I’m working on a PHP encryption library called Kickass Crypto.
So I was getting errors like this in syslog:
Jul 6 17:35:53 integrity systemd: Started Dovecot IMAP/POP3 email server.
Jul 6 17:35:53 integrity dovecot: doveconf: Fatal: Error in configuration file /etc/dovecot/conf.d/10-ssl.conf line 79: ssl_dh: Can't open file /etc/dovecot/dh.pem: No such file or directory
Jul 6 17:35:53 integrity systemd: dovecot.service: Main process exited, code=exited, status=89/n/a
Jul 6 17:35:53 integrity systemd: dovecot.service: Failed with result 'exit-code'.
This failure was affecting other parts of my system (i.e. postfix SASL).
The solution was to generate the dh.pem file:
root@integrity:/etc/dovecot # openssl dhparam -out dh.pem 4096
To generate an SSL private key for use with MySQL/MariaDB and PDO:
openssl genrsa -out client-key.pem 4096
From The Most Common OpenSSL Commands, to view a certificate:
openssl x509 -text -noout -in certificate.crt
For CSR generation for PositiveSSL and PositiveSSL WildCard with Apache2/OpenSSL, see CSR Generation: Using OpenSSL (Apache w/mod_ssl, NGINX, OS X):
openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr
To generate the CA bundle, see this article:
cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > your_domain.ca-bundle
Found a list of Useful OpenSSL Commands today. Mostly I wanted to get the subject out of a cacert.pem file, which I wasn’t sure of:
openssl x509 -text -noout -in hostcert.pem
Found a helpful article today, The Most Common OpenSSL Commands.
The particular command I needed wasn’t listed there though. What I needed to do was examine the contents of my Certificate Revocation List (CRL). I had a problem connecting to my website because it was complaining about an expired certificate, and the culprit was indeed the CRL, as I discovered when I ran:
$ openssl crl -inform DER -in ca.crl -text -noout
Note that -inform takes PEM or DER (a binary .crl file is DER); the nextUpdate field in the output is when the CRL stops being valid.
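One way to script the checks from these posts (pulling the subject out of a certificate, and inspecting a CRL and catching the expired-CRL failure described here), as an added example that is not part of the original posts: the functions wrap the openssl commands quoted above, and make_demo_pki builds a throwaway CA, one leaf certificate and a CRL in a scratch directory so everything runs offline. All names in it (Demo CA, leaf.example, the directory layout, the ca.cnf contents) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original posts. Helpers around the openssl
# commands quoted above, plus a throwaway CA built in a scratch directory
# so the checks can be exercised offline. All names and paths are made up.
set -e

# Print the subject of a PEM certificate (what the cacert.pem post wanted).
cert_subject() {
    openssl x509 -noout -subject -in "$1"
}

# Succeed if the certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# Work out -inform for a CRL: PEM files open with a "-----BEGIN" banner,
# anything else is treated as DER. openssl accepts PEM or DER here.
crl_inform() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then echo PEM; else echo DER; fi
}

# Print the CRL's nextUpdate, i.e. when it stops being acceptable.
crl_next_update() {
    openssl crl -inform "$(crl_inform "$1")" -in "$1" -noout -nextupdate |
        sed 's/^nextUpdate=//'
}

# Verify leaf $3 against CA $1 with revocation checking against CRL $2.
# A stale CRL makes this fail with "CRL has expired", the symptom above.
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1
}

# Build a demo CA, one leaf certificate and a CRL under $1; the CRL's
# nextUpdate is $2 seconds away. Constructed test data only.
make_demo_pki() {
    dir=$1; crlsec=$2
    mkdir -p "$dir"; : > "$dir/index.txt"; echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj '/CN=Demo CA' \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj '/CN=leaf.example' \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -sha256 -out "$dir/leaf.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -crlsec "$crlsec" -out "$dir/ca.crl" 2>/dev/null
    # A DER copy, the encoding a .crl downloaded from a CA usually has.
    openssl crl -in "$dir/ca.crl" -outform DER -out "$dir/ca.der.crl"
}

# Demo: a CRL that is valid for one second, then the verification failure.
main() {
    work=$(mktemp -d)
    make_demo_pki "$work" 1
    echo "CA subject: $(cert_subject "$work/ca.pem")"
    echo "CRL nextUpdate: $(crl_next_update "$work/ca.der.crl")"
    sleep 2
    if out=$(verify_with_crl "$work/ca.pem" "$work/ca.crl" "$work/leaf.pem"); then
        echo "chain OK"
    else
        echo "chain rejected: $out"
    fi
    rm -rf "$work"
}
if [ "${1:-}" = demo ]; then main; fi
```

Run it as `sh openssl-checks.sh demo` to see the expired-CRL rejection; the point of crl_inform is that -inform must be PEM or DER, so the helper picks one from the file's first bytes instead of guessing from the extension.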
Reading the OpenSSL FAQ I learned that you can issue the following command to get a list of the acceptable client certificate CA names from a server:
openssl s_client -connect test.jj5.net:443 -prexit
Obviously you replace ‘test.jj5.net’ with whatever server you’re interested in.