To use the SSL/TLS verification and encryption features of OpenSSL-based certificates for email, web, LDAP, database and similar services, certificates need to be created, signed, installed, and chained to a valid certificate authority. Many people use self-signed certificates just to get verification and encryption for their own use. At the present time it is possible to obtain a path to a free certificate authority: StartSSL provides free certificate signing to secure personal web sites, public forums or web mail.
To use StartSSL's services, you first need to create an account with them, which is reasonably
painless. If you own your own domain and email solution, you can get your domain validated.
The basic criterion is that you have access to postmaster, webmaster or hostmaster at yourdomain.com.
Once you've validated your domain, you can start getting certificates signed. StartSSL's root
certificate is included with recent OpenSSL releases.
There are several ways to create a certificate and generate the associated signing request.
DigiCert provides a page that will help generate the openssl command to create the key and .csr (signing request)
files. The most important item is the 'Common Name': it needs to be the FQDN (Fully
Qualified Domain Name) of your server, like 'mail.example.com'. For Certificate Authorities offering
a wild-card certificate, which can be placed on multiple servers, the FQDN would
be something like '*.example.com'. The request comes out looking like this (where .key is the
generated private key, and .csr is the signing request to be sent to the Certificate Authority):
openssl req -new -newkey rsa:2048 \
-nodes -out mail_example_com.csr \
-keyout mail_example_com.key \
-subj "/C=US/ST=NV/L=Las Vegas/O=Example Co./CN=mail.example.com"
You can take a look at the .csr (Certificate Signing Request) by:
openssl req -text -noout -in mail_example_com.csr
Take a look at the .key file by:
openssl rsa -text -noout -in mail_example_com.key
Be aware that the key generated above has no password protecting it. Therefore ensure
the .key file is readable only by the accounts that require access to it.
The two-step manual way to generate an RSA private key and signing request is:
openssl genrsa -out mail_example_com.key 2048
openssl req -new -key mail_example_com.key -out mail_example_com.csr
For the second of the two commands, openssl will prompt for a number of pieces of
information: Country Code, State or Province Name, City, Organization, Unit (which can be
left blank), Common Name (Fully Qualified Domain Name, or a wild-carded FQDN),
Email Address (which can be left blank, but use something valid anyway, as a default
may be inserted by the signing authority), a challenge Password (which should be left empty if the
key is used by services that start without operator interaction), and an optional Company Name (left blank).
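The following script is an added example (not part of the original page) that wraps both the one-step and the two-step procedures above into functions and adds the checks worth running before the .csr leaves your hands: the key file is created with mode 0600 from the outset (the page's point about the unprotected key), the CSR carries the FQDN both as Common Name and as a Subject Alternative Name, and the CSR is confirmed to belong to the key it sits beside. It assumes a POSIX sh and an openssl command line (1.1.1 or later); the names mail.example.com and "Example Co." are constructed placeholders.

```shell
#!/bin/sh
# Added example: non-interactive key + CSR generation with a SAN, plus sanity
# checks on the result. File base names and the subject values are constructed.

# make_key_and_csr BASE FQDN ORG
# Writes BASE.key (2048-bit RSA, no passphrase, mode 0600) and BASE.csr whose
# Common Name and subjectAltName are both FQDN.
make_key_and_csr() {
    base=$1; fqdn=$2; org=$3
    # umask 077 in a subshell: the key is 0600 from the moment it exists,
    # so there is no window in which other accounts could read it.
    ( umask 077 && openssl genrsa -out "$base.key" 2048 2>/dev/null ) || return 1
    # A small req config in place of the interactive prompts; req_extensions
    # adds the SAN, which clients check in preference to the CN.
    cat > "$base.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = ext
prompt = no
[dn]
C = US
ST = NV
L = Las Vegas
O = $org
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -key "$base.key" -out "$base.csr" -config "$base.cnf"
}

# csr_matches_key BASE: succeeds only if the public key inside BASE.csr is
# the public half of BASE.key (catches a CSR made against a stale key).
csr_matches_key() {
    a=$(openssl req -in "$1.csr" -noout -pubkey)
    b=$(openssl pkey -in "$1.key" -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# key_is_private BASE: succeeds if BASE.key is exactly mode 0600.
key_is_private() {
    [ -n "$(find "$1.key" -perm 0600 -print)" ]
}

# csr_cn BASE: prints the Common Name from the CSR subject
# (handles both the "CN = x" and "/CN=x" output styles of openssl).
csr_cn() {
    openssl req -in "$1.csr" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_san BASE: prints the DNS entries requested in the subjectAltName.
csr_san() {
    openssl req -in "$1.csr" -noout -text | grep -o 'DNS:[^, ]*'
}

# Demo in a scratch directory so nothing is left behind.
demo() {
    dir=$(mktemp -d)
    (
        cd "$dir" || exit 1
        make_key_and_csr mail_example_com mail.example.com "Example Co." || exit 1
        csr_matches_key mail_example_com && echo "CSR matches key"
        key_is_private mail_example_com && echo "key is mode 0600"
        printf 'CN=%s SAN=%s\n' "$(csr_cn mail_example_com)" "$(csr_san mail_example_com)"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

The page's one-step command (`openssl req -new -newkey ...`) and the two-step `genrsa` + `req` sequence produce the same two files; the config-file form is used here only so the SAN can be requested without interactive prompts.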
The content of the .csr file can then be sent to the Certificate Authority for signing.
After sending my file to StartSSL, they say it may take up to six hours to approve the request.
It was actually returned in under an hour.
The content of a signed certificate (a .crt, .cert, or .pem file) can be viewed with:
openssl x509 -in mail_example_com.crt -noout -text
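Viewing the signed certificate is the first step; the following added example (not from the original page) shows the checks to run on it before installation: that its public key is the public half of the .key generated earlier, that a client starting from the CA's published root can build a chain to it, and that it is not about to expire. To run offline, the script builds a throwaway self-signed CA and signs a CSR itself; with a real CA you would skip make_test_ca and sign_csr and point cert_chain_ok at the CA's chain file. It assumes a POSIX sh and openssl 1.1.1 or later; all names ("Example Test CA", mail.example.com) are constructed.

```shell
#!/bin/sh
# Added example: post-signing checks on a certificate, with a constructed
# test CA standing in for the real signing authority.

# make_test_ca BASE CN: self-signed CA cert BASE.crt and key BASE.key,
# valid one day, marked as a CA so verify will accept it as an issuer.
make_test_ca() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = $2
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" -config "$1.cnf" 2>/dev/null
}

# sign_csr CABASE CSR OUTCRT DAYS: issue a certificate from CSR under the CA.
sign_csr() {
    openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days "$4" -out "$3" 2>/dev/null
}

# cert_matches_key CRT KEY: the certificate's public key is the public half
# of KEY; a certificate installed beside the wrong key fails every handshake.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey)
    b=$(openssl pkey -in "$2" -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_chain_ok CAFILE CRT: build a path from CRT to a root in CAFILE, the
# same check a connecting client performs. Exit status is the verdict.
cert_chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_valid_for_days CRT N: succeeds if CRT is still valid N days from now
# (-checkend exits 1 when the certificate expires within the given seconds).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# cert_subject_cn CRT: prints the Common Name from the certificate subject.
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Demo in a scratch directory; nothing is left behind.
demo() {
    dir=$(mktemp -d)
    (
        cd "$dir" || exit 1
        make_test_ca testca "Example Test CA" || exit 1
        make_test_ca otherca "Unrelated CA" || exit 1
        # The page's own one-step key + CSR command, with a constructed subject.
        openssl req -new -newkey rsa:2048 -nodes -out srv.csr -keyout srv.key \
            -subj "/CN=mail.example.com" 2>/dev/null || exit 1
        sign_csr testca srv.csr srv.crt 30 || exit 1
        cert_matches_key srv.crt srv.key && echo "certificate matches srv.key"
        cert_chain_ok testca.crt srv.crt && echo "chain verifies against issuing CA"
        cert_chain_ok otherca.crt srv.crt || echo "chain rejected against unrelated CA"
        cert_valid_for_days srv.crt 7 && echo "valid for at least 7 more days"
        echo "subject CN: $(cert_subject_cn srv.crt)"
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
demo
```

cert_chain_ok is the check that matters most for a certificate from StartSSL or any other public CA: if it fails against the CA's published chain, clients will fail in the same way, usually because an intermediate certificate is missing from the file you are about to install.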