From 7d867d25e22f0c86310f2332da827402900e3116 Mon Sep 17 00:00:00 2001
From: Zhang Huangbin
Run the openssl command below. Warning: do NOT use a key length smaller than 2048 bits, it's insecure. This command will generate two files:
# openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
+
# openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out server.csr
-
server.key: the private key for your SSL certificate.
privkey.pem: the private key for your SSL certificate.
server.csr: the certificate signing request (CSR) file used to apply for your SSL certificate. This file is required by the SSL certificate provider.
With a certificate issued for domain.com, you will receive a warning if accessing a site named www.domain.com or secure.domain.com, because www.domain.com and secure.domain.com are different from domain.com.
Now you have two files: server.key and server.csr. Go to the website of
+
Now you have two files: privkey.pem and server.csr. Go to the website of
your preferred SSL provider; it will ask you to upload the server.csr file to issue an SSL certificate.
Usually, the SSL provider will give you 2 files:
server.ca-bundle
We need the above 2 files, and server.key. Upload them to your server; you can
+
We need the above 2 files, and privkey.pem. Upload them to your server; you can
store them in any directory you like. Recommended directories are: server.crt and server.ca-bundle should be placed under
- /etc/pki/tls/certs/
, server.key should be under /etc/pki/tls/private/. server.crt and server.ca-bundle should be
- placed under /etc/ssl/certs/
, server.key should be under /etc/ssl/private/. cert.pem and fullchain.pem should be placed under
+ /etc/pki/tls/certs/
, privkey.pem should be under /etc/pki/tls/private/. cert.pem and fullchain.pem should be
+ placed under /etc/ssl/certs/
, privkey.pem should be under /etc/ssl/private/.
/etc/ssl/
We can use the postconf command to update SSL related settings directly:
postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/server.crt'
-postconf -e smtpd_tls_key_file='/etc/pki/tls/private/server.key'
-postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
+postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/cert.pem'
+postconf -e smtpd_tls_key_file='/etc/pki/tls/private/privkey.pem'
+postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/fullchain.pem'
Restarting Postfix service is required.
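Review bot: in the Postfix lines, cert.pem goes into smtpd_tls_cert_file while fullchain.pem goes into smtpd_tls_CAfile; Postfix takes the intermediate certificates it sends to clients from the certificate file itself, so the simpler and more robust setting is `postconf -e smtpd_tls_cert_file='/etc/pki/tls/certs/fullchain.pem'` with smtpd_tls_CAfile left unset unless client certificates are being verified. Two smaller points in the same hunk: the text still says "Usually, the SSL provider will give you 2 files" and lists server.ca-bundle, which (per the nginx section below) is the chain to be concatenated after the server certificate, whereas fullchain.pem, as the name suggests, already starts with the server certificate, so that paragraph should state which delivered file becomes cert.pem and which becomes fullchain.pem; and because the openssl command uses -nodes, privkey.pem is written unencrypted into the current directory, so the text should tell the reader to restrict it (mode 0600, owned by root) before moving it under /etc/pki/tls/private/.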
@@ -132,9 +132,9 @@ postconf -e smtpd_tls_CAfile='/etc/pki/tls/certs/server.ca-bundle'
/etc/dovecot/dovecot.conf
(Linux/OpenBSD) or
/usr/local/etc/dovecot/dovecot.conf
(FreeBSD):
ssl = required
-ssl_cert = </etc/pki/tls/certs/server.crt
-ssl_key = </etc/pki/tls/private/server.key
-ssl_ca = </etc/pki/tls/certs/server.ca-bundle
+ssl_cert = </etc/pki/tls/certs/cert.pem
+ssl_key = </etc/pki/tls/private/privkey.pem
+ssl_ca = </etc/pki/tls/certs/fullchain.pem
Restarting Dovecot service is required.
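Review bot: Dovecot's ssl_ca is the trust store used to verify client certificates, not the chain presented to clients; Dovecot only sends intermediates that are present in the ssl_cert file. To keep the chain intact after the rename, use `ssl_cert = </etc/pki/tls/certs/fullchain.pem` and drop the ssl_ca line unless ssl_verify_client_cert is enabled. The change can be checked from outside with `openssl s_client -connect host:993` (constructed host name) and looking at the "Certificate chain" section for the intermediate.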
@@ -151,9 +151,9 @@ ssl_ca = </etc/pki/tls/certs/server.ca-bundle
ship Apache anymore.
Example:
-SSLCertificateFile /etc/pki/tls/certs/server.crt
-SSLCertificateKeyFile /etc/pki/tls/private/server.key
-SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
+SSLCertificateFile /etc/pki/tls/certs/cert.pem
+SSLCertificateKeyFile /etc/pki/tls/private/privkey.pem
+SSLCertificateChainFile /etc/pki/tls/certs/fullchain.pem
Restarting Apache service is required.
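Review bot: SSLCertificateChainFile is meant to hold only the intermediate certificates; if fullchain.pem begins with the server certificate, Apache will present the leaf twice. Since mod_ssl 2.4.8 SSLCertificateChainFile is deprecated and the chain is read from SSLCertificateFile, so `SSLCertificateFile /etc/pki/tls/certs/fullchain.pem` together with SSLCertificateKeyFile is sufficient and the ChainFile line can be removed; on older Apache keep the ChainFile but point it at a file containing the intermediates only.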
@@ -166,8 +166,8 @@ SSLCertificateChainFile /etc/pki/tls/certs/server.ca-bundle
listen 443;
...
ssl on;
- ssl_certificate /etc/pki/tls/certs/server.crt;
- ssl_certificate_key /etc/pki/tls/private/server.key;
+ ssl_certificate /etc/pki/tls/certs/cert.pem;
+ ssl_certificate_key /etc/pki/tls/private/privkey.pem;
...
}
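Review bot: nginx sends exactly the file that ssl_certificate names, so `ssl_certificate /etc/pki/tls/certs/cert.pem;` presents the leaf without its intermediates and clients that have not cached the intermediate will fail validation. Point ssl_certificate at fullchain.pem directly (or at the chained file built in the next hunk), which also makes the concatenation step there unnecessary.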
@@ -182,7 +182,7 @@ bundle of chained certificates which should be concatenated to the signed
server certificate. The server certificate must appear before the chained
certificates in the combined file:
# cd /etc/pki/tls/certs/
-# cat server.crt server.ca-bundle > server.chained.crt
+# cat cert.pem fullchain.pem > server.chained.crt
Then update ssl_certificate
parameter in /etc/nginx/conf.d/default.conf
:
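Review bot: `cat cert.pem fullchain.pem > server.chained.crt` duplicates the server certificate if fullchain.pem already begins with cert.pem, which is what a full chain normally contains; nginx would then send the leaf twice. Either concatenate cert.pem with an intermediates-only file, or skip the cat and set ssl_certificate to fullchain.pem. Whichever is chosen, the ordering rule in the text above ("The server certificate must appear before the chained certificates") can be verified with `openssl crl2pkcs7 -nocrl -certfile server.chained.crt | openssl pkcs7 -print_certs -noout`, which prints the subject and issuer of each certificate in file order.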
@@ -206,9 +206,9 @@ network, this is OPTIONAL.
[mysqld]
-ssl-ca = /etc/pki/tls/certs/server.ca-bundle
-ssl-cert = /etc/pki/tls/certs/server.crt
-ssl-key = /etc/pki/tls/private/server.key
+ssl-ca = /etc/pki/tls/certs/fullchain.pem
+ssl-cert = /etc/pki/tls/certs/cert.pem
+ssl-key = /etc/pki/tls/private/privkey.pem
OpenLDAP
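Review bot: ssl-ca is MySQL's trust store, used to verify client certificates and to complete the server's chain, so it should hold the issuing CA certificates; a fullchain.pem that starts with the server's own cert.pem puts the leaf into the trust store where it serves no purpose. Prefer a file with the intermediates and root only. Separately, mysqld runs as the mysql user and must be able to read /etc/pki/tls/private/privkey.pem, so the key's owner/group and mode need to allow that account and nobody else; a world-readable private key is the usual shortcut to avoid here.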
@@ -222,9 +222,9 @@ network, this is OPTIONAL.
On FreeBSD, it's defined in /usr/local/etc/openldap/slapd.conf
.
On OpenBSD, it's defined in /etc/openldap/slapd.conf
.
-TLSCACertificateFile /etc/pki/tls/certs/server.ca-bundle
-TLSCertificateFile /etc/pki/tls/certs/server.crt
-TLSCertificateKeyFile /etc/pki/tls/private/server.key
+TLSCACertificateFile /etc/pki/tls/certs/fullchain.pem
+TLSCertificateFile /etc/pki/tls/certs/cert.pem
+TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
Restarting OpenLDAP service is required.
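Review bot: TLSCACertificateFile is used both to build the chain slapd sends and to verify client certificates, so it should contain the issuing CA certificates; if fullchain.pem begins with the server's own cert.pem the duplicated leaf is harmless but does nothing useful, and an intermediates/root-only file is the cleaner choice. Also, slapd drops privileges to the ldap user after start, so privkey.pem under /etc/pki/tls/private/ must be readable by that account (and not world-readable); a "could not load key" style failure at startup after this change usually means the directory or file mode blocks it.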
@@ -238,7 +238,7 @@ error message like Peer's Certificate issuer is not recognized
.
On FreeBSD, it's defined in /usr/local/etc/openldap/ldap.conf
.
On OpenBSD, it's defined in /etc/openldap/ldap.conf
.
-TLS_CACERT /etc/pki/tls/certs/server.ca-bundle
+TLS_CACERT /etc/pki/tls/certs/fullchain.pem
To connect with TLS, please run ldapsearch
with argument -Z
and use
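Review bot: TLS_CACERT is the client-side trust anchor, so what goes here decides whether the "Peer's Certificate issuer is not recognized" error mentioned above actually goes away. If fullchain.pem holds only the server certificate and intermediates but not the root CA, OpenSSL-based clients may still reject the chain because it does not terminate in a trusted self-signed root; point TLS_CACERT at the root CA certificate (or the system CA bundle) instead, keep TLS_REQCERT at demand (the default), and re-test with `ldapsearch -Z` as the text suggests.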