Subject: How to renew and install SSL certificate for Virtualmin/Webmin, Apache web server, Dovecot and Postfix for a company in Singapore on 6 Dec 2021 Mon
Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
Country: Singapore
Date: 6 Dec 2021 Monday Singapore Time
Type of Publication: Plain Text
Document Version: 20211206.01

DETAILED INSTRUCTIONS
=====================

Section 1: Generate Certificate Signing Request (CSR)
=====================================================

Putty/SSH into your Linux server.

# cd /root
# mkdir teo-en-ming-6dec2021
# openssl req -new -newkey rsa:2048 -nodes -keyout 2022.key -out 2022.csr
Generating a 2048 bit RSA private key
........................+++
................+++
writing new private key to '2022.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:SG
State or Province Name (full name) []:Singapore
Locality Name (eg, city) [Default City]:Singapore
Organization Name (eg, company) [Default Company Ltd]:Teo En Ming Corporation
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []:*.teo-en-ming-corp.com
Email Address []:c...@teo-en-ming-corp.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# mv 2022.* teo-en-ming-6dec2021/
# cd teo-en-ming-6dec2021/

Displaying the contents of the CSR.

# cat 2022.csr
-----BEGIN CERTIFICATE REQUEST-----
Blah blah blah
-----END CERTIFICATE REQUEST-----

IMPORTANT NOTICE
================

How to submit the CSR to your commercial certificate authority and how to generate SSL server certificate is beyond the scope of this tutorial. Instructions will be provided by your commercial certificate authority.

Section 2: Installing SSL certificate in Virtualmin/Webmin
==========================================================

Log in to Virtualmin.

Click Server Configuration > SSL Certificate

# cd /root/teo-en-ming-6dec2021
# nano 2022.crt

Paste the SSL certificate generated by your commercial certificate authority as below.

-----BEGIN CERTIFICATE-----
Blah blah blah
-----END CERTIFICATE-----

Displaying the contents of the secret key.

# cat 2022.key
-----BEGIN PRIVATE KEY-----
Blah blah blah
-----END PRIVATE KEY-----

# cd /root/teo-en-ming-6dec2021/
# cp 2022.* /home/teo-en-ming-corp

Click Server Configuration > SSL Certificate > Update Certificate and Key

New certificate details
=========================

Signed SSL certificate: Click "File on server": /home/teo-en-ming-corp/2022.crt

Matching private key: "File on server": /home/teo-en-ming-corp/2022.key

Private key password: Click "None needed"

Click "Install Now"

Section 3: Installing SSL Certificate on Apache Web Server
===========================================================

After you have performed the steps in Section 2 above, the SSL certificate for the Apache web server will also be renewed automatically.

Section 4: Installing SSL Certificate on Dovecot IMAP and POP3 Incoming Mail Server
====================================================================================

# cat /home/teo-en-ming-corp/intermediate_domain_ca.crt
-----BEGIN CERTIFICATE-----
Blah blah blah
-----END CERTIFICATE-----

# cd /etc/dovecot
# cp dovecot.conf dovecot.conf.6dec2021
# nano dovecot.conf

local_name teo-en-ming-corp.com {
  ssl_cert = </home/teo-en-ming-corp/2022.crt
  ssl_key = </home/teo-en-ming-corp/2022.key
  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt
}
local_name www.teo-en-ming-corp.com {
  ssl_cert = </home/teo-en-ming-corp/2022.crt
  ssl_key = </home/teo-en-ming-corp/2022.key
  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt
}
local_name autoconfig.teo-en-ming-corp.com {
  ssl_cert = </home/teo-en-ming-corp/2022.crt
  ssl_key = </home/teo-en-ming-corp/2022.key
  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt
}
local_name autodiscover.teo-en-ming-corp.com {
  ssl_cert = </home/teo-en-ming-corp/2022.crt
  ssl_key = </home/teo-en-ming-corp/2022.key
  ssl_ca = </home/teo-en-ming-corp/intermediate_domain_ca.crt
}

Restart Dovecot.

# service dovecot restart

Section 5: Verifying SSL Certificate on Dovecot IMAP Server
============================================================

Reference Guide: How to verify that SSL for IMAP/POP3/SMTP works and a proper SSL certificate is in use

Link: https://support.plesk.com/hc/en-us/articles/213961665-How-to-verify-that-SSL-for-IMAP-POP3-SMTP-works-and-a-proper-SSL-certificate-is-in-use

[1] https://www.sslshopper.com/ssl-checker.html#hostname=smtp.gmail.com:465

[2] https://ssl-tools.net/mailservers

[3] IMAPS test: openssl s_client -showcerts -connect mail.teo-en-ming-corp.com:993 -servername mail.teo-en-ming-corp.com [tested command]

[4] POP3S test: openssl s_client -showcerts -connect mail.teo-en-ming-corp.com:995 -servername mail.teo-en-ming-corp.com [tested command]

[5] https://www.sslshopper.com/certificate-decoder.html <=== use this link to decode your base64 SSL certificate after running Linux command [3] and [4] above

Section 6: Installing SSL Certificate on Postfix SMTP Server
============================================================

# cd /root/teo-en-ming-6dec2021/
# cp 2022.* /etc/postfix/
# nano /etc/postfix/main.cf

smtpd_tls_cert_file = /etc/postfix/2022.crt
smtpd_tls_key_file = /etc/postfix/2022.key
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache

# nano /etc/postfix/master.cf

submission inet n - n - - smtpd
smtps inet n - n - - smtpd

Firewall Rules you need in /etc/sysconfig/iptables
===================================================

-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 465 -j ACCEPT
-A INPUT ! -i lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT
-A OUTPUT ! -o lo -p tcp -m state --state NEW -m tcp --dport 587 -j ACCEPT

[Untested] troubleshooting commands
===================================

(Port 465 uses implicit TLS, so -starttls is not used on that port.)

openssl s_client -connect mail.teo-en-ming-corp.com:25 -servername mail.teo-en-ming-corp.com -starttls smtp

openssl s_client -connect mail.teo-en-ming-corp.com:465 -servername mail.teo-en-ming-corp.com

openssl s_client -connect mail.teo-en-ming-corp.com:587 -servername mail.teo-en-ming-corp.com -starttls smtp

openssl s_client -connect example.com:[port] -servername example.com

Restart Postfix.

# service postfix restart

Section 7: Verifying SSL Certificate on Postfix SMTP Server
============================================================

[1] SMTPS test: openssl s_client -showcerts -connect mail.teo-en-ming-corp.com:465 -servername mail.teo-en-ming-corp.com [tested command]

[2] SMTP submission (STARTTLS) test: openssl s_client -starttls smtp -showcerts -connect mail.teo-en-ming-corp.com:587 -servername mail.teo-en-ming-corp.com [tested command]

[3] https://www.sslshopper.com/certificate-decoder.html <=== use this link to decode your base64 SSL certificate after running Linux command [1] and [2] above

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 6 Dec 2021, is a TARGETED INDIVIDUAL living in Singapore.
He is an IT Consultant with a Systems Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.
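
Added example (not part of the original guide): checks to run on the files from Sections 2, 4 and 6 before restarting Dovecot and Postfix. They confirm that the key matches the certificate, that the certificate is not about to expire, that the chain verifies with the intermediate, and that each hostname used in a local_name block is covered by a name in the certificate; a wildcard such as *.teo-en-ming-corp.com does not cover the bare domain unless the CA also listed it. Function names are hypothetical, and the openssl command line tool is assumed.

```shell
# Added example, not part of the original guide; function names are hypothetical.
# True when HOST is covered by PATTERN. A wildcard matches exactly one
# left-most label, so *.example.com does not cover example.com itself.
cert_name_matches() {
    cnm_pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    cnm_host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$cnm_pat" in
        \*.*)
            cnm_suffix=${cnm_pat#\*}             # e.g. ".example.com"
            cnm_left=${cnm_host%"$cnm_suffix"}   # what precedes the suffix
            [ "$cnm_left" != "$cnm_host" ] && [ -n "$cnm_left" ] &&
                [ "${cnm_left#*.}" = "$cnm_left" ] ;;
        *) [ "$cnm_pat" = "$cnm_host" ] ;;
    esac
}

# Print the DNS subjectAltName entries of a PEM certificate, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# True when at least one SAN in certificate $1 covers host $2.
cert_covers_host() {
    cert_dns_names "$1" | ( while IFS= read -r cch_name; do
        cert_name_matches "$cch_name" "$2" && exit 0
    done; exit 1 )
}

# True when certificate $1 and private key $2 hold the same public key.
cert_matches_key() {
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# check_install CERT KEY CHAIN HOST... ; the return status is the failure count.
check_install() {
    ci_cert=$1; ci_key=$2; ci_chain=$3; ci_fail=0; shift 3
    ci_bad() { echo "FAIL: $1"; ci_fail=$((ci_fail + 1)); }
    cert_matches_key "$ci_cert" "$ci_key" || ci_bad "key does not match certificate"
    openssl x509 -in "$ci_cert" -noout -checkend 2592000 >/dev/null ||
        ci_bad "certificate expires within 30 days"
    openssl verify -untrusted "$ci_chain" "$ci_cert" >/dev/null 2>&1 ||
        ci_bad "chain does not verify"
    for ci_host in "$@"; do
        cert_covers_host "$ci_cert" "$ci_host" || ci_bad "no SAN covers $ci_host"
    done
    return "$ci_fail"
}
```

After sourcing the file, call check_install with 2022.crt, 2022.key, intermediate_domain_ca.crt and then the four local_name hostnames from Section 4; an exit status of 0 means every check passed.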