Open with table of contents

Create a self-signed TLS certificate

If you do not want to purchase a digital certificate from a third-party certificate authority (CA), or if you want to use digital signing immediately, you can create your own self-signed certificate.

  Self-signed certificates are not recommended for production use.

Before you begin

Follow the instructions to Create a TLS private key and Certificate Signing Request (CSR).

Once you have done that, you will have the following two files in the /root directory of the Email Gateway :

File name Description
emailgateway.key Your private key.
emailgateway.csr Your Certificate Signing Request.

Self-sign the certificate

  1. Connect to the Email Gateway using SSH
    1. Enable network access for your computer to the Email Gateway using SSH (Secure Shell).
    2. From your computer, connect to the Email Gateway using an SSH utility such as PuTTY for Windows.
    3. At the login as prompt, type cs-admin.
    4. At the password prompt, type the cs-admin password that you created during the initial Email Gateway setup.

      The default cs-admin password is password.

    5. On the Clearswift Server Console menu, select Open Terminal Session, and then press OK.
    6. Re-enter your cs-admin password at the password prompt.
    7. At the $ prompt, type the following command:

      sudo su -

      Once you re-enter your cs-admin password at the password prompt, you can now enter commands with root privileges.

  2. Create a Certificate Authority (CA) on the Email Gateway.
    1. At the # prompt, create a subdirectory /tmp/CA by typing the following command:

      mkdir /tmp/CA

    2. Switch to the /tmp/CA subdirectory:

      cd /tmp/CA

    3. Use the OpenSSL utility to create the CA's private key:

      openssl genrsa -out CA.key 4096

    4. Create the CA's signing certificate:

      openssl req -new -key CA.key -x509 -days 1095 -out CA.crt -sha256

      This command will prompt for the following X.509 attributes of the signing certificate:

    5. List the files in the current directory (type ls) to confirm that the signing certificate (CA.crt) and CA private key (CA.key) files are present in the /tmp/CA directory.

      If the files are present, you have successfully created a Certificate Authority on the Email Gateway.

  3. Self-sign the TLS certificate

    You can now self-sign your TLS certificate by using the Email Gateway CA to authorize the TLS Certificate Signing Request (CSR) that you previously created.

    1. Copy the CSR file emailgateway.csr to the /tmp/CA directory by typing the following command:

      cp /root/emailgateway.csr .

    2. Type ls to confirm that the CSR file emailgateway.csr is present in the /tmp/CA directory.
    3. Authorise the TLS Certificate Signing Request:

      openssl x509 -req -days 365 -in emailgateway.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out emailgateway.crt

    4. List the files in the current directory (type ls) to confirm that the signed certificate file emailgateway.crt is present in the /tmp/CA directory.

When you have finished

You now have three TLS certificate and private key files that you can import into the Email Gateway using the web interface:

File name Description Directory
emailgateway.key Your private key. /root
emailgateway.crt The self-signed TLS certificate. /tmp/CA
CA.crt The Email Gateway CA's signing certificate /tmp/CA

Once you finish setting up your self-signed certificates, you can log out by typing logout twice. This returns you to the Clearswift Server Console menu, which you can exit by pressing Exit.

See also...

© 1995–2018 Clearswift Ltd.