Renew certificates for Postfix and Courier on ISPConfig
mx1 ~ # cd /root/ssl-zertifikat/
mx1 ~/ssl-zertifikat # mkdir ./archiv/2016
mx1 ~/ssl-zertifikat # mv ./* ./archiv/2016
mx1 ~/ssl-zertifikat # openssl genrsa -des3 -out mx1.wiretrip.de.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for mx1.wiretrip.de.key:
Verifying - Enter pass phrase for mx1.wiretrip.de.key:
mx1 ~/ssl-zertifikat # openssl req -new -key mx1.wiretrip.de.key -out mx1.wiretrip.de.csr
Enter pass phrase for mx1.wiretrip.de.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:BY
Locality Name (eg, city) []:NUREMBERG
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WIRETRIP WEB ARCHITECTURE
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:mx1.wiretrip.de
Email Address []:----@wiretrip.de
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:WIRETRIP WEB ARCHITECTURE
mx1 ~/ssl-zertifikat # openssl x509 -req -days 365 -in mx1.wiretrip.de.csr -signkey mx1.wiretrip.de.key -out mx1.wiretrip.de.crt
Signature ok
subject=/C=DE/ST=BY/L=NUREMBERG/O=WIRETRIP WEB ARCHITECTURE/OU=IT/CN=mx1.wiretrip.de/emailAddress=----@wiretrip.de
Getting Private key
Enter pass phrase for mx1.wiretrip.de.key
mx1 ~/ssl-zertifikat # openssl rsa -in mx1.wiretrip.de.key -out mx1.wiretrip.de.key.nopass
Enter pass phrase for mx1.wiretrip.de.key:
writing RSA key
mx1 ~/ssl-zertifikat # mv mx1.wiretrip.de.key.nopass mx1.wiretrip.de.key
mx1 ~/ssl-zertifikat # openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
Generating a 2048 bit RSA private key
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:BY
Locality Name (eg, city) []:NUREMBERG
Organization Name (eg, company) [Internet Widgits Pty Ltd]:WIRETRIP WEB ARCHITECTURE
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:mx1.wiretrip.de
Email Address []:----@wiretrip.de
mx1 ~/ssl-zertifikat # cd /etc/postfix/
mx1 /etc/postfix # mv smtpd.cert smtpd.cert.old
mx1 /etc/postfix # mv smtpd.key smtpd.key.old
mx1 /etc/postfix # cp -a /root/ssl-zertifikat/mx1.wiretrip.de.crt ./
mx1 /etc/postfix # cp -a /root/ssl-zertifikat/mx1.wiretrip.de.key ./
mx1 /etc/postfix # chmod 600 ./mx1.wiretrip.de.key
mx1 /etc/postfix # chmod 600 ./mx1.wiretrip.de.crt
mx1 /etc/postfix # mv mx1.wiretrip.de.crt ./smtpd.cert
mx1 /etc/postfix # mv mx1.wiretrip.de.key ./smtpd.key
mx1 /etc/postfix # /etc/init.d/postfix restart
[ ok ] Stopping Postfix Mail Transport Agent: postfix.
[ ok ] Starting Postfix Mail Transport Agent: postfix.
mx1 /etc/postfix # cd /etc/courier
mx1 /etc/courier # rm -f /etc/courier/imapd.pem
mx1 /etc/courier # rm -f /etc/courier/pop3d.pem
mx1 /etc/courier # vim /etc/courier/imapd.cnf
mx1 /etc/courier # vim /etc/courier/pop3d.cnf
mx1 /etc/courier :( # rm -f /usr/lib/courier/imapd.pem
mx1 /etc/courier # rm -f /usr/lib/courier/pop3d.pem
mx1 /etc/courier # mkimapdcert
Generating a 1024 bit RSA private key
writing new private key to '/usr/lib/courier/imapd.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
subject= /C=DE/ST=BY/L=NUERNBERG/O=WIRETRIP WEB ARCHITECTURE/OU=IT/CN=mx1.wiretrip.de/emailAddress=----@wiretrip.de
notBefore=Sep 15 14:05:59 2014 GMT
notAfter=Sep 15 14:05:59 2015 GMT
mx1 /etc/courier # mkpop3dcert
Generating a 1024 bit RSA private key
writing new private key to '/usr/lib/courier/pop3d.pem'
-----
1024 semi-random bytes loaded
Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
subject= /C=DE/ST=BY/L=NUERNBERG/O=WIRETRIP WEB ARCHITECTURE/OU=IT/CN=mx1.wiretrip.de/emailAddress=----@wiretrip.de
notBefore=Sep 15 14:06:13 2014 GMT
notAfter=Sep 15 14:06:13 2015 GMT
mx1 /etc/courier # cp -a /usr/lib/courier/pop3d.pem ./
mx1 /etc/courier # cp -a /usr/lib/courier/imapd.pem ./
mx1 /etc/courier # /etc/init.d/courier-imap-ssl restart
mx1 /etc/courier # /etc/init.d/courier-pop-ssl restart
mx1 /etc/courier # /etc/init.d/courier-imap restart
mx1 /etc/courier # /etc/init.d/courier-pop restart
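As an added example that is not part of the original post: a small sh script that checks a renewed cert/key pair the way you would before the Postfix restart above (key matches cert, passphrase really stripped, key size, remaining validity). It assumes openssl is on the path and constructs its own throwaway key and self-signed certificate in a temp directory in place of the real mx1.wiretrip.de files; the file names smtpd.cert and smtpd.key follow the post.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a cert/key pair
# before installing it as /etc/postfix/smtpd.cert and smtpd.key. Needs openssl.

# 0 if the certificate's public key matches the private key, so a renewed
# smtpd.cert is never installed next to an old or foreign smtpd.key.
pair_matches() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl md5)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the key still carries a passphrase; Postfix cannot load it unattended,
# which is why the post strips it with 'openssl rsa ... -out ...nopass'.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

# Print the RSA modulus size in bits (matches both 1.x and 3.x output).
key_bits() {
    openssl rsa -noout -text -in "$1" 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# 0 if the certificate is still valid at least $2 days from now.
valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Constructed sample: a throwaway 2048-bit key and one-year self-signed
# certificate written into directory $1 (stand-in for the real files).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=mx1.example.test" -keyout "$1/smtpd.key" \
        -out "$1/smtpd.cert" >/dev/null 2>&1
}

# Run every check on cert $1 and key $2; 0 only if all of them pass.
check_pair() {
    pair_matches "$1" "$2"          || { echo "key/cert mismatch"; return 1; }
    ! key_is_encrypted "$2"         || { echo "key still has a passphrase"; return 1; }
    [ "$(key_bits "$2")" -ge 2048 ] || { echo "key shorter than 2048 bits"; return 1; }
    valid_for_days "$1" 30          || { echo "cert expires within 30 days"; return 1; }
    echo "ok: $(openssl x509 -noout -enddate -in "$1")"
}

# Stand-alone demo on the constructed sample pair.
if command -v openssl >/dev/null; then
    d=$(mktemp -d) && make_sample_pair "$d" && check_pair "$d/smtpd.cert" "$d/smtpd.key"
    rm -rf "$d"
fi
```

Run check_pair against the real files once they are in /etc/postfix and only restart Postfix when it prints ok.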