At first, you have to install the openssl package:

apt-get install openssl

Then, the openssl config file /etc/ssl/openssl.cnf has to be edited like this (I assume, your CA name is “RootCA”… you can change this name if you want to):

Line 32: default_ca = RootCA
Line 35: [ RootCA ]
Line 37: dir = /root/RootCA
Line 41: unique_subject = no # only if you need this
Line 70: default_md = sha1

If you want to, you can change the values in the section [req_destinquished_name] to your language, which would be in german:

[ req_distinguished_name ]
countryName                     = Land (2stelliger Code)
countryName_default             = DE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = Bundesland (voller Name)
stateOrProvinceName_default     = MeinBundesland

localityName                    = Ort, Stadt
localityName_default            = MeineStadt

0.organizationName              = Firmenname
0.organizationName_default      = MeineFirma

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Abteilung
#organizationalUnitName_default =

commonName                      = Common Name (z.B. IHR Name, die Serverdomain)
commonName_max                  = 64

emailAddress                    = E-Mail-Addresse
emailAddress_max                = 64

Now you have to create the directories and files you specified in the openssl.cnf:

mkdir /root/RootCA		# or whatever your CA-Name / directory is
cd /root/RootCA
mkdir newcerts certs crl private
touch index.txt
# Serialnr starts with 01
echo "01" > serial

You need to install the package sharutils to be able to use the uuencode program.

cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g"\
  | tail -18 | xargs | sed "s/ //g" > /root/RootCA/private/.rand
chmod 770 /root/RootCA/private/.rand
ls -alh  /root/RootCA/private/.rand

Now we can create our CA certificate…

Generate the key. You should use a very strong passphrase for this key - it has to be secure for the next few years!

openssl genrsa -aes256 -out private/RootCA.key.pem -rand private/.rand 2048

Generate the certificate:

openssl req -new -x509 -days 1827 -key private/RootCA.key.pem -out RootCA.cert.pem

(-days 1827 generates a certificate which is valid for 5 years)

Check if the certificate-data is alright:

openssl x509 -in RootCA.cert.pem -text | less

Copy the certificate and the private key to the locations specified in the openssl.cnf:

cp /root/RootCA/RootCA.cert.pem /root/RootCA/cacert.pem
cp /root/RootCA/private/RootCA.key.pem /root/RootCA/private/cakey.pem

Put the certificate under the control of the CA. Therefore it has to be copied with its serialnumber as filename into the directory certs and linked there with its hash-value:

cd /root/RootCA
cp RootCA.cert.pem /root/RootCA/certs/00.pem
cd /root/RootCA/certs/
ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0

Now the CA is initialized and you can distribute its certificate. To do so, rename the .cert.pem-file as .crt-file, copy it in a place reachable via the internet and make it accessible by everybody:

cp /root/RootCA/RootCA.cert.pem /var/www/virtual/yourdomain.com/htdocs/RootCA.crt
chmod 444 /var/www/virtual/yourdomain.com/htdocs/RootCA.crt

Now it's time to import the certificate into your browser. Therefore, just surf to http://yourdomain.com/RootCA.crt

All server certificates are created the same way. They shouldn't have a passphrase because you don't want to enter this passphrase everytime you start your apache or another server. Disabling the passphrase is done by omitting the encryption-algorithm when creating the private key.

cd /root/RootCA
touch /root/RootCA/index.txt
openssl genrsa -out server.key.pem -rand private/.rand 2048     # Generate the key
openssl req -new -key server.key.pem -out server.req.pem        # Generate the certificate request
openssl ca -name RootCA -in server.req.pem -out server.cert.pem # Sign the request with your CA (you have to enter the CA-passphrase)

[note by Quattro]: Something is missing here, not certain what is missing though [note by sseitz]: Yes, openssl ca expects an index.txt in place. Added above.

Move the certificate into the certs-directory and link it with its hash-value:

mv newcerts/01.pem certs/ # the certificate is named with its serialnumber - so its name is 01.pem only the first time, of course)
cd certs
ln -s 01.pem `openssl x509 -hash -noout -in 01.pem`.0

I suppose to save the originial certificate-files into a subdirectory called server:

mkdir /root/RootCA/server
mv server.*.pem server/

If you tired to do manually steps above, you can put in /root/RootCA/makecert that script:

#!/bin/bash

SERVER=$1
CA=/root/RootCA

# Print error and exit.
die()
{
   echo "ERROR: $1" 1>&2
   exit 1
}

if [ -z "$1" ]; then
        echo "Usage: makecert <servername>"
        exit
fi
if [ -f "$SERVER.cert.pem" ]; then
        die "Remove old cert before generation of new"
fi

if [ ! -f "$SERVER.key.pem" ]; then
        openssl genrsa -out $SERVER.key.pem 2048 || die "Error in keygen"
        chmod 400 $SERVER.key.pem
        chmod 400 $SERVER.key.pem
fi
if [ ! -f "$SERVER.req.pem" ]; then
        openssl req -new -key $SERVER.key.pem -out $SERVER.req.pem || die "Error in req gen"
fi
openssl ca -name RootCA -in $SERVER.req.pem -out $SERVER.cert.pem || die "Error in cert gen"
NAME=$(basename $CA/newcerts/*pem)
mv $CA/newcerts/$NAME $CA/certs/$NAME || die "Can't copy $NAME"
BN=$(openssl x509 -hash -noout -in $CA/certs/$NAME)
i=0
while [ -f $CA/certs/$BN.$i ]; do
  i=$(($i+1))
done
ln -s $NAME $CA/certs/$BN.$i

echo "New $SERVER.cert.pem generated"

Then, to create certificate just do

/root/RootCA/makecert server

And you will get in current directory server.key.pem with private key, server.req.pem with key request and server.cert.pem with certificate.

If your certificate get outdated, remove/rename server.cert.pem and run makecert again, it will generate new cert based on old req. If you have entered wrong info in request, just remove .req. and .cert. file, and run makecert again.

Generate a server certificate as described under 2.1 (choose apache.key.pem, apache.req.pem and apache.cert.pem as filenames). When generating the apache.req.pem, enter this:

Organizational Unit Name []:Apache Webserver
Common Name (eg, YOUR name) []:yourdomain.com

It is important to enter the domain name under which you want to reach ispCP, because otherwise you get a domain mismatch error when connecting via ssl.

After you've generated the certificate, change the following settings in /etc/apache2/mods-available/ssl.conf (replace 512 with 2048):

SSLRandomSeed           startup /dev/urandom 2048
SSLRandomSeed           connect /dev/urandom 2048

Then copy the certificate files (with secure file permissions):

cp apache.cert.pem apache.key.pem /etc/apache2/ssl
chmod 400 /etc/apache2/ssl/apache.cert.pem /etc/apache2/ssl/apache.key.pem

Tell apache to listen on the ssl-port (443) - therefore add

Listen 443

to the file /etc/apache2/ports.conf and enable mod_ssl:

a2enmod ssl

As last step you have to add a new VirtualHost, which listens on port 443 and has the SSL engine enabled:

cp /etc/apache2/sites-available/00_master.conf /etc/apache2/sites-available/01_ssl_master.conf

Change the 01_ssl_master.conf file like this:

#
# SSL Master Begin
#

<VirtualHost xxx.xxx.xxx.xxx:443>

    #
    # SSL Start
    #

    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key.pem

    #
    # SSL End
    #

    ServerAdmin     admin@yourdomain.com
    DocumentRoot    /var/www/ispcp/gui

    ServerName      yourdomain.com

    ErrorLog        /var/log/apache2/users/ssl.yourdomain.com-error.log
    TransferLog     /var/log/apache2/users/ssl.yourdomain.com-access.log

    CustomLog       /var/log/apache2/ssl.yourdomain.com-traf.log traff
    CustomLog       /var/log/apache2/ssl.yourdomain.com-combined.log combined

#
# ... below here, nothing has to be changed
#

</VirtualHost>

#
# SSL Master End
#

Enable the ssl site:

a2ensite 01_ssl_master.conf

Now reload the apache server:

/etc/init.d/apache2 reload

and you're done!

Open your browser and enter https://yourdomain.com and you should see the ispCP login - SSL encrypted. (By the way, phpMyAdmin and the Webmail interface are now also encrypted)

At first, you have to install the ssl-packages for courier:

apt-get install courier-imap-ssl courier-pop-ssl

Now you can generate the server certificate as described under 2.1 (choose courier.key.pem, courier.req.pem and courier.cert.pem as filenames). When generating the courier.req.pem, enter this:

Organizational Unit Name []:Courier Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com

The courier server needs the cert and the key-file together in one file:

cd /root/RootCA/server
cat courier.cert.pem courier.key.pem > courier.pem

Put the Certificates under /etc/courier:

cd /etc/courier
cp /root/RootCA/server/courier.pem .
chmod 400 courier.pem
ln -s courier.pem imapd.pem
ln -s courier.pem pop3d.pem

Now you can restart the courier-ssl servers:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

and SSL is working for your IMAP and POP3-Server!

Generate the server certificate as described under 2.1 (choose proftpd.key.pem, proftpd.req.pem and proftpd.cert.pem as filenames). When generating the proftpd.req.pem, enter this:

Organizational Unit Name []:ProFTPD FTP-Server
Common Name (eg, YOUR name) []:ftp.yourdomain.com

Copy the files in /etc/proftpd:

cd /etc/proftpd
cp /root/RootCA/server/proftpd.cert.pem /root/RootCA/server/proftpd.key.pem .
chmod 400 proftpd.cert.pem proftpd.key.pem

Activate TLS in /etc/proftpd.conf (uncomment these lines):

#
# SSL via TLS
#
<IfModule mod_tls.c>
  TLSEngine                   on                                      # on for use of TLS
  TLSLog                      /var/log/proftpd/ftp_ssl.log            # where to log to
  TLSProtocol                 SSLv23                                  # SSLv23 or TLSv1
  TLSOptions                  NoCertRequest                           # either to request the certificate or not
  TLSRSACertificateFile       /etc/proftpd/proftpd.cert.pem           # SSL certfile
  TLSRSACertificateKeyFile    /etc/proftpd/proftpd.key.pem            # SSL keyfile
  TLSVerifycodeent             off                                     # codeent verification
</IfModule>

Restart ProFTPD:

/etc/init.d/proftpd restart

That's all! Now you can connect to ftp.yourdomain.com via FTP with explicit TLS/SSL.

Generate the server certificate as described under 2.1 (choose postfix.key.pem, postfix.req.pem and postfix.cert.pem as filenames). When generating the postfix.req.pem, enter this:

Organizational Unit Name []:Postfix Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com

Copy the files in /etc/postfix:

cd /etc/postfix
cp /root/RootCA/server/postfix.cert.pem /root/RootCA/server/postfix.key.pem .
chmod 400 postfix.cert.pem postfix.key.pem

Activate TLS/SSL in /etc/postfix/main.cf (uncomment these lines):

smtpd_tls_loglevel        = 2
smtpd_tls_cert_file       = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file        = /etc/postfix/postfix.key.pem
smtpd_use_tls             = yes
smtpd_tls_auth_only       = no
smtpd_tls_received_header = yes

Restart postfix:

/etc/init.d/postfix restart

And another one… You can now send your emails over an SSL-encrypted connection.

Now you have configured your webserver (for ispCP), your mailservers and your ftp-server to use a ssl-encrypted connection.

Don't forget to distribute the CA-Certificate (it's accessible via http://yourdomain.com/RootCA.crt, isn't it?) to the people who access your server, so that they don't have to accept each single server certificate.