PSCS Wiki

User Tools

Site Tools

Trace:
how_to:create_an_ssl_certificate

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
how_to:create_an_ssl_certificate [2014/01/23 15:11] paulhow_to:create_an_ssl_certificate [2026/03/23 10:18] (current) – [Using OpenSSL] paul
Line 8: Line 8:
 VPOP3 requires certificates & private keys to be in .PEM (Privacy Enhanced Mail) format which is a common format used by most people other than Microsoft. There are ways to convert .P12 .PFX and .CER files to PEM format, but those are outside the scope of this article. VPOP3 requires certificates & private keys to be in .PEM (Privacy Enhanced Mail) format which is a common format used by most people other than Microsoft. There are ways to convert .P12 .PFX and .CER files to PEM format, but those are outside the scope of this article.
  
-There are many ways to generate a CSR, so if you have a favourite program to do that, which can produce the files in .PEM format, feel free to use that. Otherwise, you can use the [[http://www.pscs.co.uk/downloads/vpop3/vpop3gencert.zip|GenCert]] program from our website.+There are many ways to generate a CSR, so if you have a favourite program to do that, which can produce the files in .PEM format, feel free to use that. Otherwise, you can use OpenSSL - see below.
  
-Once you have generated the CSR you need to send it to a Certificate Authority. This is typically someone like GeoTrust, Verisign etc. They will charge you (typically somewhere betwee £80 to £800 per year) to sign the certificate, and you will need to prove your identity to the CA by some means. The level of this proof usually depends on the type of certificate. Some will just need you to prove you own that domain (eg by acknowledging that you receive an email to the domain), others will need you to send in copies of documentation.+Once you have generated the CSR you need to send it to a Certificate Authority. This is typically someone like GeoTrust, Sectigo etc. They will charge you (typically somewhere betwee £50 to £400 per year) to sign the certificate, and you will need to prove your identity to the CA by some means. The level of this proof usually depends on the type of certificate. Some will just need you to prove you own that domain (eg by acknowledging that you receive an email to the domain), others will need you to send in copies of documentation.
  
-You can also set up as your own CA. The GenCert program above will let you do this, other programs are available to do this. This is free, but when you access a service using a certificate signed by your own CA, the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £800 Verisign certificate, but the warning may not be desirable, and the server's identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment.+You can also generate self-signed certificates. The Windows Server Certificate Server can do this for youor you can use OpenSSL - see below. This is free, but when you access a service using a self-signed certificate , the email client or web browser may warn you that the certificate is not validated properly, and you will need to accept the warning. The data will still be encrypted just as with a £400 Sectigo certificate, but the warning may not be desirable, and the server's identity will not be verified. It can be useful to use this method for testing, and then have a recognised CA sign the certificate when you are ready for wider deployment.
  
 Note that the 'Private Key' file MUST NOT require a password to access it. Note that the 'Private Key' file MUST NOT require a password to access it.
Line 36: Line 36:
 If the issuing certificate authority requires an intermediate certificate you will have to get that certificate's details from them, we cannot supply that information (unless you purchased the certificate via ourselves). If the issuing certificate authority requires an intermediate certificate you will have to get that certificate's details from them, we cannot supply that information (unless you purchased the certificate via ourselves).
  
 +=====Using OpenSSL=====
 +OpenSSL is free software to handle encryption, certificates, etc. It's very commonly used, so you will find a lot of documentation on the Internet about it.
 +
 +For Windows, the best place to download it from is https://slproweb.com/products/Win32OpenSSL.html
 +Download the 'Light' version, eg "Win64 OpenSSL v3.6.1 Light" (the version will change over time). It doesn't need to be installed on the VPOP3 computer.
 +
 +If you are using Linux, then OpenSSL is usually installed as standard
 +
 +OpenSSL has to be used from a command prompt. The following sections give examples of how to perform some common tasks using OpenSSL
 +
 +====Generating a CSR using OpenSSL====
 +
 +See the 'Using OpenSSL' section above for instructions on installation and usage
 +
 +Then run:
 +  openssl req -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem
 +
 +  - This will first display some 'garbage', which is the cryptographically secure random number generator operating
 +  - Then it will prompt for information about your organisation. Most of this may just be encoded in the certificate for someone accessing your server to be able to see. The **Common Name** is important though, as that has to match the DNS host name of the server, as the software accessing the server will verify that this is the same as the server name that it has connected to
 +    - Country Name - use a two letter country code, eg GB (for United Kingdom), US (for USA), FR (for France) etc (See [[https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2#Officially_assigned_code_elements|this Wikipedia article]] for a full list of countries and country codes)
 +    - State or Province Name - eg "Yorkshire" or "New York"
 +    - Locality Name - eg "London" or "Manchester"
 +    - Organisation Name - eg ACME Inc.
 +    - Organisational Unit Name - IT or Software
 +    - Common Name - this is the DNS host name of your VPOP3 computer, eg mail.example.com
 +    - Email Address - a contact email address (or blank)
 +  - Then it will ask for two extra bits of information which can be left blank: challenge password, and optional company name
 +
 +This will generate two files: 
 +  * key.pem. This is the private key. Keep this file very safe. If that gets lost, then you will need to regenerate the CSR, and send the new one to the Certificate Authority. Do not give key.pem to anyone you do not trust, as it will allow them to spoof your server certificate. Note that the Certificate Authority do NOT need access to the private key.
 +  * csr.pem. This is the certificate request. You will need to send this to the Certificate Authority for them to generate the certificate for you. It is a text file, so you will be able to open it in something like Notepad and copy/paste the contents if necessary
 +
 +====Generating a self-signed certificate using OpenSSL====
 +
 +See the 'Using OpenSSL' section above for instructions on installation and usage
 +
 +Then, run:
 +
 +  openssl req -x509 -newkey rsa:4096 -nodes -keyout key.pem -out cert.pem -sha256 -days 365
 +
 +This will generate a private key and self-signed certificate with an expiry of 365 days
 +
 +You will be prompted for organisation and certificate information as when generating a CSR as above.
 +
 +It will produce two files key.pem and cert.pem which you can copy/paste into VPOP3's Server SSL Settings
  
how_to/create_an_ssl_certificate.1390489908.txt.gz · Last modified: (external edit)

Page Tools

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki