If you have decided not to use Let's Encrypt and certbot, use these instructions to create your certificate(s) manually. Otherwise, this section can be skipped.
On each Linux platform, there are different locations for private key files and local server certificates. To simplify the examples, we define environment variables referring to them. See Example 9.5, “PKI directories (Debian/Ubuntu)” and Example 9.6, “PKI directories (Fedora/RHEL/CentOS)”.
On the server, create an RSA key pair and a certificate signing request (CSR) as demonstrated in Example 9.7, “Creating RSA key pair and CSR”.
Example 9.5. PKI directories (Debian/Ubuntu)
$ PKI_HOME=/etc/ssl
$ PRIVATE_KEY_DIR=${PKI_HOME}/private
$ CERT_DIR=${PKI_HOME}/public
$ CSR_DIR=${PKI_HOME}/csr
Example 9.6. PKI directories (Fedora/RHEL/CentOS)
$ PKI_HOME=/etc/pki/tls
$ PRIVATE_KEY_DIR=${PKI_HOME}/private
$ CERT_DIR=${PKI_HOME}/certs
$ CSR_DIR=${PKI_HOME}/csr
Example 9.7. Creating RSA key pair and CSR
$ MY_DOMAIN=example.org
$ sudo mkdir -p ${PRIVATE_KEY_DIR}
$ PRIVATE_KEY_PEM=${PRIVATE_KEY_DIR}/${MY_DOMAIN}-key.pem
$ CSR_PEM=${CSR_DIR}/${MY_DOMAIN}-csr.pem
$ sudo openssl genrsa -out ${PRIVATE_KEY_PEM} 2048
$ sudo chmod 0640 ${PRIVATE_KEY_PEM}
$ sudo chgrp ssl-cert ${PRIVATE_KEY_PEM}   # the ssl-cert group exists on Debian/Ubuntu; elsewhere use the group the SIP/XMPP daemons run as
$ sudo mkdir -p ${CSR_DIR} ${CERT_DIR}
$ sudo openssl req -new \
    -key ${PRIVATE_KEY_PEM} \
    -out ${CSR_PEM} \
    -subj "/CN=${MY_DOMAIN}"
$ sudo cat ${CSR_PEM}
Your CA will ask you to copy the CSR text and paste it into a form on their web site. The CA will now issue a certificate; it may be displayed in the browser or sent to you by email. Copy and paste it into the server after the cat command in Example 9.8, “Installing the certificate”, pressing CTRL-D or typing EOF to finish.
If the CA provides an intermediate certificate, you must also append it to the certificate file. The certificate file should contain the certificate for your domain, followed by each intermediate certificate in order up to but not including the root.
Example 9.8. Installing the certificate
# The redirection must be performed by a root process: a plain "sudo cat > file"
# would have the unprivileged shell open the file and fail with "Permission denied".
$ cat << EOF | sudo tee ${CERT_DIR}/${MY_DOMAIN}.pem > /dev/null
-----BEGIN CERTIFICATE-----
MIIHWTCCBUGgAwIBAgIDCkGKMA0GCSqGSIb3DQEBCwUAMHkxEDAOBgNVBAoTB1Jv
b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
. . .
d+pLncdBu8fA46A/5H2kjXPmEkvfoXNzczqA6NXLji/L6hOn1kGLrPo8idck9U60
4GGSt/M3mMS+lqO3ig==
-----END CERTIFICATE-----
EOF
The certificate is now ready for use by both the SIP and XMPP servers. It can also be used to secure a web server, SMTP server or any other application.
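Before pointing the servers at the new file, it is worth checking that it was assembled as described above: the first certificate matches the private key from Example 9.7, each certificate's issuer is the subject of the next one, and the root was left out. The script below is an added example, not part of the guide; it assumes an RSA key and the paths set in the earlier examples, and it compares names with openssl rather than verifying signatures.

```shell
#!/bin/sh
# Checks a certificate file of the form built in Example 9.8 (leaf first,
# then each intermediate, root omitted). Assumes an RSA key as in Example 9.7.
# Usage: check_cert_bundle ${PRIVATE_KEY_PEM} ${CERT_DIR}/${MY_DOMAIN}.pem

_bundle_checks() {
    key="$1"; bundle="$2"; tmp="$3"
    # Split the bundle into one file per certificate: cert0.pem, cert1.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" (n-1) ".pem")}' "$bundle"
    count=0
    while [ -f "$tmp/cert$count.pem" ]; do count=$((count+1)); done
    [ "$count" -ge 1 ] || { echo "no certificate found in $bundle" >&2; return 1; }

    # 1. The first certificate must belong to the private key (same RSA modulus).
    key_mod=$(openssl rsa -noout -modulus -in "$key")
    leaf_mod=$(openssl x509 -noout -modulus -in "$tmp/cert0.pem")
    [ "$key_mod" = "$leaf_mod" ] || { echo "first certificate does not match $key" >&2; return 2; }

    # 2. Each certificate's issuer must be the subject of the one that follows it.
    #    The "subject="/"issuer=" prefixes are stripped so old and new OpenSSL output compare alike.
    i=0
    while [ $((i+1)) -lt "$count" ]; do
        issuer=$(openssl x509 -noout -issuer -in "$tmp/cert$i.pem")
        subject=$(openssl x509 -noout -subject -in "$tmp/cert$((i+1)).pem")
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || {
            echo "certificate $((i+1)) did not issue certificate $i (wrong order or missing intermediate)" >&2
            return 3; }
        i=$((i+1))
    done

    # 3. The last certificate must not be self-signed: the root belongs in the
    #    client's trust store, not in the server's certificate file.
    last="$tmp/cert$((count-1)).pem"
    issuer=$(openssl x509 -noout -issuer -in "$last")
    subject=$(openssl x509 -noout -subject -in "$last")
    [ "${issuer#issuer=}" != "${subject#subject=}" ] || { echo "file ends with a self-signed root" >&2; return 4; }
    return 0
}

# check_cert_bundle KEY.pem BUNDLE.pem -> exit status 0 only if every check passes
check_cert_bundle() {
    tmp=$(mktemp -d) || return 1
    _bundle_checks "$1" "$2" "$tmp"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A file that passes can still carry a bad signature; run `openssl verify -untrusted` with the same file against the system trust store for the cryptographic check.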