How are x509 certificates and key files handled on MOSH servers?

MOSH servers are configured to provide apache, postfix and courier services on a single server.

All three programs rely on the same x509 certificates and the same keys, however, they reference these keys in three different ways.

All MOSH servers should have the following files:

• /etc/ssl/HOST.mayfirst.org.crt: contains both the TLS certificate and any required intermediary certificates (server cert first, intermediary second)
• /etc/ssl/private/HOST.mayfirst.org.pem: contains both the key file and the TLS certificate and any required intermediary certificates (in that order)

If, for some reason, the MOSH server is using a common name other than HOST.mayfirst.org (e.g. secure.critpath.org is used instead of didier.mayfirst.org), then the files should be named after the common name (secure.critpath.org) and HOST.mayfirst.org should be a symlink to the actual file. This naming convention helps us easily identify what common name the certificates should be presenting.

Service configuration

• courier: /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl:

  TLS_CERTFILE=/etc/ssl/private/HOST.mayfirst.org.pem
  

• apache: /etc/apache2/sites-available/HOST.mayfirst.org.ssl:

  SSLCertificateFile=/etc/ssl/HOST.mayfirst.org.crt
  SSLCertificateChainFile=/etc/ssl/HOST.mayfirst.org.crt
  SSLCertificateKeyFile=/etc/ssl/private/HOST.mayfirst.org.pem
  

• postfix: /etc/postfix/main.cf:

  smtpd_tls_cert_file=/etc/ssl/didier.mayfirst.org.crt
  smtpd_tls_key_file=/etc/ssl/private/HOST.mayfirst.org.pem