
Certificate Management

Prerequisites

  • Access to a Certificate Authority (Vault in this course)
  • OpenSSL installed

Procedure: Generate a Private Key

When to use: Starting the process of obtaining a new SSL/TLS certificate.

Steps:

  1. Generate a 2048-bit RSA private key:

    openssl genrsa -out /etc/pki/tls/private/mysite.key 2048
    

  2. Secure the key permissions:

    chmod 600 /etc/pki/tls/private/mysite.key
    

Troubleshooting:

  • "Permission denied": You must be root to write to /etc/pki/tls/private/.

Procedure: Create a Certificate Signing Request

When to use: Asking a Certificate Authority (CA) to sign your public key.

Steps:

  1. Create CSR using the existing private key:

    openssl req -new -key /etc/pki/tls/private/mysite.key -out mysite.csr
    

  2. Fill in the prompts:

    • Common Name (CN): The exact domain name (e.g., mysite.example.com).
    • Other fields: Country, State, Org, etc.

  3. Verify the CSR content:

    openssl req -text -noout -verify -in mysite.csr
    

Troubleshooting:

  • Typo in Common Name: You must regenerate the CSR.

Procedure: Sign a Certificate via Vault

When to use: In the lab environment, using the internal Vault CA to sign certificates.

Steps:

  1. Authenticate with Vault:

    export VAULT_ADDR='https://172.17.64.129:8200'
    export VAULT_TOKEN='<your-token>'
    

  2. Submit CSR and save the certificate:

    vault write -field=certificate pki_int/sign/example-dot-com \
        csr=@mysite.csr \
        common_name="mysite.example.com" \
        ttl=8760h > /etc/pki/tls/certs/mysite.crt
    

  3. Get the CA chain (Issuer):

    vault read -field=issuing_ca pki_int/cert/ca_chain > /etc/pki/tls/certs/ca_chain.crt
    

Troubleshooting:

  • "permission denied": Token expired or invalid path.
  • "connection refused": Check VAULT_ADDR and network connectivity.

Procedure: Install a Certificate in Apache

When to use: Enabling HTTPS for a website.

Steps:

  1. Edit the VirtualHost config (ensure mod_ssl is installed):

    <VirtualHost *:443>
        ServerName mysite.example.com
        SSLEngine on
        SSLCertificateFile /etc/pki/tls/certs/mysite.crt
        SSLCertificateKeyFile /etc/pki/tls/private/mysite.key
        SSLCertificateChainFile /etc/pki/tls/certs/ca_chain.crt
    </VirtualHost>
    

  2. Test and reload:

    apachectl configtest
    systemctl reload httpd
    

Troubleshooting:

  • "Key mismatch": The certificate does not match the private key. Use openssl x509 -noout -modulus -in mysite.crt | openssl md5 and compare with the key modulus.

Procedure: Install a Certificate in Postfix/Dovecot

When to use: Securing mail server connections (STARTTLS/IMAPS).

Steps:

  1. Postfix (/etc/postfix/main.cf):

    smtpd_tls_cert_file = /etc/pki/tls/certs/mysite.crt
    smtpd_tls_key_file = /etc/pki/tls/private/mysite.key
    smtpd_tls_CAfile = /etc/pki/tls/certs/ca_chain.crt
    smtpd_tls_security_level = may
    

  2. Dovecot (/etc/dovecot/conf.d/10-ssl.conf):

    ssl = yes
    ssl_cert = </etc/pki/tls/certs/mysite.crt
    ssl_key = </etc/pki/tls/private/mysite.key
    

  3. Restart services:

    systemctl restart postfix dovecot
    

Troubleshooting:

  • Mail client certificate verification fails: Ensure the CA chain is correct and that the client trusts the CA.
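The two troubleshooting items that matter most after issuance, the Apache "Key mismatch" check and the mail-client chain check, can be scripted. The following is an added example, not part of the course page: it compares the public key in the certificate with the one derived from the private key (equivalent to the md5-of-modulus comparison), then verifies the chain against ca_chain.crt, the hostname and the remaining validity. It builds its own throwaway CA and leaf certificate with openssl so it runs offline; the file names mirror the procedures above, and nothing here contacts Vault.

```shell
#!/bin/sh
# Post-issuance checks for the key / certificate / CA-chain triple consumed by
# the Apache, Postfix and Dovecot steps above. Plain openssl, no Vault needed.
set -eu

# 0 when the public key inside CRT is the one derived from KEY. For RSA this
# equals the md5-of-modulus check from Troubleshooting; it also works for EC.
cert_matches_key() {                      # cert_matches_key CRT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout)" ]
}

# 0 when CRT chains to CHAIN, is valid for HOST (SAN, or CN as fallback) and
# does not expire within DAYS days.
cert_valid_for() {                        # cert_valid_for CRT CHAIN HOST DAYS
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkend "$(( $4 * 86400 ))" >/dev/null 2>&1
}

# Constructed fixture, not lab data: a throwaway root CA, a leaf it issued for
# mysite.example.com (file names mirror the procedures) and an unrelated key.
make_sample_pki() {                       # make_sample_pki DIR
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Lab Test CA" -keyout "$1/ca.key" -out "$1/ca_chain.crt"
    openssl genrsa -out "$1/mysite.key" 2048
    openssl req -new -config "$1/req.cnf" -key "$1/mysite.key" \
        -subj "/CN=mysite.example.com" -out "$1/mysite.csr"
    printf 'subjectAltName=DNS:mysite.example.com\n' > "$1/leaf.ext"
    openssl x509 -req -in "$1/mysite.csr" -CA "$1/ca_chain.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/leaf.ext" -out "$1/mysite.crt"
    openssl genrsa -out "$1/other.key" 2048
} 2>/dev/null

main() {
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    make_sample_pki "$d"
    cert_matches_key "$d/mysite.crt" "$d/mysite.key" && echo "mysite.key matches mysite.crt"
    cert_matches_key "$d/mysite.crt" "$d/other.key" || echo "other.key: Key mismatch"
    cert_valid_for "$d/mysite.crt" "$d/ca_chain.crt" mysite.example.com 30 &&
        echo "chain, hostname and expiry OK"
}
main
```

On a real host, call cert_matches_key and cert_valid_for with the paths from the procedures (/etc/pki/tls/certs/mysite.crt, /etc/pki/tls/private/mysite.key, /etc/pki/tls/certs/ca_chain.crt) before reloading httpd or restarting postfix and dovecot.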

Quick Reference

  Action           Command
  Gen Key          openssl genrsa -out key 2048
  Gen CSR          openssl req -new -key key -out csr
  View Cert        openssl x509 -text -noout -in crt
  Verify Key/Cert  Check md5 of modulus
  Vault Sign       vault write ...

  • Technologies: Apache HTTPD, Postfix
  • Concepts: TLS and Certificates