Recipe 8.2 Creating a Certificate Request

Problem

You must create a certificate signing request (CSR) before the CA can sign it and return a signed certificate to you.

Solution

On the sendmail host, create a directory to hold the certificate and private key. Here is an example:

 # cd /etc/mail
 # mkdir certs

Change to the new directory and set a restrictive umask, so that the private key written in the next step is readable only by its owner. Use the openssl req command to create a self-signed X.509 certificate and a private key. When prompted for the distinguished name, enter the DN of the sendmail host for which the certificate is being created. In this example we create a certificate for crab.wrotethebook.com:

 # cd /etc/mail/certs
 # umask 0066
 # openssl req -nodes -new -x509 -keyout key.pem -out newcert.pem
 Using configuration from /usr/share/ssl/openssl.cnf
 Generating a 1024 bit RSA private key
 .++++++
 ...................++++++
 writing new private key to 'key.pem'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [GB]: US
 State or Province Name (full name) [Berkshire]: Maryland
 Locality Name (eg, city) [Newbury]: Gaithersburg
 Organization Name (eg, company) [My Company Ltd]: WroteTheBook
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or the server's name) []: crab.wrotethebook.com
 Email Address []: admin@wrotethebook.com

Next, use openssl x509 to generate a certificate signing request from the certificate and key pair created above. The newcert.pem file created above is a temporary file that can be removed after the CSR is created:

 # openssl x509 -x509toreq -in newcert.pem -signkey key.pem -out csr.pem
 Getting request Private Key
 Generating certificate request
 # rm -f newcert.pem

Send the CSR, csr.pem in this example, to the CA. The CA signs the sendmail host's certificate request. Recipe 8.3 shows how this is done using the private CA created in Recipe 8.1.

The CA returns a signed certificate to the sendmail host, along with a copy of the CA's certificate. On the sendmail host, place the sendmail host's signed certificate and the CA's certificate in the certificate directory created in the first step. Then create a symbolic link, named after the hash of the CA certificate's subject name, that points to the CA's certificate:

 # ln -s ca_filename `openssl x509 -noout -hash < ca_filename`.0

In the command above, replace ca_filename with the filename of the CA's certificate. The link name is the hash of the CA certificate's subject name followed by .0, and it is by looking up that hash in the CA certificate directory that OpenSSL, and therefore sendmail, finds the issuer of a certificate it is verifying; the CA file itself is not consulted unless a correctly named link points to it. Run this command, replacing ca_filename with the name of the new CA certificate file, every time a CA certificate is added to the directory identified by the confCACERT_PATH define. The c_rehash script shipped with OpenSSL regenerates all of the links in a directory at once, which is needed after upgrading across OpenSSL 1.0.0, where the subject-hash algorithm changed and links made by older releases stop matching. Recipe 8.4 discusses the confCACERT_PATH define.
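The whole procedure above, as an added example that is not from the book: a non-interactive POSIX shell version of the steps in this recipe, followed by a throwaway CA that stands in for the private CA of Recipes 8.1 and 8.3 so that the hash link can be checked with openssl verify rather than taken on faith. The directory (a temporary one instead of /etc/mail/certs), the host name, the DN and the stand-in CA's name are assumptions; the only thing the script needs is the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the Sendmail Cookbook): Recipe 8.2 as a
# non-interactive script, followed by a throwaway CA that stands in for the
# private CA of Recipes 8.1 and 8.3 so the CA-hash symlink can be exercised
# with "openssl verify". The only requirement is the openssl CLI on PATH.
set -eu

# Assumed values. The book uses /etc/mail/certs; a temporary directory is
# used here so the script can run anywhere without touching /etc/mail.
CERTDIR="${CERTDIR:-$(mktemp -d)}"
MAILHOST="${MAILHOST:-crab.wrotethebook.com}"
# The same DN the recipe types at the prompts, passed on the command line.
SUBJ="/C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=$MAILHOST/emailAddress=admin@wrotethebook.com"

# Recipe 8.2 proper. The umask matters: -nodes leaves key.pem unencrypted,
# so file permissions are its only protection. rsa:2048 replaces the
# 1024-bit default of the OpenSSL release the book was written against.
make_csr() (
    umask 0066
    cd "$CERTDIR"
    openssl req -nodes -new -x509 -newkey rsa:2048 -subj "$SUBJ" \
        -keyout key.pem -out newcert.pem
    openssl x509 -x509toreq -in newcert.pem -signkey key.pem -out csr.pem
    rm -f newcert.pem
    # Check the CSR before sending it to the CA: its self-signature must
    # verify and the subject must name the sendmail host.
    openssl req -in csr.pem -noout -verify
    openssl req -in csr.pem -noout -subject | grep -q "CN *= *$MAILHOST"
)

# Stand-in for the CA (Recipe 8.1) and the signing step (Recipe 8.3). A real
# CA key would never sit on the sendmail host; it is created here only so
# the example runs end to end.
fake_ca_sign() (
    umask 0066
    cd "$CERTDIR"
    openssl req -nodes -new -x509 -newkey rsa:2048 -days 365 \
        -subj "/O=WroteTheBook/CN=WroteTheBook Test CA" \
        -keyout cakey.pem -out ca.pem
    openssl x509 -req -in csr.pem -CA ca.pem -CAkey cakey.pem \
        -CAcreateserial -days 365 -out cert.pem
)

# The recipe's last step: link <subject hash>.0 -> CA certificate. This is
# the name OpenSSL (and therefore sendmail) looks up in the CApath directory
# to find the issuer of a certificate it is verifying.
install_ca_hash() (
    cd "$CERTDIR"
    ln -sf ca.pem "$(openssl x509 -noout -hash -in ca.pem).0"
)

# Exit status 0 only if cert.pem chains to a CA reachable via the hash links.
verify_chain() {
    openssl verify -CApath "$CERTDIR" "$CERTDIR/cert.pem"
}

make_csr
fake_ca_sign
install_ca_hash
verify_chain
ls -l "$CERTDIR"
```

Run it as is to work in a temporary directory, or set CERTDIR=/etc/mail/certs to populate the real directory (and then remove cakey.pem, ca.srl and the stand-in CA, which have no place on a production host). The detour through a self-signed certificate is what the recipe shows, but openssl req -new without -x509 writes a CSR directly: openssl req -nodes -new -newkey rsa:2048 -keyout key.pem -out csr.pem. The negative case is worth seeing once: with ca.pem sitting in the directory but no hash link, openssl verify -CApath fails with "unable to get local issuer certificate", which is why the link, and not merely the presence of the CA file, is what matters.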

Discussion

Most of the work in this recipe is done on the sendmail host. However, it doesn't have to be. All of the files necessary to request a signed certificate for crab.wrotethebook.com can be generated on any system that has OpenSSL installed. The advantage of creating the CSR on the sendmail host is that the private key is created there and never has to leave the system, making it easier to maintain private key security. The disadvantage is that the administrator of crab.wrotethebook.com needs to use the complex openssl commands to build the CSR. Many sites prefer to have one CA administrator who creates the certificate and key for each sendmail host on the CA server and then distributes the signed files to the sendmail systems. The approach you use is mostly a matter of organizational style.

The only thing that must be created on the sendmail host is the directory that will hold the certificate and the private key. The name of this directory, the name of the certificate file, the name of the key file, and the name of the CA certificate file, are all important values used to configure sendmail for STARTTLS, as can be seen in Recipe 8.4.

The openssl req command in the Solution section creates a new, self-signed X.509 certificate ( -new -x509 ). The certificate is written to a file named newcert.pem ( -out newcert.pem ). The private key associated with the certificate is stored in a file named key.pem ( -keyout key.pem ). The key.pem file is not encrypted ( -nodes , "no DES"). This is important. If the private key is accidentally placed in an encrypted file, the sendmail administrator is prompted for the passphrase to decrypt the file every time sendmail needs to access the private key, which can leave the sendmail system hanging during the boot process until the passphrase is entered. Because the key is stored in the clear, file permissions are its only protection: the umask 0066 set before running openssl req makes key.pem readable only by its owner, and the file should never be copied off the host. Note also that the 1024-bit RSA key in the example is simply the default of the OpenSSL release used there; 1024-bit RSA is no longer considered adequate, so pass -newkey rsa:2048 (or larger) to openssl req.

The openssl x509 command processes an X.509 certificate. In this case, the command converts an X.509 certificate to a certificate request ( -x509toreq ). The certificate that is being converted is the newcert.pem file created in the first step ( -in newcert.pem ), and the resulting request is signed with the private key that belongs to that certificate ( -signkey key.pem ); the CA checks this self-signature to confirm that whoever submitted the request holds the private key. The CSR is written to a file named csr.pem ( -out csr.pem ).

The CSR file is sent to the CA. The CA uses that file as input to the signature process and returns another file, which is the signed certificate. Often, one file is sent to the CA and one is returned. The Solution section, however, also mentions a second file, the CA's certificate. This certificate may not be sent from the CA as part of the signature process. There may be some other means for obtaining that file. Because every certificate placed in the CA certificate directory becomes a trust anchor for sendmail, confirm the CA certificate's fingerprint ( openssl x509 -noout -fingerprint ) with the CA over an independent channel before installing it. Regardless of how the CA certificate is obtained, a hash link should be made for the CA certificate as shown in the last step of the Solution. sendmail uses the hash during certificate verification.

See Also

Recipe 8.3 covers signing the certificate request created in this recipe.



Sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt
