LinuxQuestions.org
Old 07-28-2003, 10:23 AM   #1
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Rep: Reputation: 30
Quick OpenSSL how to


Okay, I've seen several people posting here about problems with OpenSSL, so I just thought I'd post a quick 3 step process that can be followed through by all when they're creating a self-signed certificate:

==============================================
1. Creating an RSA private key using a random bit pattern (-des3 adds a triple-DES encrypted password of your choice to protect the private key).

# openssl genrsa -des3 -rand /dev/urandom -out private.key

2. Creating a Certificate Signing Request (CSR); if you want, you can send this to a CA to get it signed, or move to step 3 and sign it yourself.

# openssl req -new -key private.key -out public.csr

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: wherever
Locality Name (eg, city) []:Sesame street
Organization Name (eg, company) [Internet Widgits Pty Ltd]: company name
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: whatever.com (Must match the DNS name of Web server to avoid problems)
Email Address []: somebody@somewhere.com

3. Creating a self-signed x509 certificate based on the private key and CSR
# openssl x509 -req -days 1095 -in public.csr -signkey private.key -out public.cert
==============================================

I know this is a relatively quick explanation but it should help anyone who wants to use OpenSSL to create an RSA-based public/private key pair.

Please let me know if there are any errors, or if it's of assistance to you.

Dai

Last edited by dai; 07-28-2003 at 10:24 AM.
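The three steps above run non-interactively, followed by the checks worth running before the certificate is deployed (does the key belong to the cert, is the CN the hostname clients will use, is it within its validity period). This is an added example, not code from the thread; it assumes openssl is on PATH, and the passphrase, subject and hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: dai's three steps run non-interactively,
# followed by the checks to run before the certificate is deployed.
# Assumptions: openssl on PATH; passphrase, subject and hostname are placeholders.

make_selfsigned() {
    # $1 = work dir, $2 = DNS name for the CN, $3 = passphrase protecting the key
    dir=$1; cn=$2; pass=$3
    mkdir -p "$dir"
    # Step 1: encrypted RSA key. The post used -des3; AES-256 is the current choice.
    # Current OpenSSL seeds its RNG itself, so the post's -rand /dev/urandom is not needed.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/private.key" 2048 2>/dev/null
    # Step 2: CSR. -subj answers the prompts; CN must be the name clients connect to.
    openssl req -new -key "$dir/private.key" -passin "pass:$pass" \
        -subj "/C=GB/ST=wherever/L=Sesame street/O=company name/CN=$cn" \
        -out "$dir/public.csr"
    # Step 3: self-sign for 1095 days, as in the post.
    openssl x509 -req -days 1095 -in "$dir/public.csr" -signkey "$dir/private.key" \
        -passin "pass:$pass" -out "$dir/public.cert" 2>/dev/null
}

# Prints "ok" and returns 0 only if the key belongs to the cert, the CN is the
# expected hostname, and the cert is inside its validity period.
check_selfsigned() {
    dir=$1; cn=$2; pass=$3
    keymod=$(openssl rsa -noout -modulus -in "$dir/private.key" -passin "pass:$pass")
    certmod=$(openssl x509 -noout -modulus -in "$dir/public.cert")
    [ "$keymod" = "$certmod" ] || { echo "key does not match certificate"; return 1; }
    # Works with both the old "/CN=host" and the newer "CN = host" subject formats.
    openssl x509 -noout -subject -in "$dir/public.cert" | grep -q "CN *= *$cn" \
        || { echo "CN is not $cn"; return 1; }
    openssl x509 -noout -checkend 0 -in "$dir/public.cert" >/dev/null \
        || { echo "certificate has expired"; return 1; }
    echo ok
}

# Demonstration with constructed values (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_selfsigned "$work" whatever.com example-passphrase
    check_selfsigned "$work" whatever.com example-passphrase
fi
```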
 
Old 07-28-2003, 03:56 PM   #2
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
I followed this exactly.

Set my sendmail.mc to

define(`confCACERT_PATH',`/usr/share/ssl/mycert')
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')
define(`confSERVER_CERT',`/usr/share/ssl/mycert/mycert.cert')
define(`confSERVER_KEY',`/usr/share/ssl/mycert/mycert.key')
define(`confCLIENT_CERT',`/usr/share/ssl/mycert/mycert.cert')
define(`confCLIENT_KEY',`/usr/share/ssl/mycert/mycert.key')

And when I check my mail with Eudora 5.1 I get
Server does not support SSL.

Where do I start to fix this? I am going to look at the logs now to see if I notice anything since that is what everyone says to do... but I am not sure what I am looking for.

Thanks
 
Old 07-28-2003, 04:04 PM   #3
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Firstly, as you're using the certificates I am assuming that the process outlined worked for you?

With regards to the SSL not supported problem I'm not sure really what to say as I've not tried to use SSL with a mail server. As you said the best thing to do is check the logs etc...

It seems from the error you're providing that the certificate and private key are working fine but there's a problem with the setup of the Sendmail server. I'm just guessing here so bear with me (never really worked with Sendmail yet). Is it possible that you need to carry out further configuration to support SSL?

For example with Apache 1.3 you need mod_ssl to communicate with OpenSSL. Is it possible that you need something similar for Sendmail? Also I don't think you need to specify a server certificate, only a client certificate. Also only the server needs to know where the private key is, not the client.

Again sorry I can't be any more help but I've not really worked with Sendmail.

Hope to have helped (somewhat)

Dai

Last edited by dai; 07-28-2003 at 04:11 PM.
 
Old 07-28-2003, 04:26 PM   #4
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Yes, once I let go and just followed your steps without fear the instructions worked fine.

Actually that much I had managed but using the MAKE that comes with Redhat in openssl.

I am not sure about the additional configs for sendmail but I will look. I will try cutting out the server side config and see if that helps.

Thanks for trying...
 
Old 07-28-2003, 04:28 PM   #5
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
No problem, if it still doesn't work just post back; perhaps I can help by offering a different perspective, or perhaps some other kind person who knows more about Sendmail than me could help.
 
Old 07-28-2003, 04:37 PM   #6
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Well I found the line in sendmail...

DAEMON_OPTIONS(`Port=smtps, Name=TLSMTA, M=s')dnl

but now I get:
Error reading from network Cause: Connection closed by foreign host. (0)

Back to the log I guess.

nothing in 'messages' and nothing in 'maillog'

Last edited by markstevens; 07-28-2003 at 04:44 PM.
 
Old 07-28-2003, 04:41 PM   #7
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Well at least you're getting somewhere.

Why don't you try googling for some information on how to set up Sendmail using SSL? That may help with the configuration problems you're getting.

Post back with how the problem is progressing, hopefully you will be able to use the SSL connection soon.

Dai
 
Old 07-28-2003, 04:45 PM   #8
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Try this, it might help get the SSL connection working

http://www.ofb.net/~jheiss/sendmail/tlsandrelay.shtml
 
Old 07-29-2003, 08:45 AM   #9
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Thanks for the link. I am working that angle right now. Would be nice to have a test server. Phone keeps ringing every time I try a new config.

I'll keep posting results. I seem to be the worst case scenario so if I can get it going anyone can.
 
Old 07-29-2003, 08:58 AM   #10
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
Glad to be able to help.

I can help with the phone as well, try taking it off the hook.
 
Old 07-29-2003, 10:10 AM   #11
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
How can I tell if my version of sendmail is compiled with SSL support? I am using the out of the box Red Hat 9 Professional build of sendmail, only making changes to the sendmail.mc file.

For some reason I am still getting the error. It is driving me nuts.

I have tried time and again creating new certs and keys over and over again. Nothing seems to work...
 
Old 07-29-2003, 10:14 AM   #12
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
All I can suggest is get a source code copy of sendmail and compile it yourself with support for SSL, then try it again.

From the error you're getting (Server does not support SSL) it would indicate SSL support is not included in the pre-built copy you are using.

Last edited by dai; 07-29-2003 at 10:15 AM.
 
Old 07-29-2003, 11:35 AM   #13
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
Working on doing it all one more time from scratch....

but when I do:

openssl ca -config openssl.cnf -policy policy_anything -out newcert.pem -infiles tmp.pem

while in /etc/mail/certs/CA, and /etc/mail/certs/CA/private/cakey.pem does exist.

I get:
Error opening CA private key ./CA/private/cakey.pem

In the openssl.cnf file it lists the directory for everything as ./CA

What does the ./ do?

Anyway... I think if I can get past this glitch I can get this to work...
 
Old 07-29-2003, 11:43 AM   #14
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Original Poster
Rep: Reputation: 30
It just means from the directory that is specified as the default location of the certificate, e.g. /ssl/key, that ./CA/keyname.pem is not found, or the full path /ssl/key/CA/keyname.key isn't found.

Possibly got the wrong path of where the key is stored.
 
Old 07-29-2003, 12:13 PM   #15
markstevens
Member
 
Registered: Jun 2003
Posts: 86

Rep: Reputation: 15
pwd reveals /etc/mail/certs/CA/private
ls reveals cakey.pem

so /etc/mail/certs/CA/private/cakey.pem

in /etc/mail/certs/CA/openssl.cnf

----snip----
[ CA_default ]
dir = ./CA #where everything is kept
----snip----
private_key = $dir/private/cakey.pem #The private key
----snip----


Grrr.... what am I missing... must be something so simple...


Here is the whole [ CA_default ]

####################################################################
[ ca ]
default_ca = CA_default # The default ca section

####################################################################
[ CA_default ]

dir = ./CA # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.

certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file

x509_extensions = usr_cert # The extentions to add to the cert
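Relative paths in openssl.cnf are resolved against the directory openssl is run from, not against the location of the config file, so `dir = ./CA` only works when the command is issued from the parent of the CA directory. The following added example (not from the thread) resolves the private_key path the CA_default section above would produce for a given working directory; it assumes a POSIX sh and writes a constructed copy of the relevant lines to a temp file.

```shell
#!/bin/sh
# Added example, not from the thread: show which file "openssl ca" will open for
# private_key, given the [ CA_default ] settings and the current working directory.
# Assumes a POSIX sh; the config written below is a constructed copy of the thread's lines.

# Print the absolute private_key path that openssl would try, for config $1 run from directory $2.
resolve_ca_key() {
    cnf=$1; cwd=$2
    # Take the value of "dir" and "private_key", stripping any trailing "# comment".
    dir=$(sed -n 's/^[[:space:]]*dir[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$cnf" | head -n1)
    key=$(sed -n 's/^[[:space:]]*private_key[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p' "$cnf" | head -n1)
    # Expand the $dir variable the same way openssl does.
    case $key in
        '$dir'/*) key="$dir${key#\$dir}" ;;
    esac
    # A relative result is anchored at the working directory of the openssl process.
    case $key in
        /*) printf '%s\n' "$key" ;;
        *)  printf '%s/%s\n' "$cwd" "${key#./}" ;;
    esac
}

# Constructed config with the two lines that matter from the thread's [ CA_default ].
tmpcnf=$(mktemp)
cat > "$tmpcnf" <<'EOF'
[ CA_default ]
dir = ./CA # Where everything is kept
private_key = $dir/private/cakey.pem# The private key
EOF

# Run from inside the CA directory (as in the thread): the path gains an extra "CA/".
resolve_ca_key "$tmpcnf" /etc/mail/certs/CA      # /etc/mail/certs/CA/CA/private/cakey.pem
# Run from the parent directory: the path matches the file that actually exists.
resolve_ca_key "$tmpcnf" /etc/mail/certs         # /etc/mail/certs/CA/private/cakey.pem
rm -f "$tmpcnf"
```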