CentOS - Mail Server - Secure Connection, Creating the SSL Certificate

The previous article looked at Saslauthd. Now let's concentrate on the SSL certificate we'll use for secure connections to our mail server.

The principles involved are the same ones we employed when setting up a secure website (HTTPS). The first step is the creation of a new SSL certificate.


Self signed

Note that we will be creating a self signed certificate which will produce a warning from your mail client (Mail, Thunderbird, Outlook, etc).

However, that is acceptable if you are the only user of the mail server, because you can verify and accept the certificate yourself. If other people or their clients will connect to it, you will need a certificate issued by a Certificate Authority (CA) that their mail clients already trust.

Crypto-Utils

To generate the certificate we'll use the 'genkey' command. This command is part of the crypto-utils package and can be installed as follows:

sudo yum install crypto-utils

Good.

Create

Now we can create the certificate key pair:

sudo genkey --days 3650 mail.demoslice.com

The --days 3650 argument sets the validity period to 3650 days (ten years), so the certificate won't expire any time soon.

An on-screen prompt will appear which states where our finished key and certificate files will be stored.

[Screenshot: Generate Key Pair 1]

Select the Next option and hit the ENTER/RETURN key to move to the next screen, where we will choose the key size. The default offered by this version of genkey is 1024 bits, but a 1024-bit RSA key is no longer considered adequate and current mail clients will reject it, so select 2048 bits (or larger) here.

After selecting Next, we will see a progress screen while the key is being generated. Please note it may take some time before the key is fully generated.

[Screenshot: Generate Key Pair 2]

We are not going to send a Certificate Signing Request (CSR) to a Certificate Authority (CA) so select No when asked.

You will then be asked a series of questions needed to complete the details of the certificate.

My answers are as follows:

[Screenshot: Generate Key Pair 3]

Note it is important that the Hostname matches the name your mail clients will connect to, because the client compares that name against the certificate. In this case it's mail.demoslice.com.

Finally, we have the option to encrypt the private key with a passphrase. We want to skip this, as a passphrase would have to be entered every time the mail server is restarted, which is not very practical. Because the key is stored unencrypted, it must be readable by root only; genkey places it under /etc/pki/tls/private for that reason, and the file permissions should be checked rather than assumed.

Done.

Certificate

The self-signed certificate and its private key should now be found in the locations we noted earlier:

/etc/pki/tls/certs/mail.demoslice.com.cert
/etc/pki/tls/private/mail.demoslice.com.key

We will need these details when configuring Postfix for use with our secure connections.
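As an added example (not part of the original article and not the crypto-utils code), here is what genkey does above expressed as plain openssl commands, with a 2048-bit key, the hostname in a subjectAltName as well as the CN, and an unencrypted key created with restrictive permissions, followed by the checks worth running before handing the files to Postfix: that the key and certificate belong together, that the certificate names the mail host, that it has not expired, and that the key is not group- or world-readable. It assumes openssl is installed; the output directory is a parameter rather than the article's /etc/pki/tls paths so it can be tried anywhere, and the subject is reduced to CN=hostname because the article's other answers are only in a screenshot.

```shell
#!/bin/sh
# Added example, not from the article or the crypto-utils package.
# Assumptions: openssl is installed; DIR is any writable directory
# (the article uses /etc/pki/tls/private and /etc/pki/tls/certs);
# the subject is just CN=<hostname>.

# make_mail_cert DIR HOSTNAME [DAYS]
# Writes DIR/HOSTNAME.key (unencrypted 2048-bit RSA, mode 0600) and
# DIR/HOSTNAME.cert (self-signed, valid for DAYS days, default 3650).
make_mail_cert() {
    dir=$1; host=$2; days=${3:-3650}
    mkdir -p "$dir"
    cfg=$(mktemp)
    # The hostname goes into both the CN and a subjectAltName: current
    # mail clients match the server name against the SAN, not the CN.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $host
[v3]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    # umask 077 in a subshell: the key is never world-readable, not even
    # briefly, and the caller's umask is left untouched.
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -days "$days" -config "$cfg" \
        -keyout "$dir/$host.key" -out "$dir/$host.cert" 2>/dev/null )
    rc=$?
    rm -f "$cfg"
    [ $rc -eq 0 ] && chmod 644 "$dir/$host.cert"   # the certificate is public
    return $rc
}

# check_mail_cert DIR HOSTNAME
# Returns 0 only if the key and certificate share one public key, the
# certificate names HOSTNAME, it is currently valid, and the key file is
# readable by its owner alone. Each failure is reported on stderr.
check_mail_cert() {
    dir=$1; host=$2
    key="$dir/$host.key"; cert="$dir/$host.cert"; ok=0

    # Both commands print the same SubjectPublicKeyInfo in PEM if they match.
    keypub=$(openssl rsa -in "$key" -pubout 2>/dev/null)
    certpub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    if [ -z "$keypub" ] || [ "$keypub" != "$certpub" ]; then
        echo "check: $key does not match $cert" >&2; ok=1
    fi

    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q "DNS:$host"; then
        echo "check: $cert does not name $host in subjectAltName" >&2; ok=1
    fi

    # -checkend 0 exits non-zero once the certificate has expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "check: $cert has expired" >&2; ok=1
    fi

    # Columns 5-10 of ls -l are the group and other permission bits.
    if [ "$(ls -l "$key" | cut -c5-10)" != "------" ]; then
        echo "check: $key is readable by group or others" >&2; ok=1
    fi
    return $ok
}

# show_mail_cert DIR HOSTNAME
# Prints subject, validity dates and the SHA-256 fingerprint. The
# fingerprint is what to compare against the "untrusted certificate"
# warning in Mail, Thunderbird or Outlook before accepting it.
show_mail_cert() {
    openssl x509 -in "$1/$2.cert" -noout -subject -dates -fingerprint -sha256
}

# Usage:
#   make_mail_cert /tmp/tls mail.demoslice.com 3650 &&
#   check_mail_cert /tmp/tls mail.demoslice.com &&
#   show_mail_cert /tmp/tls mail.demoslice.com
```

Run check_mail_cert against the genkey output as well (with DIR pointing at the real files, or after copying them somewhere together); a key that does not match its certificate, or one readable by every local user, is a more common cause of a broken or compromised mail setup than anything in the Postfix configuration itself.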

Summary

Using secure connections is an important part of running a mail server. Creating a self-signed certificate is an easy process with the genkey command, but mail clients will warn about the certificate until you have checked its fingerprint and told them to trust it.

You will need a certificate from a CA that your users' mail clients already trust if you plan to host other people's mail or have other people accessing the mail server.

The next article looks at configuring Postfix to utilize our certificate for secure connections.

Article Comments:

irfan commented Fri Dec 17 02:17:22 UTC 2010:

Sorry, I want to buy a certificate, but where?

Tony commented Wed Oct 05 20:42:29 UTC 2011:

Like irfan, I'd love to know the process for buying and applying a certificate from a CA.

I want to put together an IMAP server for myself but realise that ultimately there will be others using it in future if my experience goes well; might as well do it properly from the outset :)

Quan Lee commented Thu May 16 23:44:14 UTC 2013:

Thanks for such an informational post, I'm hooked up to your blog from now on.
