After reading how CloudFlare handles their PKI and that LetsEncrypt will use it I wanted to give CFSSL a shot.
Reading the project’s documentation doesn’t really help in building your own CA, but searching the Internet I found Fernando Barillas’ blog explaining how to create your own root certificate and how to create intermediate certificates from this.
I took it a step further I wrote a script generating new certificates for several services with different intermediates and possibly different configurations (e.g. depending on your distro and services certain cyphers (e.g. using ECC) may not be supported).
I also streamlined generating service specific key, cert and chain files. 😀
Have a look at the full Gist or just the most interesting part:
You’ll still have to deploy them yourself.
Fixed some issues with this Gist.
- Fixed a bug where intermediate CA certificates weren’t marked as CAs any more
- Updated the example CSRs and the script so it can now be run without errors
- Cleaned up
renew-certs.sh by extracting functions for generating root CA, intermediate CA and service keys.
So my IMAP server certificate expired today … so I needed to renew it. I use self-signed certificates for services I run myself.
First you need your config file. If you don’t have this you will be prompted to do so. (the Ubuntu Wiki has a nice introduction)
[ req ]
default_bits = 2048
encrypt_key = yes
distinguished_name = req_dn
x509_extensions = cert_type
prompt = no
[ req_dn ]
OU=Automatically-generated IMAP SSL key
[ cert_type ]
nsCertType = server
Then you generate the new certificate (expiring in 365 days) using the config file from above (imapd.cnf) and have it save it into imapd.pem.
openssl req -x509 -days 365 -nodes -newkey rsa:2048 -config imapd.cnf -keyout imapd.pem -out imapd.pem
Restart your service.
If you need to check the new key’s fingerprint you can get it with the following command.
openssl x509 -in imapd.pem -fingerprint