CFSSL FTW

After reading how CloudFlare handles their PKI and that LetsEncrypt will use it I wanted to give CFSSL a shot.

Reading the project’s documentation doesn’t really help in building your own CA, but searching the Internet I found Fernando Barillas’ blog explaining how to create your own root certificate and how to create intermediate certificates from this.

I took it a step further and wrote a script that generates new certificates for several services, using different intermediates and possibly different configurations (depending on your distro and services, certain ciphers, e.g. ECC-based ones, may not be supported).
I also streamlined generating service-specific key, cert and chain files. 😀

Have a look at the full Gist or just the most interesting part:

You’ll still have to deploy them yourself.

Update 2016-10-04:
Fixed some issues with this Gist.

  • Fixed a bug where intermediate CA certificates weren’t marked as CAs any more
  • Updated the example CSRs and the script so it can now be run without errors

Update 2017-10-08:

  • Cleaned up `renew-certs.sh` by extracting functions for generating root CA, intermediate CA and service keys.

Custom CAs everywhere

I recently finished introducing custom CA infrastructure in two instances, each with two sub-CAs, two servers and a bunch of users. The “create your own CA” part was quite easy after I found a dated but still accurate tutorial. In hindsight it is quite silly that I didn’t do this before.

On the server side I had to make it work on:

  • Apache
  • Nginx
  • Postfix
  • Cyrus
  • Dovecot

Each expects its own format and packing of certificates, keys and certificate chains. :/

On the client side I had to produce installation and configuration how-tos for Windows and OS X and a bunch of popular browsers and email clients. Then there is the “user education” part … this is still in progress, but it’s looking good.

All in all, I’m happy with the result. 🙂

Howto Renew Your SSL Certificates

My IMAP server certificate expired today … so I needed to renew it. I use self-signed certificates for the services I run myself.

First you need your config file. If you don’t have one, openssl will prompt you interactively for the subject fields instead (the Ubuntu Wiki has a nice introduction).

[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no

[ req_dn ]
C=DE
ST=HB
L=Bremen
O=IMAP-Server
OU=Automatically-generated IMAP SSL key
CN=imap.your-domain.tld
emailAddress=postmaster@yourdomain.tld

[ cert_type ]
nsCertType = server

Then you generate the new certificate (expiring in 365 days) using the config file from above (imapd.cnf) and have openssl write both the new key and the certificate into imapd.pem.

openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config imapd.cnf -keyout imapd.pem -out imapd.pem

Restart your service.

If you need to check the new certificate’s fingerprint you can get it with the following command.

openssl x509 -in imapd.pem -fingerprint
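As an added example (not code from the original post), here is the renewal above as a small shell script that also does the checks I would want before restarting a service: it writes the config from the post, generates key and certificate, confirms the certificate is valid for the requested period, confirms the key actually matches the certificate, and prints the fingerprint. It assumes the openssl CLI is on PATH; the working directory and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is on
# PATH; the working directory and file names are constructed for the example.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Same config as in the post; prompt = no makes openssl read the DN from the file.
write_config() {
  cat > "$WORK/imapd.cnf" <<'EOF'
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
C=DE
ST=HB
L=Bremen
O=IMAP-Server
OU=Automatically-generated IMAP SSL key
CN=imap.your-domain.tld
emailAddress=postmaster@yourdomain.tld
[ cert_type ]
nsCertType = server
EOF
}
# Fresh key and self-signed cert valid for $1 days; key and cert go to separate
# files and are then concatenated into imapd.pem (the combined form the post uses).
renew_cert() {
  openssl req -x509 -days "$1" -nodes -newkey rsa:2048 -config "$WORK/imapd.cnf" \
    -keyout "$WORK/imapd.key" -out "$WORK/imapd.crt" 2>/dev/null
  cat "$WORK/imapd.key" "$WORK/imapd.crt" > "$WORK/imapd.pem"
}
# Exit 0 if the cert is still valid $1 days from now, 1 if it expires before then.
valid_for_days() {
  openssl x509 -in "$WORK/imapd.crt" -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}
# Exit 0 only if the private key and the certificate carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/imapd.key" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$WORK/imapd.crt" -noout -pubkey)
  [ "$k" = "$c" ]
}
# SHA-256 fingerprint of the certificate (colon-separated hex bytes, no cert body).
fingerprint() {
  openssl x509 -in "$WORK/imapd.crt" -noout -fingerprint -sha256 | cut -d= -f2
}
```

Run it as `write_config; renew_cert 365; valid_for_days 30 && key_matches_cert && fingerprint` and only then restart the service.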