Recipe 8.3 Signing a Certificate Request

Problem

When you operate a private CA for sendmail, you are responsible for signing the certificate requests of the sendmail hosts.

Solution

On the CA, use the openssl ca command to sign the certificate signing request provided by the sendmail host. When prompted for the PEM passphrase, enter the password created for the private CA. Answer "yes" to the two questions, and the certificate is signed. Here is an example in which the CSR created in Recipe 8.2 is signed on the CA created in Recipe 8.1:

    # openssl ca -config ./sendmailssl.cnf -policy policy_anything -out cert.pem -infiles csr.pem
    Using configuration from ./sendmailssl.cnf
    Enter PEM pass phrase: SaytheSECRETword
    Check that the request matches the signature
    Signature ok
    The Subjects Distinguished Name is as follows
    countryName           :PRINTABLE:'US'
    stateOrProvinceName   :PRINTABLE:'Maryland'
    localityName          :PRINTABLE:'Gaithersburg'
    organizationName      :PRINTABLE:'WroteTheBook'
    commonName            :PRINTABLE:'crab.wrotethebook.com'
    emailAddress          :IA5STRING:'admin@wrotethebook.com'
    Certificate is to be certified until Jan 27 19:50:16 2004 GMT (365 days)
    Sign the certificate? [y/n]: y
    1 out of 1 certificate requests certified, commit? [y/n] y
    Write out database with 1 new entries
    Data Base Updated

The CSR sent from the sendmail system is an intermediate file that is no longer needed. Delete the unneeded file:

    # rm -f csr.pem

Send the signed certificate to the sendmail host. In this example, we send the file cert.pem to the sendmail host. We named the certificate file cert.pem because it is a neutral name well suited to textbook examples. However, the certificate filename is whatever you choose to make it, and it should be something descriptive. For example, the certificate was signed for the host crab.wrotethebook.com, so we could have given it the name crab.wrotethebook.com.cert.pem.

Also, send the sendmail host a copy of the CA's certificate. Assuming that this is the CA created in Recipe 8.1, the CA certificate file sent to the sendmail host would be cacert.pem.

Discussion

The openssl ca command is used to sign certificates. In the Solution section, the openssl command signs the csr.pem file from Recipe 8.2 (-infiles csr.pem), producing a signed certificate in a file named cert.pem (-out cert.pem).

This openssl command references the special OpenSSL configuration file (-config ./sendmailssl.cnf) that was created in Recipe 8.1 for the private sendmail CA. If no configuration file is identified on the command line with the -config option, the openssl command falls back to the default openssl.cnf file. The OpenSSL configuration file provides default values used when creating and signing certificates; it defines the pathnames of the files and directories required by a CA, and it defines the certificate signing policies. By default, the openssl.cnf file, and the sendmailssl.cnf file that Recipe 8.1 created from it, contain two signature policies:

policy_match

    Signature policies define what information must be provided by the DN of the subject before a certificate will be accepted for signing. policy_match requires that a common name be provided. Additionally, it requires that country, state, and organization names be provided, and that these names match the country, state, and organization names used in the certificate of the CA. It makes the organizational unit name and the email address optional. policy_match is the default if no -policy argument is provided on the openssl ca command line.

policy_anything

    This policy requires that a common name be provided. It makes all other DN fields optional.

This recipe uses -policy policy_anything, which is commonly used when signing sendmail certificates. After all, the administrator is shown the DN and asked whether or not the certificate should be signed. If the administrator deems that the DN does not contain enough information for email security, the administrator can refuse to sign the certificate. However, in this specific example, policy_match could have been used and it would have worked. Remember, this is a private CA. We know that the country, state, and organization names used in the DN of the CA match the values in the DN of the server. Yet policy_anything makes a better example because it is more flexible and deals with a larger variety of configurations. Most sendmail administrators use policy_anything, and that is why it is included in this recipe.

After signing the certificate request, the CSR (csr.pem) is deleted. The certificate cert.pem is sent to crab.wrotethebook.com along with the CA's certificate cacert.pem. The sendmail host will reference both of these certificates in its STARTTLS configuration.
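The following script is an added example and is not code from the Sendmail Cookbook. It runs the whole Recipe 8.3 procedure non-interactively in a scratch directory (build a throwaway private CA, sign a CSR with openssl ca, delete the CSR, verify the result against cacert.pem) and also demonstrates the difference between the two signing policies discussed above: a CSR whose state does not match the CA's is refused under policy_match but signed under policy_anything. It assumes openssl is on PATH; the configuration it writes is a constructed, minimal stand-in for the sendmailssl.cnf of Recipe 8.1, and the hostnames, passphrase and subject DNs are sample values.

```shell
#!/bin/sh
# Added demonstration for Recipe 8.3; not from the Sendmail Cookbook.
# Assumes: openssl on PATH. The config below is a constructed stand-in for
# sendmailssl.cnf, and the DNs and passphrase are sample values.
set -u

CA_PASS='SaytheSECRETword'   # sample CA passphrase, as typed at the recipe's prompt

# Create the directory layout openssl ca expects, a minimal config with the
# two policies, and a self-signed CA certificate. Prints the scratch directory.
setup_demo_ca() {
    ca_root=$(mktemp -d) || return 1
    mkdir -p "$ca_root/demoCA/certs" "$ca_root/demoCA/newcerts" "$ca_root/demoCA/private"
    : > "$ca_root/demoCA/index.txt"      # empty certificate database
    echo 01 > "$ca_root/demoCA/serial"   # first serial number to issue
    cat > "$ca_root/sendmailssl.cnf" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = ./demoCA
certs = $dir/certs
new_certs_dir = $dir/newcerts
database = $dir/index.txt
serial = $dir/serial
private_key = $dir/private/cakey.pem
certificate = $dir/cacert.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = usr_cert
# policy_match: C, ST and O must equal the CA's; CN required; OU and email optional
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# policy_anything: only the CN is required
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
keyUsage = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    (cd "$ca_root" && openssl req -x509 -newkey rsa:2048 -days 365 -config sendmailssl.cnf \
        -extensions v3_ca -subj '/C=US/ST=Maryland/O=WroteTheBook/CN=Sendmail private CA' \
        -passout "pass:$CA_PASS" -keyout demoCA/private/cakey.pem \
        -out demoCA/cacert.pem >/dev/null 2>&1) || return 1
    echo "$ca_root"
}

# Key pair and CSR for one sendmail host (the Recipe 8.2 side). Run inside the
# scratch directory. $1 = file prefix, $2 = subject DN in openssl -subj syntax.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -config sendmailssl.cnf -subj "$2" \
        -keyout "$1.key.pem" -out "$1.csr.pem" >/dev/null 2>&1
}

# The Recipe 8.3 signing step without prompts: -batch answers both y/n
# questions, -passin supplies the CA passphrase. $1 = policy, $2 = CSR,
# $3 = output certificate. Returns openssl ca's exit status.
sign_csr() {
    openssl ca -batch -config sendmailssl.cnf -policy "$1" -passin "pass:$CA_PASS" \
        -out "$3" -infiles "$2" >/dev/null 2>&1
}

# Check that a signed certificate chains to cacert.pem, the file the sendmail
# host is also given.
verify_cert() {
    openssl verify -CAfile demoCA/cacert.pem "$1" >/dev/null 2>&1
}

demo() {
    ca_root=$(setup_demo_ca) && cd "$ca_root" || return 1
    make_csr crab '/C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=crab.wrotethebook.com/emailAddress=admin@wrotethebook.com'
    make_csr rodent '/C=US/ST=Virginia/O=WroteTheBook/CN=rodent.wrotethebook.com'
    sign_csr policy_match crab.csr.pem crab.cert.pem && echo 'policy_match: crab signed (C, ST, O equal the CA)'
    sign_csr policy_match rodent.csr.pem rodent.cert.pem || echo 'policy_match: rodent refused (ST differs from the CA)'
    sign_csr policy_anything rodent.csr.pem rodent.cert.pem && echo 'policy_anything: rodent signed'
    verify_cert crab.cert.pem && verify_cert rodent.cert.pem && echo 'both certificates verify against cacert.pem'
    rm -f crab.csr.pem rodent.csr.pem   # CSRs are intermediate files, as in the recipe
}

# demo   # uncomment to run the whole procedure end to end
```

Note that openssl ca silently drops DN fields the chosen policy section does not mention (localityName is absent from policy_match), so the crab certificate signed under policy_match carries no L= component; policy_anything keeps it. The -batch option is what makes the script useful for automation, but the interactive prompts in the recipe are the point of a private CA: the administrator sees the DN before committing to sign it.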

See Also

Recipe 8.1 covers creating the private CA used to sign the certificate in this recipe. Recipe 8.2 creates the certificate request signed in this example. The Introduction to this chapter contains important information about certificates and certificate authorities. The sendmail book discusses certificates in Section 10.10.2. The config manpage provides information on the openssl.cnf file. The req manpage documents the openssl req command. The x509 manpage documents the openssl x509 command, and the ca manpage covers the openssl ca command. TCP/IP Network Administration, Third Edition, by Craig Hunt (O'Reilly), provides examples of using openssl commands in Chapter 11. Network Security with OpenSSL, by Viega, Messier, and Chandra (O'Reilly), provides information about certificates, certificate authorities, openssl.cnf, and the openssl command.



sendmail Cookbook
ISBN: 0596004710
Year: 2005
Pages: 178
Authors: Craig Hunt