If you run your own website, email server or other services like OwnCloud at home, then you may find yourself in need of an SSL certificate. When you install Apache, it generates a self-signed "snakeoil" certificate that can be used to encrypt your session. However, while this certificate is useful for testing, it falls short in a couple of important ways:
- The snakeoil certificate has not been signed by an authority that your browser trusts, so your browser will throw an error when you connect.
- The common name on the certificate probably doesn't match your domain name. Another browser error.
- Short of manually inspecting the certificate's checksum, you have no guarantee that you are communicating with your own server - it could easily be an imposter using another self-signed certificate.
This tutorial will show you how to generate your own SSL certificate and get it signed by the community-driven certificate authority CAcert. Once you have imported the CAcert root certificate into your browser or into your operating system's trust store, your computer will automatically verify the identity of the server and you will enjoy error-free secure communications. Oh, and CAcert is free of charge!
Before we start: a quick note about filename extensions
As far as I can tell, Linux is not at all bothered about what you name your certificate and certificate key files. You could use the .magic extension for your cert if you liked and it would probably still work. From what I've read, file name extensions seem to only matter on Windows, whereas on Linux they're just descriptive. However, it's probably worth noting that there are lots of different types of certificate encoding styles, which have been summarised neatly here. Some extensions such as .pem and .der imply that the file is encoded in a certain way. Since we are able to choose whatever extension we like, I've chosen the following:
- .csr for the certificate signing request (CSR)
- .crt for the signed certificate file
- .key for the key file
These have the benefit of not implying any particular encoding. The first time I did this on my Pi, I used .pem for everything and got in a muddle, forgetting which file was which. This should make things much easier!
Generate your certificate
We are going to use a two step process to generate your certificate. First, run this command, which will generate a private key:
openssl genrsa -out <filename for your private key>.key 4096
Now we will generate a new certificate signing request (CSR) from your private key:
openssl req -new -key <filename for your private key>.key -out <filename for the CSR>.csr
This stage requires user input, a series of questions about what information you would like to be on the certificate. Since CAcert is an automated service, it discards most of the information on the certificate (so that it doesn't certify the information it is unable to verify), leaving only the essentials: the email address and the common name. Here is the information you will be asked for:
- Country Name (use a two letter code e.g. GB)
- State or Province Name (e.g. Surrey)
- Locality Name (e.g. Guildford)
- Organisational Name (e.g. Sam Hobbs' Personal Website)
- Organisational Unit Name (e.g. Website)
- Common Name (your domain name - see note below - e.g. samhobbs.co.uk)
- Email Address (the contact address for your administrator e.g. firstname.lastname@example.org)
Don't set a password - leave it blank when asked. We will keep the key file private by setting appropriate permissions. The common name is important here: most websites rewrite https://yourdomain.com to https://www.yourdomain.com or vice versa. If your website is available at https://yourdomain.com then you should use yourdomain.com as the common name; if your website is at https://www.yourdomain.com then your common name should be *.yourdomain.com (the wildcard will match any subdomain, meaning you can use the same cert for https://www.yourdomain.com, which is handy). Personally, I use a wildcard certificate. If you were paying for a normal certificate authority to sign your certificate then a wildcard cert would be more expensive, but CAcert is of course free so you might as well take advantage of it!
Install the CAcert root certificate
Every operating system comes pre-loaded with a set of certificates that are trusted by the OS. This includes certificates from VeriSign and other big-name certificate authorities. Very few OSes trust CAcert by default, although a couple of Linux distributions do. The CAcert website serves HTTPS using a certificate that was signed by the CAcert root. Since you are going to be sending sensitive information to the website during registration, it makes sense to install the CAcert root certificate now so that you can use the site without browser errors. To install the CAcert root certificate from the command line, you can use these commands:
cd ~
wget http://www.cacert.org/certs/root.txt
sudo cp root.txt /etc/ssl/certs/cacert-root.crt
Those commands will download the CAcert root certificate into your home directory, and then copy it to your certificates folder. If you look in your certs directory (ls -l /etc/ssl/certs) you will see that all of the certs have sensible certificate names like GeoTrust_Global_CA.pem, but there are also a load of symbolic links with names like 2c543cd1.0 that point to the certificate files with the human-readable names. Those symlink names like 2c543cd1.0 are hashes of the certificate files, and are there to enable programs on your computer to quickly check whether a root certificate is in your computer's certificate directory or not. Some programs manage to recognise that the certificate is installed just fine without the symlinks, but some of them do not. OpenSSL is one of the ones that doesn't. So, we need to use one more command to create a symlink for the newly installed cacert-root.crt (this will also refresh the symlinks for the rest of the certs in the folder):
sudo c_rehash /etc/ssl/certs
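To see why the c_rehash step matters, here is an added example (not from the original post) that builds a throwaway self-signed root in a scratch directory, shows that openssl verify -CApath cannot find it until the hash-named symlink exists, and then creates that symlink by hand the way c_rehash does for a whole directory. Nothing under /etc/ssl is touched.

```shell
#!/bin/sh
# Added example (not from the original post): why c_rehash is needed.
# A constructed self-signed root goes into a scratch directory and
# 'openssl verify -CApath' is tried before and after the <hash>.0 symlink.
set -e

# Create a constructed self-signed root in $1/certs ($1 is a scratch directory).
make_scratch_root() {
    dir=$1
    mkdir -p "$dir/certs"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Scratch Root (example only)" \
        -keyout "$dir/scratch-root.key" -out "$dir/certs/scratch-root.crt" \
        2>/dev/null
}

# Print the symlink name OpenSSL looks for: the subject hash plus ".0",
# the same scheme as the 2c543cd1.0 links in /etc/ssl/certs.
hash_link_name() {
    printf '%s.0\n' "$(openssl x509 -hash -noout -in "$1")"
}

# Do for one file what c_rehash does for every file in a directory.
rehash_one() {
    dir=$1; file=$2
    ln -sf "$(basename "$file")" "$dir/$(hash_link_name "$file")"
}

# Return 0 if 'openssl verify -CApath <dir>' accepts the certificate.
verifies_with_capath() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Stand-alone usage: show the before/after behaviour in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    scratch=$(mktemp -d)
    make_scratch_root "$scratch"
    crt="$scratch/certs/scratch-root.crt"
    verifies_with_capath "$scratch/certs" "$crt" && echo "found before rehash (unexpected)" || echo "not found before rehash"
    rehash_one "$scratch/certs" "$crt"
    verifies_with_capath "$scratch/certs" "$crt" && echo "found via $(hash_link_name "$crt") after rehash"
    rm -rf "$scratch"
fi
```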
Now that the CAcert root cert is installed, almost all software on your system will recognise it (chromium, rekonq etc.). The exception to this is Mozilla software such as the Firefox web browser and Thunderbird email client. Mozilla software has its own certificate database, which has both advantages and disadvantages. For example, if you're using a system where you don't have admin rights, you can still easily import the CAcert root to Firefox. The disadvantage is that if you are an administrator, you can't do a one-stop installation: you have to import it separately to Firefox. To install the certs, open Firefox and navigate to the root certificate downloads page and click on the links for the class 1 and class 3 .pem encoded root certificates. You will be prompted to decide whether to import them or not. To install to Android, follow this tutorial of mine.
Required Email Address
CAcert verifies that you own the domain it is signing a certificate for by sending a verification link to one of the following email addresses:
You therefore need to be able to receive email to one of these addresses. You can set up your own email server, or failing that some domain name registrars provide email forwarding capabilities. If you used my tutorials to set up your email server then you may want to add some aliases to your server so that emails to those addresses above are delivered to your username. Here's how: edit /etc/aliases and add:
postmaster: yourusername
webmaster: yourusername
root: yourusername
Now run this command to load the new aliases:
And reload Postfix:
sudo service postfix reload
Submitting the CSR to CAcert
First things first, you will need to go to the CAcert website and create an account. Please note that CAcert has signed its own SSL certificate, so your browser may throw an error if you haven't imported the root cert yet. After you have created your account and logged in, navigate to server certificates --> new. On your server, use cat to print the Certificate Signing Request (CSR) you created earlier and then copy & paste it into the box:
cat <filename for the CSR>.csr
...and click submit. The result will be displayed on screen, and you will also be emailed the certificate. Copy and paste it into a file with the .crt extension, e.g. using nano:
sudo nano <path to your cert>.crt
...then CTRL+SHIFT+V to paste, CTRL+X, save when prompted. Note: the BEGIN CERTIFICATE and END CERTIFICATE lines are part of the cert, so copy those too!
Certificate File Locations
Assuming your certificates and key file are in your home directory, it's a good idea to move them to the proper locations:
- Your key file should be stored at
- Your certificate file should be stored at
- You can get rid of your CSR, or keep it for reference if you like.
Permissions & Ownership
Your key file is secret. It should be owned by root, and its permissions should be set so that only the root user can read and write it. This command will set it to be owned by root:
sudo chown root:root /etc/ssl/private/samhobbs.key
And this command will set it so that only the root user can read and modify it:
sudo chmod 600 /etc/ssl/private/samhobbs.key
Most services like Apache, Postfix etc. require root privileges to start up. They read the certs when they start and store them in RAM, so that they can still use them when they drop to their normal users (e.g. www-data for Apache). Unlike your key file, your signed certificate file is not a secret (it is sent to users when establishing a secure session). You want all users to be able to read the cert, but only the root user to have write access to it. As before, this command will set it to be owned by root:
sudo chown root:root /etc/ssl/certs/samhobbs.crt
And this command will set it to be readable by everyone, but only modified by root:
sudo chmod 644 /etc/ssl/certs/samhobbs.crt
Some common SSL cert configuration parameters: Apache, Postfix, Dovecot
This section is a quick reference for where to find SSL parameters for Apache, Postfix and Dovecot.
You can tell Apache to use a specific certificate file in your SSL virtualhost configuration (e.g. /etc/apache2/sites-available/default-ssl) with these parameters:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/samhobbs.crt
SSLCertificateKeyFile /etc/ssl/private/samhobbs.key
Then reload Apache:
sudo service apache2 reload
Postfix's SSL cert configuration can be found in
...and reload Postfix:
sudo service postfix reload
Dovecot's SSL configuration is in
ssl_cert = </etc/ssl/certs/samhobbs.crt
ssl_key = </etc/ssl/private/samhobbs.key
NB: the < at the start of the path isn't an error; if you leave it out, Dovecot won't load. Reload Dovecot:
sudo service dovecot reload
Hopefully you found that useful! If you have anything to add or a question, please feel free to leave a comment!
Thank you for all your tutorials!
Here is a question:
In the "Certificate File Locations" chapter, are you sure of:
Your certificate file should be stored at /etc/ssl/certs/samhobbs.csr
Would it be
Your certificate file should be stored at /etc/ssl/certs/samhobbs.crt (or pem)
Certificate File Locations,
How do i move the files to the directory?
sudo mv /path/to/current/location /path/to/desired/location
Sam
Just a heads up. CACert requires that you first add a domain before it will allow you to request a server certificate.
Fantastic articles, by the way!!!! Thanks!!!
Hi Sam, I have a problem during the registration at the CACert site, the error is:
"The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as greylisting. Please try again in a few minutes.
451 4.3.5 : Helo command rejected: Server configuration error"
And I've also noticed that I cannot receive email from external domains on my Pi server.
Do you have any suggestion?
At the moment I'm using a free no-ip account for the dns.
smtpd_helo_restrictions list, make sure you created and postmapped the /etc/postfix/helo_access file and that it contains no spelling mistakes? Sam
Thank you Sam, I've fixed the issue in the main.cf file of Postfix. Now I've installed a cert but there's a new error on SquirrelMail. I can't access my mail, the error is: ERROR: Connection dropped by IMAP server.
So I've checked the dovecot service with this command:
dovecot -c /etc/dovecot/dovecot.conf
and the message that appears is: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 13: ssl_key: Can't open file /etc/ssl/private/serverkey.key: Permission denied
sudo - these daemons start up as root and read those key files into memory before dropping privileges.
sudo dovecot -c /etc/dovecot/dovecot.conf will give you what you were looking for. For the record, what was the error you fixed in the helo access restrictions? I've never seen that one before so it would be good to know exactly what caused it. Sam
The error was a mistake of mine, I had put a semicolon after check_helo_access, like this
The IMAP error still remains when I try to log in, so I've checked the error log file and this is the issue:
revolutionapp dovecot: imap-login: Fatal: Can't load ssl_cert: error:0906D066:PEM routines:PEM_read_bio:bad end line
I've fixed this concatenation mistake in the cert file:
-----END CERTIFICATE----------BEGIN CERTIFICATE----- in
Thank you Sam for your support
It's ironic that when I try and view this page over HTTPS I am getting an invalid certificate error... lol
I have followed your instructions on installing ownCloud and it all works fine - it's up to version 8.2 now.
However, I cannot get HTTPS to go. I followed the instructions here and I get a certificate error in my Internet Explorer (address bar goes red etc.)
I have created keys, got the CAcert signature etc., downloaded the CA root cert as instructed and I am now stuck.
"On Friday, 29th January 2016, the long-planned re-signing of CAcert's root certificate will finally take place. This action has been overdue for quite some time now as several browser and OS vendors have dropped support for MD5-signed certificates or otherwise made such certificates unusable."
Since it's just a few days, your best bet is probably just to wait, so you may find it starts working after then (you may need to re-import the root cert after that date). Sam
According to that page, the re-signing has been delayed, and there is no new date. As of 9th April https://www.cacert.org itself shows an invalid certificate, and amusingly blogs.cacert.org gives an SSL protocol error, so an even more basic problem there.
So it seems to me that any cacert certificate is currently not worth the electrons it's printed on ;-)
Sam thanks for a very clear and easy to follow post.
I currently secure my RPi on my LAN as I use it to control some lighting and other things.
I use a snakeoil cert but Safari doesn't like my cert when trying to do secure web sockets (wss).
I also read that after November 1, 2015 IP/intranet certs won't be trusted.
I'm a cert noob and not sure how to proceed, any pointers?
Thanks in advance
"CAcert only issues certificates for publicly registered DNS domains, it's not possible to get certificates for IP addresses or internal domains (like xxx.local, read FAQ/NoDomainName for further explanations)."
Basically, CAcert can only sign a cert for you if it can validate that you own the domain name. Since .local doesn't resolve outside your LAN it can't do the automated check (plus, many other people have a .local domain too, which you don't control, so CAcert could never give you a cert because it would give you a cert for other people's local domains). What you probably need to do is create your own root cert for your local domain and use it to sign a cert for the Pi, and then install your root cert into all of the client machines. I take it you're using a Mac (you said you were using Safari)? Not sure what you mean by the intranet certs not being trusted, do you have a link to what you were reading? Sam
Sam thanks, found the solution to mobile safari either email or provide link to cert and then install.
This article talks of changes that come into effect Nov 1 2015
"Without unique domain names that can be resolved in the context of the public internet, it is impossible for a Certification Authority to issue a trustworthy certificate. After all, it would work for any server with that name and that creates a security risk. For this reason, the leading Certification Authorities, including Symantec, that make up the Certification Authority/Browser Forum (CA/B Forum) have decided to cease issuing certificates without a Fully Qualified Domain Name (FQDN)."
So, when they say that "SSL certificates on intranet sites with internal server names...may not work from 1 November 2015" what they actually mean is that if one of those certificate authorities did issue you with a certificate in the past, they won't re-issue it. This is a non-issue for CAcert because I don't think they have ever done this. Notice that the article you linked also lists my solution (generate your own root certificate and use it to sign certificates for your local domain, and then install your root cert on each client):
"Use an enterprise/private CA to issue and trust certificates for non-unique names"
Sam
Hi, in "/etc/dovecot/conf.d/10-ssl.conf" at the top..
The "ssl = yes" is commented out, should it be that or should I uncomment it? :)
"Country Name (use a two letter code e.g. GB)
State or Province Name (e.g. Surrey)
Locality Name (e.g. Guildford)
Organisational Name (e.g. Sam Hobbs' Personal Website)
Organisational Unit Name (e.g. Website)
Common Name (your domain name - see note below - e.g. samhobbs.co.uk)
Email Address (the contact address for your administrator e.g. email@example.com)"
After this it asked me to type a password and now I don't think it can access it.
Any way to remove the password?
Where should I generate the certificate? I have done this many, many times but I ain't getting through.. I think it has something to do with the change of where I am when connecting with FTP..
Haha sorry.. I don't understand myself what I meant. But when I installed the FTP server I took the opportunity to change the directory to another when I connect with FTP and apparently it changes even when I connect using SSH.