wiki:mosh-x509

Version 9 (modified by Jamie McClelland, 9 years ago)

How are X.509 certificates and key files handled on MOSH servers?

MOSH servers are configured to provide apache, postfix and courier services on a single server.

All three programs rely on the same X.509 certificate and the same private key; however, each of them references these files in a different way.

All MOSH servers should have the following files:

  • /etc/ssl/HOST.mayfirst.org.crt: contains both the X.509 End Entity (EE) certificate and any required intermediary certificates (server (EE) cert first, intermediary second)
  • /etc/ssl/private/HOST.mayfirst.org.pem: contains the key file, the EE certificate, and any required intermediary certificates (in that order)
  • /etc/ssl/HOST.mayfirst.org.csr: certificate signing request (CSR), used to request a new certificate when the existing one expires

On a new server, puppet generates a 2048-bit RSA key as /etc/ssl/private/HOST.mayfirst.org.uncertified.key and a matching CSR as /etc/ssl/HOST.mayfirst.org.csr. In addition, /etc/ssl/HOST.mayfirst.org.crt is created as a symlink to /etc/ssl/cert/ssl-cert-snakeoil.pem and /etc/ssl/private/HOST.mayfirst.org.pem as a symlink to /etc/ssl/private/ssl-cert-snakeoil.key. These symlinks exist so that the services that depend on the files start properly before a real certificate has been installed.

A sysadmin is required to submit the CSR to cheapssls.com (or another member of the CA cartel). Choose domain@mayfirst.org as the confirmation email address and info@mayfirst.org as the email address associated with the certificate. Choose RapidSSL as the provider (the site offers many X.509 certificate providers). Once the sysadmin has the certificate, s/he should replace the symlinked files with the real files:

  • replace the /etc/ssl/HOST.mayfirst.org.crt symlink with a file containing the actual certificate and any intermediary certificates
  • delete the /etc/ssl/private/HOST.mayfirst.org.pem symlink
  • move /etc/ssl/private/HOST.mayfirst.org.uncertified.key to /etc/ssl/private/HOST.mayfirst.org.pem
  • append both the certificate and any intermediary certificates to /etc/ssl/private/HOST.mayfirst.org.pem
  • restart apache2, postfix, courier-imap-ssl and courier-pop-ssl
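The steps above are easy to get subtly wrong (key and certificate in the wrong order, the snakeoil symlink left in place, a key that does not belong to the certificate), and each of those failures only shows up when a service refuses to start. The script below is an added example, not part of this wiki page or of May First's puppet code; it assembles the combined file as described and checks its layout and key/certificate match before anything is restarted. It assumes the page's file naming convention and that openssl is installed for the key match check.

```shell
#!/bin/sh
# Added example (not from the MOSH wiki or May First's puppet code): build the
# combined key+certificate file the page describes and sanity-check it before
# restarting apache2, postfix and courier. Paths follow the page's convention.
set -eu

# Print the PEM block labels of a file, one per line, in file order
# (e.g. "RSA PRIVATE KEY", "CERTIFICATE", "CERTIFICATE").
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Assemble the combined file: key first, then the .crt (EE cert, then
# intermediates). Written under umask 077 because it carries the private key.
assemble_pem() {
    ( umask 077; cat "$1" "$2" > "$3" )
}

# Check the combined file's layout: a regular file (not the snakeoil symlink),
# exactly one private key, placed first, followed by at least one certificate.
check_pem_layout() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    labels=$(pem_labels "$1")
    keys=$(printf '%s\n' "$labels" | grep -c 'PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$labels" | grep -c '^CERTIFICATE$' || true)
    case "$(printf '%s\n' "$labels" | head -n 1)" in
        *"PRIVATE KEY") ;;
        *) return 1 ;;
    esac
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Confirm the private key in the combined file matches the first certificate
# in it (openssl reads the first key and the first cert it finds). Requires
# openssl; a mismatch here is what makes the services fail to start.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Usage: sh mosh-cert-check.sh HOST   (runs both checks on the live file)
if [ $# -eq 1 ]; then
    pem="/etc/ssl/private/$1.mayfirst.org.pem"
    check_pem_layout "$pem" || { echo "bad layout: $pem" >&2; exit 1; }
    key_matches_cert "$pem" || { echo "key/cert mismatch: $pem" >&2; exit 1; }
    echo "$pem looks ready; restart apache2, postfix, courier-imap-ssl, courier-pop-ssl"
fi
```

Run it as root after step four and before restarting the services; if it reports a bad layout, the .pem still needs rebuilding from the uncertified key and the .crt.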

If, for some reason, the MOSH server is using a common name other than HOST.mayfirst.org (e.g. secure.critpath.org is used instead of didier.mayfirst.org), then the files should be named after the common name (secure.critpath.org) and HOST.mayfirst.org should be a symlink to the actual file. This naming convention helps us easily identify what common name the certificates should be presenting.

Service configuration

  • courier: /etc/courier/imapd-ssl and /etc/courier/pop3d-ssl (courier reads the key and the full chain from the single combined file):
    TLS_CERTFILE=/etc/ssl/private/HOST.mayfirst.org.pem

  • apache: /etc/apache2/sites-available/HOST.mayfirst.org.ssl (Apache directives take a space, not "="; the chain file can point at the same .crt because that file already holds the intermediary certificates after the EE certificate):
    SSLCertificateFile /etc/ssl/HOST.mayfirst.org.crt
    SSLCertificateChainFile /etc/ssl/HOST.mayfirst.org.crt
    SSLCertificateKeyFile /etc/ssl/private/HOST.mayfirst.org.pem

  • postfix: /etc/postfix/main.cf:
    smtpd_tls_cert_file=/etc/ssl/HOST.mayfirst.org.crt
    smtpd_tls_key_file=/etc/ssl/private/HOST.mayfirst.org.pem