In the past year, GeoTrust has stepped up their game on certificate security, possibly because Google has done the same with its Chrome browser security (phasing out the SHA-1 algorithm). But what they forgot to do was tell everyone where the intermediate CAs (certificate authorities) could be found when they emailed out renewed certificates this year. This is probably partly my ISP's fault for not caring too much when renewing client certificates, but I didn't get any instructions, and my recollection of how to install all this was a bit rusty after not touching my configurations for years. So here's a refresher and reminder on what steps to take to install the new certificate and intermediates for a seamless security-alert-free experience.
My current setup as of this writing is this:
- Ubuntu Linux OS
- Apache Webserver (Two SSL Ports)
- Postfix / Dovecot Mail Server (With StartTLS/SSL Configurations)
I'm not going to go into too much detail on how I got this configured initially--it was a massive effort to learn and get it perfect the first time around; the kind where you're about sick of dealing with it when it's finally settled, working and passes most security scans--but I am going to include some basic certificate-related configurations and how to make this an easy install each year you renew your certificate(s).
For me, and any other individual/small business, buying certificates is costly and a lot of time wasted. I'm loving the new efforts by Let's Encrypt to make SSL free, automated and open. It's not there yet, but we need an authority that doesn't cost us tons of money every year. I'm quite sick of how every authority is essentially price-fixing the hell out of the little man.
Anyway, I have a single certificate setup to save me time and money because my websites are a hobby, not money makers (yet). Rather than buying certificates and IP addresses for every service and website, I've issued the same certificate to secure all of them until I can afford to invest more in my projects. So lets get down to how to set these things up.
This is my baseline, the main use for my certificate. I only have one IP, so I can only use one shared domain for SSL (port 443) access. So I've got some hairiness to my setup, which I plan to fix pretty soon, but it's working for now. This is also where my certificates live on my system.
I have a folder under my apache2 setup called certs.d where I keep all my CSRs, CAs and certs. This keeps me organized as to where it all is. For each VirtualHost that uses SSL, I simply use an Include reference to a configuration file in this folder. Something like this:
The next thing I have are key, chain and certificate folders that store my private key, intermediate CA and site certificate. I reference these in my shared certificate configuration files. In addition, I'll create a symbolic link to the current valid certificates and use that for my configuration so that I don't have to keep modifying my configuration every year. Instead, I'll update the symlink. You don't need to do this, but I like keep my work within as few systems as possible--the filesystem in this case. Here's an example shared configuration:
SSLCertificateFile certs.d/certs/activeCert.pem SSLCertificateKeyFile certs.d/keys/activeKey.pem SSLCACertificateFile certs.d/chains/activeChain.crt
At this point, I simply have one thing in my SSL VirtualHosts settings. I also have another configuration that stores my SSLCipherSuite and other advanced SSL settings. Click there to get some tips on recommended configurations.
Once you're all configured with Apache and your GeoTrust certificates, I'd highly recommend you head over to Qualys' SSL Server Test and test against your own server to ensure it passes as many tests as possible (A/A+ score). In addition, be sure your server's certificates are delivered correctly by using GeoTrust's SSL Toolbox Certificate Check.
For some additional information on downloading the intermediate and other CAs (Certificate Authorities), check GeoTrust's knowlegebase. They have a page with instructions on how do identify and download their intermediate CAs, including their new SHA-2 and DV SSL CA G4.
The next thing I have is a secure mail server. You can only have one certificate issued per Port number, so reusing my certificate for my mail server is no problem because it runs on different ports (443 for Apache and 465 for Postfix). So the next step is to configure Postfix to use the same certificate as before. To save time, I can link this to the same certificate/key/CA files used by Apache. This is similar to how I do it in the main.cf:
smtpd_tls_cert_file = /etc/apache/cert.d/certs/activeCert.pem smtpd_tls_key_file = /etc/apache/cert.d/keys/activeKey.pem smtpd_tls_CAfile = /etc/apache/cert.d/chains/activeChain.crt
With that in place, a few other TLS settings and such, you should have a working StartTLS/SSL setup for the SMTP protocol when other servers request to send mail to you or when you wish to send out mail. Once it's all running, head back to GeoTrust to test Postfix by checking yourmailserver:465 or whatever secure SMTP port you're using these days.
Dovecot IMAP/POP3 Server
Finally, we need to do the same thing for Dovecot, which handles IMAP and POP3 mail retrieval over StartTLS/SSL. To configure Dovecot, I do something similar to Postfix. So here's how to achieve the same shared certificate setup there:
ssl_cert_file = /etc/apache/cert.d/certs/activeCert.pem ssl_key_file = /etc/apache/cert.d/keys/activeKey.pem ssl_ca_file = /etc/apache/cert.d/chains/activeChain.crt
That's about all there is to it. Once you have them all configured and started, be sure to check back into GeoTrust's SSL Toolbox and check the certificates for Dovecot by testing yourmailserver.com:993 or whatever secure IMAP and/or POP3 port number you're using.
So there you have it, a simple single-certificate setup for Apache, Postfix and Dovecot. If you'd like some more details or have some recommendations, let me know and I will consider adding them here.