This is an old revision of the document!
Informationen über die minad.de SSL-Zertifkikate
minad.de hat - wie jeder ordentliche Server SSL-Zertifikate um SSL-Gesicherten Datenaustausch zu ermöglichen. Zur Zeit verwenden wir selbstsignierte Zertifikate, d.h wir haben eine eigene CA, die die minad.de Zertifikate bestätigt.
Import des CA-Zertifikats
Um den Warnungen über das “Unbekannte Zertifikat” aus dem Weg zu gehen, muss man dem CA-Zertifikat vertrauen. Das macht man in dem man Das CA-Zertifikat herunterläd (MD5: bbe87ea5d86c7b3764973a8c88583aa7) und im Betriebssystem importiert
Linux
certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n minad -i cacert.pem
Windows
- Start → Ausführen → “mmc”
- Datei → Snap-In hinzufügen → Hinzufügen…
- Zertifikate in der Liste auswählen → “Eigener Benutzer” → Ok
- Doppelklick auf Zertifikate → Rechtsklick auf “Vertrauenswürdige Stammzertifikatstellen” → Alle Aufgaben → Importieren
- Das “cacert.pem” auswählen → Weiter…
Und schon sollte das Zertifikat importiert sein. Ein Kinderspiel, quasi!
Android
Android erwartet ein anderes Zertifikatsformat, das man mit
openssl x509 -inform PEM -outform DER -in cacert.pem -out minad_cacert.crt
Umwandeln könnte. Das wurde allerding schon erledigt und kann hier komfortabel heruntergeladen werden. ( MD5SUM: e0413923296663efd62b6a0aa48582d7 minad_cacert.crt )
Danach - je nach Version - in den “Einstellungen” über “Sicherheit” auf “Von Speicher installieren” wählen.
Verwendung der Zertifikate auf dem Server
Die Zertifikate liegen im Verzeichnis /etc/ssl/minad_selfsigned_v3/. Darin gibt es:
- minad.de-cert.pem
- minad.de-key.pem
- minad.de-chained-nopw.pem
Das -cert ist das x509 Zertifikat. Das -key ist der Passwortverschlüsselte key. Unter Chained ist erst der nicht mit Passwort versehene Key, und dann das Zertifikat abgelegt. Letzeres ist die von den Serverdiensten verwendete Datei, da sonst bei jedem Neustart das Passwort eingegeben werden müsste.
lighttpd
- /etc/lighttpd/lighttpd.conf
$SERVER["socket"] == ":443" { ssl.engine = "enable" ssl.pemfile = "/etc/ssl/minad_selfsigned_v3/minad.de-chained-nopw.pem" ssl.ca-file = "/etc/ssl/minad_selfsigned_v3/cacert.pem" ssl.cipher-list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-$ ssl.dh-file = "/etc/ssl/minad.de_selfsigned/dh2048.pem" ssl.ec-curve = "secp384r1" ssl.honor-cipher-order = "enable" }
Postfix/dovecot
- /etc/postfix/main.cf
# we wannt secure connections smtpd_tls_security_level = may smtpd_tls_auth_only = yes #new certs minad_selfsigned_v3 25.04 smtpd_tls_cert_file = /etc/ssl/minad_selfsigned_v3/minad.de-chained-nopw.pem smtpd_tls_key_file = $smtpd_tls_cert_file #we want high encryption #smtpd_tls_mandatory_ciphers = high smtpd_tls_mandatory_exclude_ciphers = aNULL, MD5 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 #ecliptic curve crypto? we has it smtpd_tls_dh1024_param_file = /etc/postfix/dh_1024.pem smtpd_tls_dh512_param_file = /etc/postfix/dh_512.pem smtpd_tls_eecdh_grade = strong # outgoing mails shall also use tls smtp_tls_security_level = may smtp_tls_loglevel = 1
- /etc/dovecot/conf.d/10-ssl.conf
## ## SSL settings ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf ssl_cert = </etc/ssl/minad_selfsigned_v3/minad.de-chained-nopw.pem ssl_key = </etc/ssl/minad_selfsigned_v3/minad.de-chained-nopw.pem
Erstellen der CA und der Zertifikate
- -
minad minad_selfsigned_v3 # /etc/ssl/misc/CA.pl -newca CA certificate filename (or enter to create) Making CA certificate ... Generating a 8192 bit RSA private key .......................................................................................................................................................................++ .......................................................................................................................................................................................................................++ writing new private key to './demoCA/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Bavaria]: Locality Name (eg, city) []: Organization Name (eg, company) [minad]: Organizational Unit Name (eg, section) []: first Common Name (eg, YOUR name) [minad.de]: Email Address [root@minad.de]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/ssl/openssl.cnf Enter pass phrase for ./demoCA/private/cakey.pem: Check that the request matches the signature Signature ok Certificate Details: Serial Number: 14186275591684022291 (0xc4dfc67d101ee013) Validity Not Before: Apr 25 09:10:49 2014 GMT Not After : Apr 22 09:10:49 2024 GMT Subject: countryName = DE stateOrProvinceName = Bavaria organizationName = minad commonName = minad.de emailAddress = root@minad.de X509v3 extensions: X509v3 Subject Key Identifier: 29:9E:B7:29:CB:7F:2A:A6:5F:A7:B6:D4:12:89:37:2D:EA:23:73:B8 X509v3 Authority Key Identifier: keyid:29:9E:B7:29:CB:7F:2A:A6:5F:A7:B6:D4:12:89:37:2D:EA:23:73:B8 X509v3 Basic Constraints: CA:TRUE Certificate is to be certified until Apr 22 09:10:49 2024 GMT (3650 days) Write out database with 1 new entries Data Base Updated minad minad_selfsigned_v3 # /etc/ssl/misc/CA.pl -newreq Generating a 8192 bit RSA private key .................................++ ...........................................................................................................................................................................................................................................................................................................++ writing new private key to 'newkey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]:DE State or Province Name (full name) [Bavaria]: Locality Name (eg, city) []: Organization Name (eg, company) [minad]: Organizational Unit Name (eg, section) []: first Common Name (eg, YOUR name) [minad.de]: Email Address [root@minad.de]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Request is in newreq.pem, private key is in newkey.pem minad minad_selfsigned_v3 # rm newreq.pem minad minad_selfsigned_v3 # mv newkey.pem minad.de-key.pem minad minad_selfsigned_v3 # mv newcert.pem minad.de-cert.pem minad minad_selfsigned_v3 # openssl rsa -in minad.de-key.pem -out minad.de-chained-nopw.pem Enter pass phrase for minad.de-key.pem: writing RSA key minad minad_selfsigned_v3 # openssl x509 -in minad.de-cert.pem >> minad.de-chained-nopw.pem minad minad_selfsigned_v3 # ln -sv demoCA/cacert.pem ./