Install a TLS certificate manually

If you have decided not to use Let's Encrypt and certbot, use these instructions to create your certificate(s) manually. Otherwise, this section can be skipped.

On each Linux platform, there are different locations for private key files and local server certificates. To simplify the examples, we define environment variables referring to them. See Example 9.5, “PKI directories (Debian/Ubuntu)” and Example 9.6, “PKI directories (Fedora/RHEL/CentOS)”.

On the server, create an RSA key pair and a certificate signing request (CSR) as demonstrated in Example 9.7, “Creating RSA key pair and CSR”.

Example 9.5. PKI directories (Debian/Ubuntu)

$ PKI_HOME=/etc/ssl
$ CERT_DIR=${PKI_HOME}/public

Example 9.6. PKI directories (Fedora/RHEL/CentOS)

$ PKI_HOME=/etc/pki/tls
$ CERT_DIR=${PKI_HOME}/certs

Example 9.7. Creating RSA key pair and CSR

$ sudo mkdir -p $PRIVATE_KEY_DIR
$ CSR_PEM=${CSR_DIR}/${MY_DOMAIN}-csr.pem
$ sudo openssl genrsa -out ${PRIVATE_KEY_PEM} 2048
$ sudo chmod 0640 ${PRIVATE_KEY_PEM}
$ sudo chgrp ssl-cert ${PRIVATE_KEY_PEM}
$ sudo mkdir -p ${CSR_DIR} ${CERT_DIR}
$ sudo openssl req -new \
          -key ${PRIVATE_KEY_PEM} \
          -out ${CSR_PEM} \
          -subj "/CN=${MY_DOMAIN}"
$ sudo cat ${CSR_PEM} 

Your CA will ask you to copy the CSR text and paste it into a form on their web site. The CA will now issue a certificate; it may be displayed in the browser or sent to you by email. Copy and paste it into the server after the cat command in Example 9.8, “Installing the certificate”, pressing CTRL-D or typing EOF to finish.

If the CA provides an intermediate certificate, you must also append it to the certificate file. The certificate file should contain the certificate for your domain, following by each intermediate certificate in order up to but not including the root.

Example 9.8. Installing the certificate

$ sudo cat > /etc/ssl/public/${MY_DOMAIN}.pem << EOF

The certificate is now ready for use by both the SIP and XMPP servers. It can also be used to secure a web server, SMTP server or any other application.