Knowledgebase:
Generating user certificates with openssl
Posted by Ondrej Vanek, Last modified by Ondrej Vanek on 11 December 2015 08:32 AM

The following article describes how to generate user certificates for signing or encrypting the email of a user on your mail server. If you create your own CA, you can also import the certificates into users' web browsers and use them as a second authentication factor for connecting to user accounts, which is actually the most secure way to use IceWarp Server. On Windows-based systems, download the binaries and run openssl.exe. On Linux, check that you are using the latest OpenSSL version.

1. The first step is to generate the private key and the CSR. The -des3 option encrypts the key with a password; you will be asked for that password each time you work with %username%.key, e.g. when exporting the signed certificate to PKCS#12 format or importing it into the user's account or browser.

openssl> genrsa -des3 -out %username%.key 2048

openssl> req -new -key %username%.key -out %username%.csr

While generating the CSR you will be asked for various details; the most important ones must match reality:

Common Name (eg, YOUR name) []: full name

Email Address []: email@address


2. Create a v3.ext file, which could contain the following text (search Google for more information):

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

3. Now sign the CSR with the CA you created in this article:


openssl> x509 -req -days 1024 -in %username%.csr -extfile v3.ext -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out %username%.crt -setalias "%Username%'s E-Mail Certificate" -addtrust emailProtection -addreject clientAuth -addreject serverAuth -trustout

4. Now export the certificate into PKCS#12 form:


openssl> pkcs12 -export -in %username%.crt -inkey %username%.key -out %username%.p12 -name "%username% pkcs12"

5. Now you can provide the password-encrypted %username%.p12 file to the user (in a secure way!). The user can upload the p12 certificate in WebClient under vCard - My Details > Certificates, and under Options > Accounts > Private certificates for email signing and encryption. If you have enabled dual authentication for WebClient, the certificate must also be imported into the browser (Settings / Certificates / Your certificates / Import; the exact location depends on the browser).
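The whole procedure above (steps 1 to 4) run non-interactively, as an added example that is not part of the original article or of IceWarp's own tooling. It assumes openssl is in PATH; the user name, passphrases, subject and the throwaway test CA (standing in for the rootCA.pem/rootCA.key from the linked article) are constructed placeholders, the key is encrypted with AES-256 instead of -des3, and the trust-attribute options (-setalias, -addtrust, -trustout) are left out. After exporting, it runs the checks an administrator would want before handing the .p12 file out: the certificate chains to the CA, is not a CA certificate, carries the keyUsage from v3.ext, and the bundle rejects a wrong passphrase.

```shell
#!/bin/sh
# Added example, not the article's own script. Assumes openssl in PATH.
set -eu

USERNAME="jdoe"                    # constructed placeholder for %username%
KEY_PASS="key-passphrase-CHANGEME" # constructed passphrase protecting jdoe.key
P12_PASS="p12-passphrase-CHANGEME" # constructed passphrase protecting jdoe.p12

# Runs steps 1-4 in a fresh temporary directory and prints that directory.
make_user_cert() {
  work=$(mktemp -d)
  cd "$work"

  # Throwaway CA standing in for rootCA.pem / rootCA.key from the linked article.
  openssl req -x509 -batch -newkey rsa:2048 -nodes -keyout rootCA.key \
    -out rootCA.pem -days 365 -subj "/CN=Example Test CA" 2>/dev/null

  # Step 1: passphrase-protected private key (AES-256 here) and the CSR.
  openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$USERNAME.key" 2048 2>/dev/null
  openssl req -new -batch -key "$USERNAME.key" -passin "pass:$KEY_PASS" \
    -out "$USERNAME.csr" -subj "/CN=John Doe/emailAddress=jdoe@example.com"

  # Step 2: the article's v3.ext; CA:FALSE keeps the user cert from acting as a CA.
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' > v3.ext

  # Step 3: sign the CSR with the CA, applying the extensions from v3.ext.
  openssl x509 -req -days 1024 -in "$USERNAME.csr" -extfile v3.ext \
    -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out "$USERNAME.crt" 2>/dev/null

  # Step 4: bundle certificate and key into a passphrase-protected PKCS#12 file.
  openssl pkcs12 -export -in "$USERNAME.crt" -inkey "$USERNAME.key" \
    -passin "pass:$KEY_PASS" -out "$USERNAME.p12" -name "$USERNAME pkcs12" \
    -passout "pass:$P12_PASS"

  # Checks before the file is handed to the user (any failure aborts via set -e).
  openssl verify -CAfile rootCA.pem "$USERNAME.crt" >/dev/null              # chains to the CA
  openssl x509 -in "$USERNAME.crt" -noout -text | grep -q 'CA:FALSE'         # not a CA cert
  openssl x509 -in "$USERNAME.crt" -noout -text | grep -q 'Digital Signature' # keyUsage applied
  ! openssl pkcs12 -in "$USERNAME.p12" -noout -passin pass:wrong 2>/dev/null # wrong pw rejected
  echo "$work"
}
```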


For more information about generating trusted certificates, read the following article.


© o.vanek
