Certificate Management¶

Prerequisites¶

Access to a Certificate Authority (Vault in this course)
OpenSSL installed

Procedure: Generate a Private Key¶

When to use: Starting the process of obtaining a new SSL/TLS certificate.

Steps:

Generate a 2048-bit RSA private key:

openssl genrsa -out /etc/pki/tls/private/mysite.key 2048

Secure the key permissions:

chmod 600 /etc/pki/tls/private/mysite.key

Troubleshooting:

"Permission denied": You must be root to write to /etc/pki/tls/private/.

Procedure: Create a Certificate Signing Request¶

When to use: Asking a Certificate Authority (CA) to sign your public key.

Steps:

Create CSR using the existing private key:

openssl req -new -key /etc/pki/tls/private/mysite.key -out mysite.csr

Fill in the prompts:
- Common Name (CN): The exact domain name (e.g., mysite.example.com).
- Other fields: Country, State, Org, etc.

Verify the CSR content:

openssl req -text -noout -verify -in mysite.csr

Troubleshooting:

Typo in Common Name: You must regenerate the CSR.

Procedure: Sign a Certificate via Vault¶

When to use: In the lab environment, using the internal Vault CA to sign certificates.

Option A: Web UI (recommended for first-time setup)¶

Open https://vault.sysadm.ee in your browser.
Select LDAP authentication and log in with your University of Tartu credentials.
Navigate to the pki secrets engine → sysadm.ee role.
Enter the Common Name (e.g., *.myvm.sysadm.ee for a wildcard, or blog.myvm.sysadm.ee for a single domain). If using a wildcard, also add the bare domain (myvm.sysadm.ee) in the Alt Names field — wildcards do not match the domain itself, only subdomains.
Ensure format is PEM, then click Generate.
Save all three outputs:
- Certificate → /etc/pki/tls/certs/server.crt
- Private key → /etc/pki/tls/private/server.key
- CA chain → /etc/pki/tls/certs/ca-chain.crt
Once you close the window, Vault will not display the data again. If you lose it, generate a new certificate.

Option B: CLI¶

Authenticate with Vault:

export VAULT_ADDR='https://vault.sysadm.ee'
vault login -method=ldap username=<your-username>

Issue a certificate (include bare domain as alt_names for wildcards):

vault write pki/issue/sysadm.ee \
    common_name="*.myvm.sysadm.ee" \
    alt_names="myvm.sysadm.ee" \
    ttl=168h

Save the outputs (certificate, private_key, ca_chain) to the appropriate files.

Get the CA chain separately (if needed):

vault read -field=issuing_ca pki/cert/ca_chain > /etc/pki/tls/certs/ca-chain.crt

Troubleshooting:

"permission denied": Token expired or invalid path. Re-authenticate with vault login.
"connection refused": Check VAULT_ADDR and network connectivity to vault.sysadm.ee.
CA chain has commas between certificates: The chain must be in PEM format with newline-separated blocks, not comma-separated.

Procedure: Install a Certificate in Apache¶

When to use: Enabling HTTPS for a website.

Steps:

Install mod_ssl if not already installed:
```
dnf install mod_ssl
```

Add an HTTPS VirtualHost block to your existing configuration:

<VirtualHost *:443>
    ServerName mysite.sysadm.ee
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/server.crt
    SSLCertificateKeyFile /etc/pki/tls/private/server.key
    SSLCACertificateFile /etc/pki/tls/certs/ca-chain.crt
    # ... rest of virtual host config
</VirtualHost>

Test and reload:

apachectl configtest
systemctl reload httpd

Troubleshooting:

"Key mismatch": The certificate does not match the private key. Use openssl x509 -noout -modulus -in mysite.crt | openssl md5 and compare with the key modulus.

Procedure: Install a Certificate in Postfix/Dovecot¶

When to use: Securing mail server connections (STARTTLS/IMAPS).

Steps:

Postfix (/etc/postfix/main.cf):

smtpd_tls_cert_file = /etc/pki/tls/certs/server.crt
smtpd_tls_key_file = /etc/pki/tls/private/server.key
smtpd_tls_CAfile = /etc/pki/tls/certs/ca-chain.crt
smtpd_tls_security_level = may

Dovecot (/etc/dovecot/conf.d/10-ssl.conf):

ssl = yes
ssl_cert = </etc/pki/tls/certs/server.crt
ssl_key = </etc/pki/tls/private/server.key

Restart services:
```
systemctl restart postfix dovecot
```

Troubleshooting:

Mail clients verify failed: Ensure the CA chain is correct and client trusts the CA.

Quick Reference¶

Action	Command
Gen Key	`openssl genrsa -out key 2048`
Gen CSR	`openssl req -new -key key -out csr`
View Cert	`openssl x509 -text -noout -in crt`
Verify Key/Cert	Check md5 of modulus
Vault Sign (CLI)	`vault write pki/issue/sysadm.ee common_name="*.vm.sysadm.ee" alt_names="vm.sysadm.ee"`
Vault Sign (Web)	`https://vault.sysadm.ee` → pki → sysadm.ee
Verify TLS	`openssl s_client -connect host:port -CAfile ca-chain.crt`

Technologies: Apache HTTPD, Postfix, Dovecot
Concepts: TLS and Certificates

Certificate Management¶

Prerequisites¶

Procedure: Generate a Private Key¶

Procedure: Create a Certificate Signing Request¶

Procedure: Sign a Certificate via Vault¶

Option A: Web UI (recommended for first-time setup)¶

Option B: CLI¶

Procedure: Install a Certificate in Apache¶

Procedure: Install a Certificate in Postfix/Dovecot¶

Quick Reference¶

Related Documentation¶