Until now I’ve relied upon the private keys that were already installed when I got my VPS. This, of course, is insecure since they might have been compromised, meaning, nobody knows where that private key came from.
So I decided it was time to create some keys of my own. Here’s the procedure. First, let’s create some private space in our home folder for extra security:
Next, create a secure private key, make sure you give it a good strong pass phrase and don’t forget it:
Now we derive a key from the secure key, but this time we don’t use a pass phrase:
The next step we know: create a Certificate Signing Request. CACert.org only cares about the CommonName so the other fields can be ignored. When asked to enter [YOUR name] you enter the name of your host, ie. example.com:
As before, copy paste this server.csr into cacert.org’s form, wait, and copy-paste the result from cacert into a new file called server.pem. I’ve moved the (insecure) server.key and the final server.pem into etc/ssl/private/ and etc/ssl/certs/ respectively. Make sure only root has read access for server.key!
Last step: reconfigure Webmin, Apache and Dovecot to use the new key and certificate. And Postfix.