1. Create a certificate directory and go there:

   # mkdir /etc/mail/cert
   # cd /etc/mail/cert

2. Create a key for the server, giving a new pass phrase when prompted:

   # openssl genrsa -des3 -out server.key 1024
   # openssl rsa -in server.key -out server.key.open

3. Create a clear-text copy of the key (so it is not pass-phrase-protected), giving the pass phrase when asked:

   # openssl req -new -x509 -days 3650 -key server.key.open -out server.crt

4. Answer the X.509v3 questions appropriately.

5. Make the files root-read-only:

   # chmod 600 server.*

6. Edit /etc/mail/sendmail.cf and add these lines. You should find commented-out versions of these settings in the file, maybe about a third of the way through it.

   O CACertPath=/etc/mail/cert
   O CACertFile=/etc/mail/cert/server.crt
   O ServerCertFile=/etc/mail/cert/server.crt
   O ServerKeyFile=/etc/mail/cert/server.key.open
   O ClientKeyFile=/etc/mail/cert/server.crt

7. Restart sendmail:

   # /etc/init.d/sendmail restart

Alternative method, using sendmail.mc

You can modify sendmail.mc instead of sendmail.cf and have your changes persist through make runs. Thanks to Dave Miller for pointing this out:

   dnl #
   define(`confCACERT_PATH', `/etc/mail/cert')dnl
   define(`confCACERT', `/etc/mail/cert/server.crt')dnl
   define(`confSERVER_CERT', `/etc/mail/cert/server.crt')dnl
   define(`confSERVER_KEY', `/etc/mail/cert/server.key.open')dnl
   define(`confCLIENT_KEY', `/etc/mail/cert/server.crt')dnl
   dnl#
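
An added check for steps 5 and 6 (not part of the original instructions): the function below reads the active ServerKeyFile and ClientKeyFile options from sendmail.cf and reports any referenced file that is missing or accessible to group or other. The function name check_sendmail_keys is an assumption made for this example.

```shell
#!/bin/sh
# Added example: confirm that the key files named in sendmail.cf are
# owner-only, as step 5 (chmod 600) intends.
# Usage: sh check_keys.sh /etc/mail/sendmail.cf

check_sendmail_keys() {
    cf=$1
    rc=0
    [ -r "$cf" ] || { echo "cannot read $cf" >&2; return 2; }

    # Active option lines look like "O ServerKeyFile=/path". Commented-out
    # lines start with "#" and are skipped because the pattern anchors on "^O".
    paths=$(sed -n \
        -e 's/^O[[:space:]]\{1,\}ServerKeyFile=//p' \
        -e 's/^O[[:space:]]\{1,\}ClientKeyFile=//p' "$cf")
    [ -n "$paths" ] || { echo "no ServerKeyFile/ClientKeyFile set in $cf"; return 1; }

    while IFS= read -r key; do
        [ -n "$key" ] || continue
        if [ ! -f "$key" ]; then
            echo "MISSING  $key"
            rc=1
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other bits;
        # -L reports the target's mode if the path is a symlink.
        mode=$(ls -ldL "$key" | cut -c5-10)
        if [ "$mode" = "------" ]; then
            echo "OK       $key"
        else
            echo "EXPOSED  $key (group/other bits: $mode)"
            rc=1
        fi
    done <<EOF
$paths
EOF
    return $rc
}

# Run the check only when a sendmail.cf path is given on the command line.
if [ "$#" -gt 0 ]; then
    check_sendmail_keys "$1"
fi
```

The function returns 0 only when every referenced key file exists and has no group or other permission bits, so it can be run after each edit of sendmail.cf or each regeneration from sendmail.mc.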