Until now I’ve relied upon the private keys that were already installed when I got my VPS. This is, of course, insecure: nobody knows where that private key came from or who else might hold a copy, so it may already have been compromised.

So I decided it was time to create some keys of my own. Here’s the procedure. First, let’s create some private space in our home folder for extra security:

cd ~
mkdir private
chmod 700 private   # 700 rather than 600: a directory needs the execute bit or you cannot cd into it
cd private

Next, create a passphrase-protected private key. Choose a strong passphrase and don’t forget it:

openssl genrsa -des3 -out server.key.secure 1024

Now derive a copy of the key from the protected one, this time without a passphrase:

openssl rsa -in server.key.secure -out server.key

The next step is familiar: create a Certificate Signing Request. CAcert.org only looks at the CommonName, so the other fields can be left at their defaults. When prompted for the Common Name ("YOUR name"), enter the name of your host, e.g. example.com:

openssl req -new -key server.key -out server.csr
cat server.csr

As before, copy-paste the contents of server.csr into CAcert.org’s form, wait, and paste the certificate it returns into a new file called server.pem. I’ve moved the (insecure) server.key and the final server.pem into /etc/ssl/private/ and /etc/ssl/certs/ respectively. Make sure only root has read access for server.key!

Last step: reconfigure Webmin, Apache, Dovecot and Postfix to use the new key and certificate.
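The whole procedure as a non-interactive script, added here as an example and not part of the original post. It assumes example.com as the host, a constructed passphrase, a temporary directory standing in for ~/private, and a self-signed certificate standing in for the one CAcert returns; it also uses 2048-bit keys, since 1024-bit RSA is below current minimums, and adds the checks worth running before installing the files (key and certificate share a modulus, the key is owner-only, the certificate carries the expected CommonName).

```shell
#!/bin/sh
# Added example, not from the original post: the key/CSR procedure run
# non-interactively, plus checks a practitioner would run before installing.
# Assumed values: host name, passphrase, work dir, and a self-signed stand-in
# for the certificate CAcert returns (all constructed for this example).
set -eu

CN_HOST="${CN_HOST:-example.com}"                 # the CommonName CAcert uses
PASS="${KEY_PASSPHRASE:-constructed-passphrase}"  # replace with a real one
WORKDIR="${WORKDIR:-$(mktemp -d)}"                # stand-in for ~/private

make_keys() {
    umask 077                       # every file we create is owner-only (600)
    chmod 700 "$WORKDIR"            # 700, not 600: a dir needs x to be entered
    cd "$WORKDIR"
    # Passphrase-protected master key. 2048 bits: 1024-bit RSA is below
    # current minimums. -passout keeps this script non-interactive.
    openssl genrsa -des3 -passout "pass:$PASS" -out server.key.secure 2048 2>/dev/null
    # Unencrypted copy that the daemons will actually load
    openssl rsa -in server.key.secure -passin "pass:$PASS" -out server.key 2>/dev/null
    # CSR carrying only the CommonName
    openssl req -new -key server.key -subj "/CN=$CN_HOST" -out server.csr 2>/dev/null
    # Stand-in for the signed certificate: self-signed from the same CSR
    openssl x509 -req -in server.csr -signkey server.key -days 365 -out server.pem 2>/dev/null
}

# Returns 0 when the private key and certificate share the same RSA modulus
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# Returns 0 when the file mode is 600, i.e. readable by its owner only
owner_only() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ "$mode" = "600" ]
}

# Prints the CommonName the certificate actually carries
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
case "${1:-}" in
    run) make_keys
         key_matches_cert "$WORKDIR/server.key" "$WORKDIR/server.pem"
         owner_only "$WORKDIR/server.key"
         echo "OK: key and cert for $(cert_cn "$WORKDIR/server.pem") match in $WORKDIR" ;;
esac
```

Run it with `sh script.sh run`; it exits non-zero at the first failed check, so a mismatched key or a world-readable key never makes it to /etc/ssl.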