Create your key (mail.saic.key) and your request (mail.saic.csr):
openssl req -new -newkey rsa:4096 -nodes -subj '/CN=mail.saic.it/O=SAIC, Inc./C=IT/ST=Italy/L=Viadana' -keyout mail.saic.key -out mail.saic.csr
Go to this website and follow the instructions to get back the certificate for your Common Name (mail.saic.it) and the authority certificate:
Certificate Authority https://www.sslforfree.com
I configured my DNS.
I set all file permissions
chmod 444 mail.saic.*
# the private key must stay readable by its owner only
chmod 400 mail.saic.key
then vim /etc/postfix/main.cf
smtp_tls_key_file = /etc/ssl/certs/mail.saic.key
smtp_tls_cert_file = /etc/ssl/certs/mail.saic.crt
smtp_tls_CAfile = /etc/ssl/certs/saic.sslforfree.ca
Here is the console for renewing the certificate
great!!
It can be useful to check a certificate and key before applying them to your server. The following commands help verify the certificate, key, and CSR (Certificate Signing Request).
Check a certificate
Check a certificate and return information about it (signing authority, expiration date, etc.):
openssl x509 -in server.crt -text -noout
Check a key
Check the SSL key and verify the consistency:
openssl rsa -in server.key -check
Check a CSR
Verify the CSR and print CSR data filled in when generating the CSR:
openssl req -text -noout -verify -in server.csr
Verify that a certificate and key match
These two commands print out md5 checksums of the certificate and key; the checksums can be compared to verify that the certificate and key match.
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
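An added example, not from the original page: a shell version of the same pre-deployment check that compares the public keys themselves instead of MD5 sums of the RSA modulus, so it also works for EC keys, and that checks the key file is closed to group and other. The function names, file names and the demo.example subject are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a certificate/key pair.

# Succeeds only if the certificate's public key equals the key's public key.
# Returns 2 when either file cannot be parsed, so a bad file never "matches".
cert_matches_key() {    # usage: cert_matches_key CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if group and other have no permission bits on the key file.
key_is_private() {      # usage: key_is_private KEY
    perms=$(ls -ldL "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Constructed sample input: a throwaway RSA key with its self-signed
# certificate, plus an unrelated EC key (2048-bit RSA only to keep it fast).
make_samples() {        # usage: make_samples DIR
    openssl req -x509 -sha256 -nodes -days 1 -newkey rsa:2048 \
        -subj '/CN=demo.example' -keyout "$1/a.key" -out "$1/a.crt" 2>/dev/null &&
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -out "$1/b.key" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir" || return 1
    chmod 400 "$dir/a.key"   # owner-only, as a private key should be
    chmod 444 "$dir/b.key"   # readable by everyone, to show the failing case
    for key in a.key b.key; do
        if cert_matches_key "$dir/a.crt" "$dir/$key"; then m=match; else m=MISMATCH; fi
        if key_is_private "$dir/$key"; then p=private; else p=TOO-OPEN; fi
        echo "a.crt vs $key: $m, $p"
    done
    rm -rf "$dir"
}

demo
```
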
Self Signed Certificate : Commands
Create a private key
openssl genrsa -out server.key 4096
Generate a new private key and certificate signing request
openssl req -out server.csr -new -newkey rsa:4096 -nodes -keyout server.key
Generate a self-signed certificate
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout server.key -out server.crt
Generate a certificate signing request (CSR) for an existing private key
openssl req -out server.csr -key server.key -new
Generate a certificate signing request based on an existing certificate
openssl x509 -x509toreq -in server.crt -out server.csr -signkey server.key
Remove a passphrase from a private key
openssl rsa -in server.pem -out newserver.pem
Parse a list of revoked serial numbers
openssl crl -inform DER -text -noout -in list.crl
Check a certificate signing request (CSR)
openssl req -text -noout -verify -in server.csr
Check a private key
openssl rsa -in server.key -check
Check a public key
openssl rsa -inform PEM -pubin -in pub.key -text -noout
openssl pkey -inform PEM -pubin -in pub.key -text -noout
Check a certificate
openssl x509 -in server.crt -text -noout
openssl x509 -in server.cer -text -noout
Check a PKCS#12 file (.pfx or .p12)
openssl pkcs12 -info -in server.p12
Verify a private key matches a certificate
openssl x509 -noout -modulus -in server.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
openssl req -noout -modulus -in server.csr | openssl md5
Display all certificates including intermediates
openssl s_client -showcerts -connect www.paypal.com:443
Convert a DER file (.crt .cer .der) to PEM
openssl x509 -inform der -in server.cer -out server.pem
Convert a PEM file to DER
openssl x509 -outform der -in server.pem -out server.der
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in server.pfx -out server.pem -nodes
Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12)
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt -certfile CACert.crt
Convert private key into pem
openssl rsa -in private.key -text > private.pem
Verifying that a Certificate is issued by a CA
$ openssl verify -verbose -CAfile cacert.pem server.crt
server.crt: OK
my procedure to create a new certificate:
create a key and request:
openssl req -out ispconfig.saic.csr -new -newkey rsa:4096 -nodes -keyout ispconfig.saic.key
chmod 444 ispconfig.saic.*
# the private key must stay readable by its owner only
chmod 400 ispconfig.saic.key
put the csr into the web site to obtain the crt certificate + ca certificate
convert the key : openssl rsa -in ispconfig.saic.key -text > ispconfig.saic.pem (when pem is requested)
my procedure to renew