How to generate custom self-signed SSL certificates and apply them to Postfix

Created: 2016-11-16 13:14:04 UTC

Modified: 2017-04-25 13:17:58 UTC


Applicable to:

  • Plesk for Linux
  • Plesk 11.0 for Linux
  • Plesk 11.5 for Linux
  • Plesk 12.0 for Linux

Question

How to generate custom self-signed SSL certificates and apply them to Postfix?

Answer

  1. Create a root private key:

    # openssl genrsa -out rootCA.key 2048
  2. Change permissions of this private key to 400:

    # chmod 400 /usr/share/ssl/certs/postfix/rootCA.key
  3. Create a self-signed root certificate:

    # openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem

    Enter the following data when prompted (change the values as required):

    Country Name (2 letter code) [AU]:XX
    State or Province Name (full name) [Some-State]:SomeState
    Locality Name (eg, city) []:SomeCity
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Company Co
    Organizational Unit Name (eg, section) []:Company Co
    Common Name (e.g. server FQDN or YOUR name) []:example.com
    Email Address []:admin@example.com
  4. Create a private key for the final certificate:

    # openssl genrsa -out device.key 2048
  5. Create a certificate signing request:

    # openssl req -new -key device.key -out device.csr
  6. Finally, create the server certificate, signed with the root CA certificate and the root private key:

    # openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days 500
  7. Change the Postfix configuration in /etc/postfix/main.cf to use the newly created certificates:

    #smtpd_tls_key_file = /etc/postfix/postfix_default.pem
    #smtpd_tls_cert_file = /etc/postfix/postfix_default.pem
    #smtpd_tls_CAfile = /etc/postfix/postfix_default.pem
    smtpd_tls_key_file = /usr/share/ssl/certs/postfix/device.key
    smtpd_tls_cert_file = /usr/share/ssl/certs/postfix/device.crt
    smtpd_tls_CAfile = /usr/share/ssl/certs/postfix/rootCA.pem
  8. Restart the Postfix service:

    [root@centos ~]# service postfix restart
    Shutting down postfix: [ OK ]
    Starting postfix: [ OK ]

All newly generated files should be created in the folder /usr/share/ssl/certs/postfix/ (you can use a different folder, but the paths in the Postfix configuration must then be changed to match).

After these steps, Postfix will work with the new certificates:

[root@centos ~]# openssl s_client -crlf -connect localhost:465
CONNECTED(00000003)
depth=0 C = US, ST = SomeState, L = SomeCity, O = Company Co, OU = Company Co, CN = example.com, emailAddress = admin@example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = SomeState, L = SomeCity, O = Company Co, OU = Company Co, CN = example.com, emailAddress = admin@example.com
verify return:1
---
Certificate chain
0 s:/C=PK/ST=SomeState/L=SomeCity/O=Company Co/OU=Company Co/CN=example.com/emailAddress=admin@example.com
i:/C=PK/ST=SomeState/L=SomeCity/O=Company Co/OU=Company Co/CN=example.com/emailAddress=admin@example.com
---
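
The files from steps 1-6 can be checked before Postfix is restarted. The script below is an added example, not part of the original article: `check_postfix_certs` and `build_sample_pki` are hypothetical names, the subject values passed to `-subj` are constructed, and it assumes GNU `stat` and `openssl` on the PATH. It confirms that device.key matches device.crt, that device.crt verifies against rootCA.pem, that subject and issuer differ (identical names, as in the output above, produce verify error 18), and that rootCA.key is mode 400.

```shell
#!/usr/bin/env bash
# Added example (not from the original article). Function names are hypothetical.

# Re-run steps 1-6 non-interactively in DIR, with constructed subject names.
build_sample_pki() {  # usage: build_sample_pki DIR ROOT_SUBJ SERVER_SUBJ
    local dir="$1"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    chmod 400 "$dir/rootCA.key"
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -days 1024 \
        -subj "$2" -out "$dir/rootCA.pem"
    openssl genrsa -out "$dir/device.key" 2048 2>/dev/null
    openssl req -new -key "$dir/device.key" -subj "$3" -out "$dir/device.csr"
    openssl x509 -req -in "$dir/device.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -out "$dir/device.crt" \
        -days 500 2>/dev/null
}

# Return 0 only if the files in DIR are consistent with what main.cf expects.
check_postfix_certs() {
    local dir="$1" rc=0 kmod cmod subj iss
    # device.key must be the key that device.crt was issued for.
    kmod=$(openssl rsa -in "$dir/device.key" -noout -modulus 2>/dev/null)
    cmod=$(openssl x509 -in "$dir/device.crt" -noout -modulus 2>/dev/null)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] \
        || { echo "FAIL: device.key does not match device.crt"; rc=1; }
    # device.crt must verify against the root named in smtpd_tls_CAfile.
    openssl verify -CAfile "$dir/rootCA.pem" "$dir/device.crt" >/dev/null 2>&1 \
        || { echo "FAIL: device.crt does not chain to rootCA.pem"; rc=1; }
    # Same subject and issuer makes the leaf look self-signed (verify error 18).
    subj=$(openssl x509 -in "$dir/device.crt" -noout -subject 2>/dev/null)
    iss=$(openssl x509 -in "$dir/device.crt" -noout -issuer 2>/dev/null)
    [ "${subj#subject=}" != "${iss#issuer=}" ] \
        || { echo "FAIL: subject equals issuer; give the root CA its own name"; rc=1; }
    # Step 2 of the article: the root private key is mode 400.
    [ "$(stat -c '%a' "$dir/rootCA.key" 2>/dev/null)" = "400" ] \
        || { echo "FAIL: rootCA.key is not mode 400"; rc=1; }
    return $rc
}

# Run against a directory given on the command line, e.g. the article's folder.
if [ -n "${1:-}" ]; then check_postfix_certs "$1"; fi
```

Run it as `bash check.sh /usr/share/ssl/certs/postfix` (the file name is arbitrary); a non-zero exit status means at least one check failed.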