This howto explains how to create your own SSL Certificate Authority and how to secure several services with it (Apache, Courier, Postfix, ProFTPD).
[Thanks for the SSL-CA-Part goes to http://fra.nksteidl.de/Erinnerungen/OpenSSL.php]
1. Creating the SSL CA
1.1 Installing the openssl package
First you have to install the openssl package:
<cli> apt-get install openssl </cli>
1.2 Editing the configuration file
Then the openssl config file /etc/ssl/openssl.cnf has to be edited like this (I assume your CA name is "RootCA"; you can change this name if you want to):
<cli>
Line 32:  default_ca = RootCA
Line 35:  [ RootCA ]
Line 37:  dir = /root/RootCA
Line 41:  unique_subject = no    # only if you need this
Line 70:  default_md = md5
</cli>
If you want to, you can change the values in the section [ req_distinguished_name ] to your own language (Polish in this example):
<cli>
[ req_distinguished_name ]
countryName = Kraj (2literowy kod)
countryName_default = PL
countryName_min = 2
countryName_max = 2

stateOrProvinceName = Województwo (Nazwa województwa)
stateOrProvinceName_default = MojeWojewództwo

localityName = Miasto
localityName_default = MojeMiasto

0.organizationName = Nazwa Firmy/Organizacji
0.organizationName_default = MojaFirma

# we can do this but it is not needed normally
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd

organizationalUnitName = DziałFirmy
#organizationalUnitName_default =

commonName = Common Name (np. TWOJE imię lub DomenaSerwera.pl)
commonName_max = 64

emailAddress = Adres Email
emailAddress_max = 64
</cli>
1.3 Creating the required directories and files
Now you have to create the directories and files you specified in the openssl.cnf:
<cli>
mkdir /root/RootCA    # or whatever your CA name / directory is
cd /root/RootCA
mkdir newcerts certs crl private
touch index.txt
# the serial number starts with 01
echo "01" > serial
</cli>
1.4 Generating random data for the CA certificate
You need to install the package sharutils to be able to use the uuencode program.
<cli>
cat /dev/urandom | uuencode -m bla | head -19 | sed "s/begin.*//g" | tail -18 | xargs | sed "s/ //g" > /root/RootCA/private/.rand
chmod 770 /root/RootCA/private/.rand
ls -alh /root/RootCA/private/.rand
</cli>
1.5 Creating the CA certificate
Now we can create our CA certificate…
Generate the key. You should use a very strong passphrase for this key - it has to stay secure for the next few years!
<cli>
openssl genrsa -aes256 -out private/RootCA.key.pem -rand private/.rand 2048
</cli>
Generate the certificate:
<cli>
openssl req -new -x509 -days 1827 -key private/RootCA.key.pem -out RootCA.cert.pem
</cli>
(-days 1827 generates a certificate which is valid for 5 years)
Check that the certificate data is alright:
<cli>
openssl x509 -in RootCA.cert.pem -text | less
</cli>
Copy the certificate and the private key to the locations specified in the openssl.cnf:
<cli>
cp /root/RootCA/RootCA.cert.pem /root/RootCA/cacert.pem
cp /root/RootCA/private/RootCA.key.pem /root/RootCA/private/cakey.pem
</cli>
Put the certificate under the control of the CA. For this it has to be copied into the directory certs with its serial number as filename and linked there under its hash value:
<cli>
cd /root/RootCA
cp RootCA.cert.pem /root/RootCA/certs/00.pem
cd /root/RootCA/certs/
ln -s 00.pem `openssl x509 -hash -noout -in 00.pem`.0
</cli>
1.6 Publishing the CA certificate
Now the CA is initialized and you can distribute its certificate. To do so, rename the .cert.pem file to a .crt file, copy it to a place reachable via the internet and make it readable by everybody:
<cli> cp /root/RootCA/RootCA.cert.pem /var/www/virtual/yourdomain.com/htdocs/RootCA.crt chmod 444 /var/www/virtual/yourdomain.com/htdocs/RootCA.crt </cli>
Now it's time to import the certificate into your browser. Therefore, just surf to http://yourdomain.com/RootCA.crt
2. Creating server certificates
2.1 Sample server certificate generation
All server certificates are created the same way. They shouldn't have a passphrase, because you don't want to enter it every time you start Apache or another server. The passphrase is disabled by omitting the encryption algorithm when creating the private key.
<cli>
cd /root/RootCA
# Generate the key
openssl genrsa -out server.key.pem -rand private/.rand 2048
# Generate the certificate request
openssl req -new -key server.key.pem -out server.req.pem
# Sign the request with your CA (you have to enter the CA passphrase)
openssl ca -name RootCA -in server.req.pem -out server.cert.pem
</cli>
Move the certificate into the certs directory and link it under its hash value:
<cli>
# the certificate is named after its serial number - so it is called 01.pem only the first time, of course
mv newcerts/01.pem certs/
cd certs
ln -s 01.pem `openssl x509 -hash -noout -in 01.pem`.0
</cli>
I suggest saving the original certificate files in a subdirectory called server:
<cli>
mkdir /root/RootCA/server
cd ..
mv server.*.pem server/
</cli>
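As an added example (not part of this howto and not ispCP's own code), here is the CA bootstrap from 1.2 to 1.5 and the server-certificate issuance from 2.1 as non-interactive POSIX shell functions, plus a check that a certificate and its key belong together before they are copied under /etc. The directory (a mktemp path), the passphrase, the service name and the host names are constructed for the demo. Two things deliberately differ from the howto above: the signature digest is sha256 instead of the md5 from 1.2, because current browsers and mail clients reject MD5-signed certificates, and the host name is also placed in subjectAltName, since modern clients no longer fall back to the Common Name when checking the domain.

```shell
#!/bin/sh
# Added example, not from the original howto: CA bootstrap (sections 1.2-1.5)
# and server-certificate issuance (section 2.1) as non-interactive functions.
# Paths, passphrase and host names are constructed for the demo; sha256 is
# used instead of the howto's default_md = md5, which current clients reject.
set -eu

# Minimal openssl.cnf for `openssl ca -name RootCA` (what section 1.2 edits).
write_ca_config() {   # $1 = CA directory
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca     = RootCA

[ RootCA ]
dir            = $1
new_certs_dir  = \$dir/newcerts
database       = \$dir/index.txt
serial         = \$dir/serial
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_days   = 365
default_md     = sha256
unique_subject = no
policy         = policy_anything

[ policy_anything ]
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_dn

[ req_dn ]

[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
}

# Sections 1.3-1.5: directory layout, encrypted CA key, self-signed CA cert.
setup_demo_ca() {     # $1 = CA directory, $2 = CA key passphrase
    mkdir -p "$1/newcerts" "$1/certs" "$1/crl" "$1/private"
    chmod 700 "$1/private"
    : > "$1/index.txt"
    echo 01 > "$1/serial"               # the first issued certificate becomes 01.pem
    write_ca_config "$1"
    openssl genrsa -aes256 -passout "pass:$2" -out "$1/private/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 1827 -config "$1/openssl.cnf" -extensions ca_ext \
        -subj "/O=Demo/CN=Demo RootCA" -key "$1/private/cakey.pem" -passin "pass:$2" \
        -out "$1/cacert.pem"
    # hash link in certs/, so tools can look the CA up by its subject hash
    cp "$1/cacert.pem" "$1/certs/00.pem"
    ( cd "$1/certs" && ln -sf 00.pem "$(openssl x509 -hash -noout -in 00.pem).0" )
}

# Section 2.1: passphrase-less server key, CSR, CA signature, hash link.
issue_server_cert() { # $1 = CA dir, $2 = CA passphrase, $3 = service name, $4 = host name
    dir=$1 name=$3 host=$4
    openssl genrsa -out "$dir/$name.key.pem" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/openssl.cnf" -key "$dir/$name.key.pem" \
        -subj "/OU=$name server/CN=$host" -out "$dir/$name.req.pem"
    # server extensions; the host name goes into subjectAltName, which clients check
    printf '[ server_ext ]\nbasicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:%s\n' "$host" > "$dir/$name.ext"
    openssl ca -batch -config "$dir/openssl.cnf" -name RootCA -passin "pass:$2" \
        -extfile "$dir/$name.ext" -extensions server_ext \
        -in "$dir/$name.req.pem" -out "$dir/$name.cert.pem" 2>/dev/null
    serial=$(openssl x509 -noout -serial -in "$dir/$name.cert.pem" | cut -d= -f2)
    mv "$dir/newcerts/$serial.pem" "$dir/certs/"
    ( cd "$dir/certs" && ln -sf "$serial.pem" "$(openssl x509 -hash -noout -in "$serial.pem").0" )
    mkdir -p "$dir/$name" && mv "$dir/$name".*.pem "$dir/$name/"
}

# Does the certificate chain to the CA and carry the expected host name?
verify_server_cert() {  # $1 = CA dir, $2 = service name, $3 = host name to check
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$1/$2/$2.cert.pem" >/dev/null 2>&1
}

# Do certificate and key belong together? Worth running before copying them into /etc.
key_matches_cert() {    # $1 = certificate file, $2 = unencrypted key file
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# Stand-alone demo in a throw-away directory with a constructed passphrase.
DEMO=$(mktemp -d)
setup_demo_ca "$DEMO" 'demo-passphrase'
issue_server_cert "$DEMO" 'demo-passphrase' apache www.example.com
verify_server_cert "$DEMO" apache www.example.com && echo "www.example.com: chain and host name OK"
key_matches_cert "$DEMO/apache/apache.cert.pem" "$DEMO/apache/apache.key.pem" && echo "key matches certificate"
```

The `-batch` and `-subj` options replace the interactive prompts of the howto, which is what makes the procedure scriptable; `openssl verify -verify_hostname` is the offline equivalent of the "domain mismatch" check a browser performs, so a certificate issued for the wrong name is caught before it is installed.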
2.2 Creating a certificate for the Apache server
Generate a server certificate as described under 2.1 (choose apache.key.pem, apache.req.pem and apache.cert.pem as filenames).
<cli>
cd /root/RootCA
# Generate the key
openssl genrsa -out apache.key.pem -rand private/.rand 2048
# Generate the certificate request
openssl req -new -key apache.key.pem -out apache.req.pem
# Sign the request with your CA (you have to enter the CA passphrase)
openssl ca -name RootCA -in apache.req.pem -out apache.cert.pem
</cli>
Move the certificate into the certs directory and link it under its hash value:
<cli>
# the certificate is named after its serial number - 02.pem here, if the sample certificate from 2.1 was the first one
mv newcerts/02.pem certs/
cd certs
ln -s 02.pem `openssl x509 -hash -noout -in 02.pem`.0
</cli>
I suggest saving the original certificate files in a subdirectory called apache:
<cli>
mkdir /root/RootCA/apache
cd ..
mv apache.*.pem apache/
</cli>
When generating the apache.req.pem, enter this:
<cli>
Organizational Unit Name []:Apache Webserver
Common Name (eg, YOUR name) []:yourdomain.com
</cli>
It is important to enter the domain name under which you want to reach ispCP, because otherwise you get a domain mismatch error when connecting via ssl.
After you've generated the certificate, change the following settings in /etc/apache2/mods-available/ssl.conf (replace 512 with 2048):
<cli>
SSLRandomSeed startup /dev/urandom 2048
SSLRandomSeed connect /dev/urandom 2048
</cli>
Then copy the certificate files (with secure file permissions):
<cli>
cp apache.cert.pem apache.key.pem /etc/apache2/ssl
chmod 400 /etc/apache2/ssl/apache.cert.pem /etc/apache2/ssl/apache.key.pem
</cli>
Tell apache to listen on the ssl-port (443) - therefore add <cli> Listen 443 </cli> to the file /etc/apache2/ports.conf and enable mod_ssl: <cli> a2enmod ssl </cli>
As last step you have to add a new VirtualHost, which listens on port 443 and has the SSL engine enabled:
<cli> cp /etc/apache2/sites-available/00_master.conf /etc/apache2/sites-available/01_ssl_master.conf </cli>
Change the 01_ssl_master.conf file like this:
<cli>
#
# SSL Master Begin
#
<VirtualHost xxx.xxx.xxx.xxx:443>
    #
    # SSL Start
    #
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.cert.pem
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key.pem
    #
    # SSL End
    #
    ServerAdmin admin@yourdomain.com
    DocumentRoot /var/www/ispcp/gui
    ServerName yourdomain.com
    ErrorLog /var/log/apache2/users/ssl.yourdomain.com-error.log
    TransferLog /var/log/apache2/users/ssl.yourdomain.com-access.log
    CustomLog /var/log/apache2/ssl.yourdomain.com-traf.log traff
    CustomLog /var/log/apache2/ssl.yourdomain.com-combined.log combined
    #
    # … below here, nothing has to be changed
    #
</VirtualHost>
#
# SSL Master End
#
</cli>
Enable the ssl site: <cli> a2ensite 01_ssl_master.conf </cli> Now reload the apache server: <cli> /etc/init.d/apache2 reload </cli> and you're done!
Open your browser and enter https://yourdomain.com and you should see the ispCP login - SSL encrypted. (By the way, phpMyAdmin and the Webmail interface are now also encrypted)
2.3 Creating a certificate for the Courier server
At first, you have to install the ssl packages for courier:
<cli>
apt-get install courier-imap-ssl courier-pop-ssl
</cli>
Now you can generate the server certificate as described under 2.1 (choose courier.key.pem, courier.req.pem and courier.cert.pem as filenames). When generating the courier.req.pem, enter this:
<cli>
Organizational Unit Name []:Courier Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com
</cli>
<cli>
cd /root/RootCA
# Generate the key
openssl genrsa -out courier.key.pem -rand private/.rand 2048
# Generate the certificate request
openssl req -new -key courier.key.pem -out courier.req.pem
# Sign the request with your CA (you have to enter the CA passphrase)
openssl ca -name RootCA -in courier.req.pem -out courier.cert.pem
</cli>
Move the certificate into the certs directory and link it under its hash value:
<cli>
# the certificate is named after its serial number - 03.pem if you followed this howto in order
mv newcerts/03.pem certs/
cd certs
ln -s 03.pem `openssl x509 -hash -noout -in 03.pem`.0
</cli>
I suggest saving the original certificate files in a subdirectory called courier:
<cli>
mkdir /root/RootCA/courier
cd ..
mv courier.*.pem courier/
</cli>
The courier server needs the certificate and the key together in one file:
<cli>
cd /root/RootCA/courier
cat courier.cert.pem courier.key.pem > courier.pem
</cli>
Put the certificates under /etc/courier:
<cli>
cd /etc/courier
cp /root/RootCA/courier/courier.pem .
chmod 400 courier.pem
ln -s courier.pem imapd.pem
ln -s courier.pem pop3d.pem
</cli>
Now you can restart the courier ssl servers:
<cli>
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
</cli>
and SSL is working for your IMAP and POP3 server!
2.4 Creating a certificate for the ProFTPD server
Generate the server certificate as described under 2.1 (choose proftpd.key.pem, proftpd.req.pem and proftpd.cert.pem as filenames). When generating the proftpd.req.pem, enter this:
<cli>
Organizational Unit Name []:ProFTPD FTP-Server
Common Name (eg, YOUR name) []:ftp.yourdomain.com
</cli>
<cli>
cd /root/RootCA
# Generate the key
openssl genrsa -out proftpd.key.pem -rand private/.rand 2048
# Generate the certificate request
openssl req -new -key proftpd.key.pem -out proftpd.req.pem
# Sign the request with your CA (you have to enter the CA passphrase)
openssl ca -name RootCA -in proftpd.req.pem -out proftpd.cert.pem
</cli>
Move the certificate into the certs directory and link it under its hash value:
<cli>
# the certificate is named after its serial number - 04.pem if you followed this howto in order
mv newcerts/04.pem certs/
cd certs
ln -s 04.pem `openssl x509 -hash -noout -in 04.pem`.0
</cli>
I suggest saving the original certificate files in a subdirectory called proftpd:
<cli>
mkdir /root/RootCA/proftpd
cd ..
mv proftpd.*.pem proftpd/
</cli>
Copy the files into /etc/proftpd:
<cli>
cd /etc/proftpd
cp /root/RootCA/proftpd/proftpd.cert.pem /root/RootCA/proftpd/proftpd.key.pem .
chmod 400 proftpd.cert.pem proftpd.key.pem
</cli>
Activate TLS in /etc/proftpd.conf (uncomment these lines):
<cli>
#
# SSL via TLS
#
<IfModule mod_tls.c>
    TLSEngine on                                             # on for use of TLS
    TLSLog /var/log/proftpd/ftp_ssl.log                      # where to log to
    TLSProtocol SSLv23                                       # SSLv23 or TLSv1
    TLSOptions NoCertRequest                                 # whether to request the client certificate or not
    TLSRSACertificateFile /etc/proftpd/proftpd.cert.pem      # SSL certfile
    TLSRSACertificateKeyFile /etc/proftpd/proftpd.key.pem    # SSL keyfile
    TLSVerifyClient off                                      # client verification
</IfModule>
</cli>
Restart ProFTPD:
<cli>
/etc/init.d/proftpd restart
</cli>
That's all! Now you can connect to ftp.yourdomain.com via FTP with explicit TLS/SSL.
2.5 Creating a certificate for the Postfix server
Generate the server certificate as described under 2.1 (choose postfix.key.pem, postfix.req.pem and postfix.cert.pem as filenames). When generating the postfix.req.pem, enter this:
<cli>
Organizational Unit Name []:Postfix Mailserver
Common Name (eg, YOUR name) []:mail.yourdomain.com
</cli>
<cli>
cd /root/RootCA
# Generate the key
openssl genrsa -out postfix.key.pem -rand private/.rand 2048
# Generate the certificate request
openssl req -new -key postfix.key.pem -out postfix.req.pem
# Sign the request with your CA (you have to enter the CA passphrase)
openssl ca -name RootCA -in postfix.req.pem -out postfix.cert.pem
</cli>
Move the certificate into the certs directory and link it under its hash value:
<cli>
# the certificate is named after its serial number - 05.pem if you followed this howto in order
mv newcerts/05.pem certs/
cd certs
ln -s 05.pem `openssl x509 -hash -noout -in 05.pem`.0
</cli>
I suggest saving the original certificate files in a subdirectory called postfix:
<cli>
mkdir /root/RootCA/postfix
cd ..
mv postfix.*.pem postfix/
</cli>
Copy the files into /etc/postfix:
<cli>
cd /etc/postfix
cp /root/RootCA/postfix/postfix.cert.pem /root/RootCA/postfix/postfix.key.pem .
chmod 400 postfix.cert.pem postfix.key.pem
</cli>
Activate TLS/SSL in /etc/postfix/main.cf (uncomment these lines):
<cli>
smtpd_tls_loglevel = 2
smtpd_tls_cert_file = /etc/postfix/postfix.cert.pem
smtpd_tls_key_file = /etc/postfix/postfix.key.pem
smtpd_use_tls = yes
smtpd_tls_auth_only = no
smtpd_tls_received_header = yes
</cli>
Restart postfix:
<cli>
/etc/init.d/postfix restart
</cli>
And another one… You can now send your emails over an SSL-encrypted connection.
3. Conclusion
Now you have configured your webserver (for ispCP), your mailservers and your ftp server to use an SSL-encrypted connection.
Don't forget to distribute the CA certificate (it's accessible via http://yourdomain.com/RootCA.crt, isn't it?) to the people who access your server, so that they don't have to accept each single server certificate.