Recipe 8.3 are both directly related to this recipe. The Introduction to this chapter contains important information about certificates and certificate authorities. The sendmail book discusses certificates in Section 10.10.2. The config manpage provides information on the openssl.cnf file. Network Security with OpenSSL, by Viega, Messier, and Chandra (O'Reilly), provides information about certificates, certificate authorities, and certificate revocation lists.
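The Solution section's steps, as an added example that is not the book's own text or the OpenSSL CA script: a POSIX shell version of the same procedure (the CA directory layout, chmod 0700 on private, the sendmailssl.cnf edit, and the CA key and self-signed certificate). CA_DIR and CNF_SRC are assumed paths, and a 2048-bit key is assumed in place of the 1024-bit one the script output shows.

```shell
#!/bin/sh
# Added example (not from the book): reproduce the recipe without the
# interactive CA script. CA_DIR and CNF_SRC are assumed paths.

CA_DIR=/etc/mail/certs/CA
CNF_SRC=/usr/share/ssl/openssl.cnf

# Create the directories and bookkeeping files that CA -newca lays out,
# and lock down private/, which will hold cakey.pem.
make_ca_layout() {
    ca_dir="$1"
    mkdir -p "$ca_dir/certs" "$ca_dir/crl" "$ca_dir/newcerts" "$ca_dir/private"
    chmod 0700 "$ca_dir/private"
    [ -f "$ca_dir/index.txt" ] || : > "$ca_dir/index.txt"   # certificate database
    [ -f "$ca_dir/serial" ] || echo 01 > "$ca_dir/serial"   # next serial number
}

# Copy openssl.cnf to a sendmail-specific file and rewrite the
# "dir = ./demoCA" line so the default CA section points at ca_dir.
point_cnf_at_ca() {
    src="$1"; dst="$2"; ca_dir="$3"
    sed "s|^\([[:space:]]*dir[[:space:]]*=[[:space:]]*\)\./demoCA|\1$ca_dir|" "$src" > "$dst"
}

# Succeed only if private/ is owner-only (drwx------), as chmod 0700 leaves it.
private_dir_is_locked() {
    [ "$(ls -ld "$1/private" | cut -c1-10)" = "drwx------" ]
}

# Generate the CA's own key and self-signed certificate. openssl prompts for
# the PEM passphrase, exactly as the CA script does; the subject fields are
# the ones entered in the Solution section.
make_ca_cert() {
    ca_dir="$1"; cnf="$2"
    openssl req -new -x509 -newkey rsa:2048 -days 3650 -config "$cnf" \
        -keyout "$ca_dir/private/cakey.pem" -out "$ca_dir/cacert.pem" \
        -subj "/C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=chef.wrotethebook.com/emailAddress=craig@chef.wrotethebook.com"
}

# Usage: run as root on the mail host with --run to perform all four steps.
if [ "${1:-}" = "--run" ]; then
    make_ca_layout "$CA_DIR"
    point_cnf_at_ca "$CNF_SRC" "$CA_DIR/sendmailssl.cnf" "$CA_DIR"
    make_ca_cert "$CA_DIR" "$CA_DIR/sendmailssl.cnf"
    private_dir_is_locked "$CA_DIR" && echo "private/ is 0700"
fi
```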