OpenSSL certificates are required by several services on the Kolab server. When you install the kolab RPM (see next chapter), the bootstrapping procedure of the Kolab server automatically creates certificates that can be used with the Kolab server. Three files are provided by the bootstrapping procedure:
/kolab/etc/kolab/cert.pem
/kolab/etc/kolab/key.pem
/kolab/etc/kolab/CAcert.pem
If you want to use your own keys, feel free to do so. You should then check the configuration files of Cyrus IMAPd, Postfix and Apache and adjust the certificate settings there. These are the relevant configuration options that have to be adapted if you want to replace the keys kolab created:
/kolab/etc/imapd/imapd.conf:
...
tls_cert_file: /kolab/etc/kolab/cert.pem
tls_key_file: /kolab/etc/kolab/key.pem
...

/kolab/etc/apache/apache.conf:
...
SSLCACertificateFile /kolab/etc/kolab/CAcert.pem
...
SSLCertificateFile /kolab/etc/kolab/cert.pem
SSLCertificateKeyFile /kolab/etc/kolab/key.pem
...

/kolab/etc/postfix/main.cf:
...
smtpd_tls_CAfile = /kolab/etc/kolab/CAcert.pem
smtpd_tls_cert_file = /kolab/etc/kolab/cert.pem
smtpd_tls_key_file = /kolab/etc/kolab/key.pem
...
Note that by default the CA and the keys have a maximum lifetime of one year. The lifetime of a CA can be up to ten years if the key length used is set to 2048 bits. The TLS keys for the services can be set to five years; the key length does not need to be longer than 1536 bits in order to stay secure.
The kolab bootstrapping procedure creates the certificates using the following script (called kolab_sslcert.sh):
#!/bin/sh
# Bootstraps Kolab's SSL/TLS material: a self-signed CA, a service key and a
# service certificate signed by that CA. @@@kolab_prefix@@@ is replaced by
# the install prefix (normally /kolab) when the package is built.
echo "Generating kolab's SSL/TLS certificates"
# Remember the starting directory. Do not store it in PWD: the shell
# rewrites PWD on every cd, so "cd $PWD" at the end would have left the
# script inside $TMPDIR right before that directory is deleted.
ORIGDIR=`pwd`
TMPDIR="@@@kolab_prefix@@@/etc/kolab/tmp"
# "openssl ca" works with the directory layout from the default openssl.cnf
# (dir = ./demoCA), so that layout is created inside the temporary directory.
mkdir -p "$TMPDIR/demoCA/private"
mkdir -p "$TMPDIR/demoCA/newcerts"
mkdir -p "$TMPDIR/demoCA/certs"
mkdir -p "$TMPDIR/demoCA/crl"
cd "$TMPDIR" || exit 1
touch demoCA/index.txt
echo "01" > demoCA/serial
echo -n "generate self-signed CA ... "
# Answers for the interactive prompts (C, ST, L, O, OU, CN, email). A "."
# leaves the field empty; the CN becomes the host name. printf is used
# because "echo -e" is not portable across /bin/sh implementations.
printf '.\n.\n.\n.\n.\n%s\n.\n' "`hostname`" | \
@@@kolab_prefix@@@/bin/openssl req -new -x509 -nodes \
-keyout demoCA/private/cakey.pem \
-out demoCA/cacert.pem -days 3650 2>/dev/null
echo "done"
echo -n "generate certificate and sign request ... "
# Service key plus signing request with CN "kolab". -days is ignored for a
# plain request; the lifetime of the signed certificate is decided by
# "openssl ca" below.
printf '.\n.\n.\n.\n.\nkolab\n.\n\n\n' | \
@@@kolab_prefix@@@/bin/openssl req -new -nodes \
-keyout key.pem -out newreq.pem \
-days 3650 2>/dev/null
cat newreq.pem key.pem > new.pem
echo "done"
echo -n "sign certificate with newly created CA ... "
# The two "y" answers confirm signing and committing the certificate. Its
# lifetime comes from default_days in openssl.cnf (365 in the stock file),
# which is what gives the service certificate its one-year default.
printf 'y\ny\n' | @@@kolab_prefix@@@/bin/openssl ca \
-policy policy_anything \
-out cert.pem -infiles new.pem 2>/dev/null 1>&2
sleep 2
echo "done"
cp demoCA/cacert.pem @@@kolab_prefix@@@/etc/kolab/CAcert.pem
cp key.pem @@@kolab_prefix@@@/etc/kolab/key.pem
cp cert.pem @@@kolab_prefix@@@/etc/kolab/cert.pem
cd "$ORIGDIR"
rm -rf "$TMPDIR"
echo "New certificates have been installed under \
@@@kolab_prefix@@@/etc/kolab/"
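As an added example that is not part of the Kolab documentation or of kolab_sslcert.sh, the following POSIX shell snippet checks that the three files the bootstrap leaves behind, or a set of your own as described above, actually fit together before Cyrus IMAPd, Postfix and Apache are pointed at them: cert.pem chains to CAcert.pem, key.pem is the matching private key, neither certificate expires within a chosen number of days, and the private key is not readable by other local users. It assumes an openssl binary on PATH and the page's directory /kolab/etc/kolab and file names; the make_certs helper only produces a disposable test set (2048-bit keys, subjects passed with -subj instead of answering the prompts) and is not how the bootstrap itself works.

```shell
#!/bin/sh
# Added example (not Kolab's own code): sanity-check a Kolab certificate set.

# make_certs DIR [DAYS]: build a CA, a service key and a CA-signed service
# certificate with the same file names the bootstrap uses. Used for the
# self-test only; the bootstrap leaves the lifetime to openssl.cnf instead.
make_certs() {
    dir="$1"; days="${2:-365}"
    openssl req -new -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=Kolab bootstrap CA" \
        -keyout "$dir/cakey.pem" -out "$dir/CAcert.pem" 2>/dev/null || return 1
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=kolab" \
        -keyout "$dir/key.pem" -out "$dir/newreq.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/newreq.pem" -CA "$dir/CAcert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days "$days" \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    chmod 600 "$dir/key.pem" "$dir/cakey.pem"
}

# check_certs [DIR] [MIN_DAYS]: returns 0 when the set under DIR (default
# /kolab/etc/kolab) is consistent and valid for at least MIN_DAYS (default 30).
check_certs() {
    dir="${1:-/kolab/etc/kolab}"
    min_days="${2:-30}"
    ca="$dir/CAcert.pem"; cert="$dir/cert.pem"; key="$dir/key.pem"

    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done

    # 1. The service certificate must verify against the CA that the
    #    imapd.conf, apache.conf and main.cf settings point at.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "cert.pem does not verify against CAcert.pem" >&2; return 1; }

    # 2. The private key must belong to the certificate: both carry the
    #    public key, so the two PEM encodings have to be identical.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "key.pem does not match cert.pem" >&2; return 1; }

    # 3. Lifetime: -checkend exits non-zero if the certificate expires
    #    within the given number of seconds. The CA is checked as well,
    #    because an expired CA invalidates every certificate it signed.
    secs=$((min_days * 86400))
    for f in "$ca" "$cert"; do
        openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null \
            || { echo "$f expires within $min_days days" >&2; return 1; }
    done

    # 4. A world-readable private key lets any local account impersonate
    #    the server. find prints the path when the "other read" bit is set.
    [ -z "$(find "$key" -perm -004)" ] \
        || { echo "key.pem is readable by other users" >&2; return 1; }

    echo "certificates under $dir look good"
    return 0
}

# Usage: sh <this file> check [DIR] [MIN_DAYS]
if [ "${1:-}" = "check" ]; then
    check_certs "${2:-/kolab/etc/kolab}" "${3:-30}"
fi
```

Run as root (key.pem is normally not readable by other users) with `sh check_kolab_certs.sh check /kolab/etc/kolab 30`, where the file name is your choice; a non-zero exit status together with the message on stderr names the first check that failed. The 30-day margin is a reasonable cron interval for the one-year default lifetime mentioned above.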