When you install a Perfect Server based on CentOS and ISPConfig v3.x, the installer creates self-signed certificates for the components. All these certificates will generate different warnings in your browser, mail clients, etc. So it is time to eliminate those warnings.
First I needed to find out where all those certificates are located, and what their formats are. In my case, there are four services that use SSL/TLS in some form:
- Postfix SMTP service
- Courier IMAP service
- http / Apache2 webservice
- ISPConfig (virtual website)
Checking the configuration files will reveal their locations.
In my case:
SMTP certificate:
/etc/postfix/smtpd.cert
/etc/postfix/smtpd.key

Courier IMAP:
TLS_CERTFILE=/usr/lib/courier-imap/share/imapd.pem
TLS_TRUSTCERTS=/etc/pki/tls/cert.pem

Apache:
/etc/pki/tls/certs/localhost.crt
/etc/pki/tls/private/localhost.key

ISPConfig:
/usr/local/ispconfig/interface/ssl/ispserver.crt
/usr/local/ispconfig/interface/ssl/ispserver.key
All certs are in the PEM / BASE64 format, and none of the private key files are password protected (how's that for safety :-) ). The Courier certificate is a PEM file that contains both the private key and the public key in one (text) file with the following format:
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
Just check the original files for the actual format.
I just replaced the original files (after copying them to a .org file just to be sure) with the new versions. Restarting the services made sure that the services served the new certificates.
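The backup-and-replace step for the combined Courier file can be scripted as below. This is an added example, not part of the original post; the function names and the `new.key` / `new.crt` file names are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are illustrative.

# key_matches_cert KEY CERT
# True when the certificate carries the public key that belongs to KEY.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# build_combined_pem KEY CERT OUT
# Writes KEY followed by CERT to OUT (the order shown in the post for imapd.pem).
build_combined_pem() {
    key=$1 cert=$2 out=$3
    # Reject missing or swapped inputs before touching the live file.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 2; }
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "no certificate in $cert" >&2; return 3; }
    if grep -q -e 'PRIVATE KEY-----' "$cert"; then
        echo "$cert also contains a private key" >&2; return 4
    fi
    # Keep the original as OUT.org, and never overwrite an earlier backup.
    if [ -f "$out" ] && [ ! -e "$out.org" ]; then
        cp -p "$out" "$out.org" || return 5
    fi
    # The file holds an unencrypted key: create it owner-only (umask 077).
    # awk 1 re-terminates every line, so a key file without a final newline
    # cannot fuse its END line with the certificate's BEGIN line.
    tmp="$out.tmp.$$"
    ( umask 077; awk 1 "$key" "$cert" > "$tmp" ) || { rm -f "$tmp"; return 6; }
    mv "$tmp" "$out"
}

# Typical call, with the Courier path from the post and hypothetical new.key/new.crt:
#   key_matches_cert new.key new.crt &&
#       build_combined_pem new.key new.crt /usr/lib/courier-imap/share/imapd.pem
```

The service still has to be restarted afterwards to pick up the new file.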
I created my certificates with the excellent open-source tool XCA, in which I also maintain my own Certificate Authority. The advantage is that I only need to trust my own CA, and all certificates created by it will be trusted. An additional advantage of doing it yourself is that you can add as many Subject Alternative Names to the certificate as you like.