CAcert is a certification authority that provides free certificates; I guess using them is much better than having your own local CA.
We need to download the CAcert root certificate and install it on the server.
# mkdir /etc/pki/postfix
# wget -nv https://www.cacert.org/certs/root.crt --no-check-certificate -O /etc/pki/postfix/root.crt
* Verify the certificate
# openssl x509 -in /etc/pki/postfix/root.crt -text -noout
The output should look like this
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar 30 12:29:49 2003 GMT
            Not After : Mar 29 12:29:49 2033 GMT
        Subject: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (4096 bit)
                Modulus (4096 bit):
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
            X509v3 Authority Key Identifier:
                keyid:16:B5:32:1B:D4:C7:F3:E0:E6:8E:F3:BD:D2:B0:3A:EE:B2:39:18:D1
                DirName:/O=Root CA/OU=http://www.cacert.org/CN=CA Cert Signing Authority/emailAddress=support@cacert.org
                serial:00
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 CRL Distribution Points:
                URI:https://www.cacert.org/revoke.crl
            Netscape CA Revocation Url:
                https://www.cacert.org/revoke.crl
            Netscape CA Policy Url:
                http://www.cacert.org/index.php?id=10
            Netscape Comment:
                To get your own certificate for FREE head over to http://www.cacert.org
    Signature Algorithm: md5WithRSAEncryption
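Because the download above uses --no-check-certificate, the text dump alone does not show that the file is the genuine root. The following is an added example, not part of the original page: it installs a downloaded root only if its SHA-256 fingerprint matches a value obtained over a separate channel. The function names are hypothetical, and the demo runs on a constructed self-signed certificate whose own fingerprint stands in for the out-of-band value.

```shell
#!/bin/sh
# Added example (not from the original page): only install a downloaded root
# certificate if it matches a fingerprint obtained over a separate channel.

# Print a PEM certificate's SHA-256 fingerprint as bare uppercase hex.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Succeed only if the fingerprint of $1 equals the expected value $2.
# Colons, spaces and letter case in the expected value are ignored.
root_matches_pin() {
    want=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$want" ] && [ "$(cert_fp "$1")" = "$want" ]
}

# Copy $1 to $2 only when it matches the pin $3; otherwise leave $2 untouched.
install_root_if_pinned() {
    if root_matches_pin "$1" "$3"; then
        cp "$1" "$2" && chmod 644 "$2"
    else
        echo "fingerprint mismatch, not installing $1" >&2
        return 1
    fi
}

# Demo on a constructed self-signed certificate standing in for root.crt.
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test Root" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/download.crt" 2>/dev/null
# Placeholder pin: in real use this comes from a trusted out-of-band source.
pin=$(cert_fp "$demo_dir/download.crt")
install_root_if_pinned "$demo_dir/download.crt" "$demo_dir/root.crt" "$pin" &&
    echo "installed root with fingerprint $pin"
```

In real use, download to a temporary path first and pass /etc/pki/postfix/root.crt as the destination, so a mismatching file never reaches the Postfix directory.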
# cd /etc/pki/postfix
# openssl req -nodes -days 700 -newkey rsa:2048 -keyout key.pem -out req.pem
The signing request is in the file req.pem.
Next you need to log in to the cacert.org website, go to “server certificates” then “New”, paste the contents of req.pem into the text box provided, and click submit. A certificate will be generated.
Copy the certificate and paste it into the file /etc/pki/postfix/server.pem.
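Before Postfix is pointed at these files, it is worth confirming that server.pem carries the same public key as key.pem and that it verifies against root.crt. The following is an added example, not part of the original page: the function names are hypothetical, and a constructed throwaway CA plays the part of CAcert so the checks run offline.

```shell
#!/bin/sh
# Added example (not from the original page): checks on key.pem, req.pem and
# server.pem before Postfix is pointed at them.

# Print the public key (PEM) carried by a private key, CSR or certificate.
pub_pem() {   # $1 = key|req|cert   $2 = file
    case "$1" in
        key)  openssl pkey -in "$2" -pubout 2>/dev/null ;;
        req)  openssl req  -in "$2" -noout -pubkey 2>/dev/null ;;
        cert) openssl x509 -in "$2" -noout -pubkey 2>/dev/null ;;
    esac
}

# Succeed only if both files carry the same, non-empty public key.
same_pubkey() {   # $1 type  $2 file  $3 type  $4 file
    a=$(pub_pem "$1" "$2") && b=$(pub_pem "$3" "$4") &&
        [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the size in bits of a private key (first line of the text dump).
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n '1s/[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# Succeed if certificate $2 verifies with $1 supplied as a trust anchor.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed stand-ins: a throwaway CA plays the part of CAcert.
d=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/root.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$d/key.pem" -out "$d/req.pem" 2>/dev/null
openssl x509 -req -in "$d/req.pem" -CA "$d/root.crt" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -out "$d/server.pem" 2>/dev/null

same_pubkey key "$d/key.pem" req "$d/req.pem"     && echo "CSR matches key"
same_pubkey key "$d/key.pem" cert "$d/server.pem" && echo "certificate matches key"
chains_to_root "$d/root.crt" "$d/server.pem"      && echo "verifies against root"
echo "key size: $(key_bits "$d/key.pem") bits"
```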