openssl command:Warning
Do NOT use key length smaller than 2048 bit, it's insecure.
# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
+# openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out server.csr
This command will generate two files:
-server.key: the private key for the decryption of your SSL certificate.privkey.pem: the private key for the decryption of your SSL certificate.server.csr: the certificate signing request (CSR) file used to apply
for your SSL certificate. This file is required by SSL certificate
provider.domain.com will receive a warning if accessing a site named www.domain.com
or secure.domain.com, because www.domain.com and secure.domain.com are
different from domain.com.
-Now you have two files: server.key and server.csr. Go to the website of
+
Now you have two files: privkey.pem and server.csr. Go to the website of
your preferred SSL privider, it will ask you to upload server.csr file to
issue an SSL certificate.
Usually, SSL provider will give you 2 files:
-- server.crt
-- server.ca-bundle
+- cert.pem
+- fullchain.pem (some SSL providers use name
server.ca-bundle)
-We need above 2 files, and server.key. Upload them to your server, you can
+
We need above 2 files, and privkey.pem. Upload them to your server, you can
store them in any directory you like, recommended directories are:
-- on RHEL/CentOS:
server.crt and server.ca-bundle should be placed under
- /etc/pki/tls/certs/, server.key should be /etc/pki/tls/private/.
-- on Debian/Ubuntu, FreeBSD:
server.crt and server.ca-bundle should be
- placed under /etc/ssl/certs/, server.key should be /etc/ssl/private/.
+- on RHEL/CentOS:
cert.pem and fullchain.pem should be placed under
+ /etc/pki/tls/certs/, privkey.pem should be /etc/pki/tls/private/.
+- on Debian/Ubuntu, FreeBSD:
cert.pem and fullchain.pem should be
+ placed under /etc/ssl/certs/, privkey.pem should be /etc/ssl/private/.
- on OpenBSD:
/etc/ssl/.
Configure Postfix/Dovecot/Apache/Nginx to use bought SSL certificate
@@ -121,9 +121,9 @@ store them in any directory you like, recommended directories are:
one on your server according to above description.
Postfix (SMTP server)
We can use postconf command to update SSL related settings directly:
-
postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/server.crt'
-postconf -e smtpd_tls_key_file='/etc/pki/tls/private/server.key'
-postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
+postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/cert.pem'
+postconf -e smtpd_tls_key_file='/etc/pki/tls/private/privkey.pem'
+postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/fullchain.pem'
Restarting Postfix service is required.
@@ -132,9 +132,9 @@ postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
/etc/dovecot/dovecot.conf (Linux/OpenBSD) or
/usr/local/etc/dovecot/dovecot.conf (FreeBSD):
ssl = required
-ssl_cert = </etc/pki/tls/certs/server.crt
-ssl_key = </etc/pki/tls/private/server.key
-ssl_ca = </etc/pki/tls/certs/server.ca-bundle
+ssl_cert = </etc/pki/tls/certs/cert.pem
+ssl_key = </etc/pki/tls/private/privkey.pem
+ssl_ca = </etc/pki/tls/certs/fullchain.pem
Restarting Dovecot service is required.
@@ -151,9 +151,9 @@ ssl_ca = </etc/pki/tls/certs/server.ca-bundle
ship Apache anymore.
Example:
-SSLCertificateFile /etc/pki/tls/certs/server.crt
-SSLCertificateKeyFile /etc/pki/tls/private/server.key
-SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
+SSLCertificateFile /etc/pki/tls/certs/cert.pem
+SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
+SSLCertificateChainFile /etc/pki/tls/certs/fullchain.pem
Restarting Apache service is required.
@@ -166,8 +166,8 @@ SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
listen 443;
...
ssl on;
- ssl_certificate /etc/pki/tls/certs/server.crt;
- ssl_certificate_key /etc/pki/tls/private/server.key;
+ ssl_certificate /etc/pki/tls/certs/cert.pem;
+ ssl_certificate_key /etc/pki/tls/private/privkey.pem;
...
}
@@ -182,7 +182,7 @@ bundle of chained certificates which should be concatenated to the signed
server certificate. The server certificate must appear before the chained
certificates in the combined file:
# cd /etc/pki/tls/certs/
-# cat server.crt server.ca-bundle > server.chained.crt
+# cat cert.pem fullchain.pem > server.chained.crt
Then update ssl_certificate parameter in /etc/nginx/conf.d/default.conf:
@@ -206,9 +206,9 @@ network, this is OPTIONAL.
[mysqld]
-ssl-ca = /etc/pki/tls/certs/server.ca-bundle
-ssl-cert = /etc/pki/tls/certs/server.crt
-ssl-key = /etc/pki/tls/private/server.key
+ssl-ca = /etc/pki/tls/certs/fullchain.pem
+ssl-cert = /etc/pki/tls/certs/cert.pem
+ssl-key = /etc/pki/tls/private/privkey.pem
OpenLDAP
@@ -222,9 +222,9 @@ network, this is OPTIONAL.
On FreeBSD, it's defined in /usr/local/etc/openldap/slapd.conf.
On OpenBSD, it's defined in /etc/openldap/slapd.conf.
-TLSCACertificateFile /etc/pki/tls/certs/server.ca-bundle
-TLSCertificateFile /etc/pki/tls/certs/server.crt
-TLSCertificateKeyFile /etc/pki/tls/private/server.key
+TLSCACertificateFile /etc/pki/tls/certs/fullchain.pem
+TLSCertificateFile /etc/pki/tls/certs/cert.pem
+TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
Restarting OpenLDAP service is required.
@@ -238,7 +238,7 @@ error message like Peer's Certificate issuer is not recognized.
On FreeBSD, it's defined in /usr/local/etc/openldap/ldap.conf.
On OpenBSD, it's defined in /etc/openldap/ldap.conf.
-TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
+TLS_CACERT /etc/pki/tls/certs/fullchain.pem
To connect with TLS, please run ldapsearch with argument -Z and use