CACert and GnuTLS

I haven’t seen this before, so I thought I’d document how to generate a server TLS certificate using CACert. This can be useful if you are running a mail or web server and want an easy, cost-free way to support TLS for integrity and confidentiality. I just re-installed my secondary mail server, and tested this recipe with Exim4 on Debian. See below for a step-by-step howto.

First make sure you have the GnuTLS command line tools installed:

kniv:~# apt-get install gnutls-bin

The next step is to generate a private key:

kniv:/etc/exim4# certtool --generate-privkey --outfile exim.key
Generating a 2048 bit RSA private key...
kniv:/etc/exim4#

You can use --dsa if you want to use DSA instead of RSA, and can change the key size using --bits. The default is 2048-bit RSA, which should be good enough for most people.

The next step is to generate a Certificate Request. CACert only looks at the Common Name field, so I left the rest empty. If you are using some commercial CA, you may need to enter something in the other fields.

kniv:/etc/exim4# certtool --generate-request --load-privkey exim.key --outfile exim.csr
Generating a PKCS #10 certificate request...
Country name (2 chars):
Organization name:
Organizational unit name:
Locality name:
State or province name:
Common name: kniv.josefsson.org
UID:
Enter a challenge password:
kniv:/etc/exim4#

Then log in to CACert, click on ‘Server Certificates’ and then ‘New’. It will ask you to paste in the certificate request. Here you paste in the content of the exim.csr file. CACert will ask you to confirm the hostname. After that it will show a certificate in the resulting web page. Put the certificate in a file exim.crt like this:

kniv:/etc/exim4# cat>exim.crt
-----BEGIN CERTIFICATE-----
[paste the base64 certificate lines shown by CACert here]
-----END CERTIFICATE-----
kniv:/etc/exim4# 

That’s it!

You need to finish the Exim4 configuration. Below ^D means to type ctrl-d.

kniv:/etc/exim4# chgrp Debian-exim exim.key
kniv:/etc/exim4# chmod g+r exim.key
kniv:/etc/exim4# cat>/etc/exim4/conf.d/main/000_local
MAIN_LOG_SELECTOR=+tls_cipher +tls_peerdn
MAIN_TLS_ENABLE=t
^D
kniv:/etc/exim4# update-exim4.conf
kniv:/etc/exim4# /etc/init.d/exim4 restart
Stopping MTA for restart: exim4_listener.
Restarting MTA: exim4.
kniv:/etc/exim4#

You can test the setup by using gnutls-cli. Again, ^D means ctrl-d.

kniv:/etc/exim4# gnutls-cli -s -p 25 kniv.josefsson.org
Resolving 'kniv.josefsson.org'...
Connecting to '195.238.76.189:25'...

- Simple Client Mode:

220 kniv ESMTP Exim 4.69 Thu, 16 Apr 2009 18:10:19 +0200
ehlo foo
250-kniv Hello kniv.josefsson.org [195.238.76.189]
250-SIZE 52428800
250-PIPELINING
250-STARTTLS
250 HELP
starttls
220 TLS go ahead
^D
*** Starting TLS handshake
- Successfully sent 0 certificate(s) to server.
- Ephemeral Diffie-Hellman parameters
 - Using prime: 2056 bits
 - Secret key: 2040 bits
 - Peer's public key: 2048 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'kniv.josefsson.org'.
 # valid since: Thu Apr 16 17:22:41 CEST 2009
 # expires at: Sat Apr 16 17:22:41 CEST 2011
 # fingerprint: 21:C5:4E:60:02:02:93:9A:3B:B6:F0:D6:8E:6B:6C:B0
 # Subject's DN: CN=kniv.josefsson.org
 # Issuer's DN: O=CAcert Inc.,OU=http://www.CAcert.org,CN=CAcert Class 3 Root


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
quit
221 kniv closing connection
- Peer has closed the GNUTLS connection
kniv:/etc/exim4# 
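
The session above completes the TLS handshake but reports the peer certificate as NOT trusted, because gnutls-cli was given no CA root to verify against (its --x509cafile option supplies one). The script below is an added example, not part of the original post: it checks the key file permissions set earlier, confirms that exim.crt carries the public key of exim.key, and flags a transcript in which the chain was not verified. The function names and the sample transcript are constructed for illustration, and the certtool --pubkey-info call assumes a certtool version that supports it.

```shell
#!/bin/sh
# Added example (hypothetical function names); paths and host are the article's.
# The key must be readable by Exim's group and closed to all other users.
check_key_perms() {
    key=$1; want_group=$2
    [ -f "$key" ] || { echo "FAIL: $key is not a regular file"; return 1; }
    set -- $(ls -ld "$key")            # $1 = mode string, $4 = group name
    case $1 in
        -??????---*) ;;
        *) echo "FAIL: $key is accessible to other users ($1)"; return 1 ;;
    esac
    case $1 in
        -???r*) ;;
        *) echo "FAIL: group cannot read $key ($1)"; return 1 ;;
    esac
    [ "$4" = "$want_group" ] || { echo "FAIL: group is $4, not $want_group"; return 1; }
}

# Print the PEM public key of a private key or certificate (uses certtool).
pubkey_pem() {    # $1: --load-privkey or --load-certificate, $2: file
    certtool --pubkey-info "$1" "$2" 2>/dev/null |
        sed -n '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/p'
}

# The certificate pasted from CACert must carry the public key of exim.key.
key_matches_cert() {
    k=$(pubkey_pem --load-privkey "$1")
    c=$(pubkey_pem --load-certificate "$2")
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "FAIL: $2 does not match $1"; return 1; }
}

# Read a gnutls-cli transcript (format as shown above) on stdin and flag a
# handshake that completed without the certificate chain being verified.
audit_transcript() {
    awk -v host="$1" '
        /hostname in the certificate matches/ && index($0, "\047" host "\047") { ok = 1 }
        /certificate issuer is unknown/ { print "FAIL: issuer unknown, no CA root loaded"; bad = 1 }
        /certificate is NOT trusted/ { print "FAIL: chain was not verified"; bad = 1 }
        END { if (!ok) { print "FAIL: no hostname match for " host; bad = 1 }
              exit bad + 0 }'
}

sample_transcript() {    # constructed from the session shown above
    printf '%s\n' " # The hostname in the certificate matches 'kniv.josefsson.org'." \
        "- Peer's certificate issuer is unknown" "- Peer's certificate is NOT trusted"
}

# Usage: sh tlscheck.sh /etc/exim4/exim.key /etc/exim4/exim.crt Debian-exim
if [ $# -eq 3 ]; then check_key_perms "$1" "$3" && key_matches_cert "$1" "$2" && echo "pair OK"; fi
```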

5 Replies to “CACert and GnuTLS”

  1. Thanks for the tip! Glad to know about CACert. One bit of confusion for me. The options for my ldap server are for a TLSCACertificateFile, a TLSCertificateFile, and a TLSCertificateKeyFile. I think that CACert creates the TLSCACertificateFile, but not sure where the TLSCertificateFile comes from.

    thanks,
    maria

  2. The file for the TLSCACertificateFile keyword should be the public CA certificate, which you can get from CAcert:

    http://www.cacert.org/index.php?id=3

    My writeup above explains how to generate the file for the TLSCertificateFile and TLSCertificateKeyFile files. The first is the exim.crt file and the latter is the exim.key file, respectively.