OpenSSL Guide for the Sophos Email Appliance
Introduction
Part 1 - Creating an FTP server
Part 2 - Installing UNIX
Part 3 - About SSL Formats and Conversions
Part 4 - Assembling the Certificate
Part 5 - Uploading the certificate to the appliance
If you already have a Linux/UNIX system to work with, skip to Part 3.
Introduction
Considerations:
The default format for the appliance is PEM. PEM files usually end in .pem, .crt, .cer or .key.
You can tell a file is PEM because it is readable Base64 text between -----BEGIN CERTIFICATE-----
and -----END CERTIFICATE----- headers (a key uses -----BEGIN PRIVATE KEY----- or similar).
The PEM bundle the appliance expects has 3 main parts:
#1 the private key
#2 the certificate the CA issued for the appliance
#3 the intermediate CA certificate(s) that chain it to a trusted root
Other formats include DER (binary), P7B/PKCS#7 (certificates only, never the private key) and
PKCS#12/PFX (key and certificates together in one password-protected file). If you receive
material in any of these formats you will either need your CA to issue the certificate in PEM
format, or you will need to convert it to PEM yourself.
Please note there are online services that will convert your keys from one format to another, but
consider this: to do the conversion the service must be given your private key, so if you email
or upload it, it is now in another company's hands and floating around the internet. Whoever
holds that key can impersonate your mail server. It is NOT recommended that you give your private
key to anyone or send it across the internet in any format.
So what now? Well, the answer is fairly easy: if you cannot get the files in the correct format
and absolutely need to convert them manually, your best choice is to install a UNIX flavour that
ships OpenSSL and do it yourself, on a machine you control.
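As an added example that is not part of the original post, the following shell script shows what the conversion and assembly work comes down to once OpenSSL is available: it classifies a file as PEM, DER, PKCS#7 or PKCS#12, converts it to PEM, splits a PKCS#12 into key, server certificate and intermediate chain, checks that the private key really belongs to the certificate, and writes the bundle in the order described above (key, server certificate, intermediates). It generates its own throwaway root/issuing-CA/server chain as sample input; every file name, subject name and the PKCS#12 password changeit are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the original post): identify the format of a
# certificate or key file, convert it to PEM, confirm that a private key
# belongs to a certificate, and assemble the PEM bundle in the order the
# guide describes (private key, server certificate, intermediate CAs).
# Needs only openssl(1). Every file name, subject name and the PKCS#12
# password below is an assumption invented for this demonstration.
set -eu

# Classify a file as pem, der (certificate), der-key (private key), pkcs7,
# pkcs12 or unknown. Binary formats are recognised by asking openssl to
# parse them; the optional second argument is the PKCS#12 import password.
detect_format() {
    if grep -q -- '-----BEGIN ' "$1" 2>/dev/null;                 then echo pem
    elif openssl x509  -inform DER -in "$1" -noout 2>/dev/null;  then echo der
    elif openssl pkey  -inform DER -in "$1" -noout 2>/dev/null;  then echo der-key
    elif openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null;  then echo pkcs7
    elif openssl pkcs12 -in "$1" -info -noout -passin "pass:${2:-}" 2>/dev/null
    then echo pkcs12
    else echo unknown
    fi
}

# Convert any of those into a PEM file. PKCS#12 yields key and certificates
# together; PKCS#7 yields certificates only (a P7B never carries a key).
to_pem() {
    in="$1"; out="$2"; pass="${3:-}"
    case "$(detect_format "$in" "$pass")" in
        pem)     cp "$in" "$out" ;;
        der)     openssl x509 -inform DER -in "$in" -out "$out" ;;
        der-key) openssl pkey -inform DER -in "$in" -out "$out" ;;
        pkcs7)   openssl pkcs7 -inform DER -in "$in" -print_certs -out "$out" ;;
        pkcs12)  openssl pkcs12 -in "$in" -nodes -passin "pass:$pass" -out "$out" ;;
        *)       echo "cannot convert $in: unrecognised format" >&2; return 1 ;;
    esac
}

# Split a PKCS#12 into <prefix>.key, <prefix>.crt and <prefix>-chain.crt,
# dropping the "Bag Attributes" preamble so each file is clean PEM.
split_pkcs12() {
    p12="$1"; pass="$2"; prefix="$3"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -out "$prefix.key"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$prefix.crt"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
        | sed -n '/^-----BEGIN/,/^-----END/p' > "$prefix-chain.crt"
}

# True when the certificate's public key is the one derived from the private
# key (compares SHA-256 over the DER SubjectPublicKeyInfo of each).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the sequence of PEM block labels in a file, e.g.
# "PRIVATE KEY,CERTIFICATE,CERTIFICATE" (any key label becomes PRIVATE KEY).
bundle_layout() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" \
        | sed 's/.*PRIVATE KEY$/PRIVATE KEY/' | paste -s -d , -
}

# Write the appliance bundle: key, server certificate, then intermediates.
# Refuses to run when the key does not belong to the certificate.
assemble_bundle() {
    out="$1"; key="$2"; leaf="$3"; shift 3
    key_matches_cert "$key" "$leaf" || { echo "key does not match $leaf" >&2; return 1; }
    cat "$key" "$leaf" "$@" > "$out"
    chmod 600 "$out"            # the bundle contains the private key
}

# Constructed sample input: a throwaway root -> issuing CA -> server chain,
# plus the same server credential as a CA might deliver it (DER, P7B, P12).
WORK=$(mktemp -d); cd "$WORK"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout root.key -out root.crt 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Issuing CA' \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.crt 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.org\n' > leaf.ext
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.org' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.crt 2>/dev/null
openssl x509 -in leaf.crt -outform DER -out leaf.der
openssl pkey -in leaf.key -outform DER -out leaf.key.der
openssl crl2pkcs7 -nocrl -certfile leaf.crt -certfile inter.crt -outform DER -out chain.p7b
openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile inter.crt \
    -passout pass:changeit -out leaf.p12

# Typical job: the CA sent a PKCS#12; turn it into the appliance bundle.
split_pkcs12 leaf.p12 changeit fromp12
assemble_bundle appliance.pem fromp12.key fromp12.crt fromp12-chain.crt
to_pem chain.p7b chain.pem                 # P7B -> certificates only
for f in leaf.crt leaf.der leaf.key.der chain.p7b leaf.p12; do
    echo "$f: $(detect_format "$f" changeit)"
done
echo "appliance.pem layout: $(bundle_layout appliance.pem)"
openssl verify -CAfile root.crt -untrusted fromp12-chain.crt fromp12.crt
```

The key-match check is the one step worth never skipping: a bundle whose key does not belong to its certificate is the usual reason an upload is rejected, and openssl will happily write such a file without complaint. The final openssl verify confirms the intermediate really chains the server certificate to the root before anything is uploaded.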
Step #1: Create an FTP server
Create an FTP server that is reachable on your network and upload your key files there.
Make sure the account you will use can read and write to the server. Keep in mind that FTP
sends both credentials and file contents in the clear, so keep this server on a trusted internal
network (or copy the files with scp/sftp instead; the OpenBSD install below enables sshd by
default) and delete the key from it once the conversion is done.
Step #2: Installing OpenBSD
From Windows:
Select Start / Run / cmd, then:
c:\Users\Red_warrior> cd Desktop
c:\Users\red_Warrior\Desktop>ftp
ftp>open ftp.openbsd.org
Connected to openbsd.sunsite.ualberta.ca
220 openbsd.srv.ualberta.ca FTP server ready.
User (openbsd.sunsite.ualberta.ca:(none)): anonymous
331 Guest login ok, send your email address as password.
Password: my@email.com
230- Welcome to ftp.openbsd.org at the University of Alberta
230- in Edmonton, Alberta, Canada.
230- For other mirror sites visit http://www.openbsd.org/ftp.html
230-
230- [OpenBSD ASCII-art logo omitted]
230-
230- The proactively secure Unix-like Operating System.
230- Please visit the OpenBSD web site at http://www.openbsd.org/
230-
230- All transfers are logged, if you don't like this policy, disconnect now!
230-
230- OpenBSD is available for order! You can order OpenBSD CD's from
230- http://www.openbsd.org/orders.html. CD sales are very important to support
230- the continued development of the project.
230-
230- *DO NOT* mirror openbsd from this site! use one of the
230- "second level mirrors" listed at http://www.openbsd.org/ftp.html
230- instead of this site. If you mirror from this site you will lose
230- access to it.
230-
230- E-mail comments, questions, trouble reports, and complaints
230- to beck@openbsd.org. Please drive safely.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd pub/OpenBSD/5.5/amd64
ftp> get install55.iso
local: install55.iso remote: install55.iso
229 Entering Extended Passive Mode (|||60917|)
150 Opening BINARY mode data connection for 'install55.iso' (248283136 bytes).
0% | | 1070 KiB 534.70 KiB/s 07:31
ftp> bye
NOTE: OpenBSD is a NON-PROFIT project. Please log into www.openbsd.org and support the project
with a direct donation. I'm not advertising for them, but they deserve the cash if you're going to
use their OS to convert your certs :)
The ISO file is now on your desktop. You can either burn it to a CD and install on a real
computer, or create a VM with VMware and install into that. Plain FTP gives no assurance that the
file was not altered in transit, so compare it against the SHA256 checksum published with the
release before booting it (the installer itself verifies the sets against SHA256.sig, as shown
below). 5.5 was the current release when this was written; use whichever release is current.
In order to install OpenBSD you will need:
1 processor with 1 core
256 MB of RAM
2 GB of hard drive space
Then attach install55.iso and boot the machine.
The boot sequence will start and you will eventually see:
Welcome to the OpenBSD/amd64 5.5 installation program.
(I)nstall, (U)pgrade, (A)utoinstall or (S)hell?
Type I to install.
At any prompt except password prompts you can escape to a shell by
typing '!'. Default answers are shown in []'s and are selected by
pressing RETURN. You can exit this program at any time by pressing
Control-C, but this can leave your system in an inconsistent state.
Choose your keyboard layout ('?' or 'L' for list) [default] Enter
System hostname? (short form, e.g. 'foo') XXXXXXXX
Available network interfaces are: fxp0 vlan0.
Which one do you wish to configure? (or 'done') [fxp0] Enter
IPv4 address for fxp0? (or 'dhcp' or 'none') [dhcp] Enter
Issuing hostname-associated DHCP request for fxp0.
DHCPDISCOVER on fxp0 to 255.255.255.255 port 67 interval 1
DHCPOFFER from 192.168.1.250 (08:00:20:94:0b:c8)
DHCPREQUEST on fxp0 to 255.255.255.255 port 67
DHCPACK from 192.168.1.250 (08:00:20:94:0b:c8)
bound to 192.168.1.199 -- renewal in 43200 seconds.
IPv6 address for fxp0? (or 'rtsol' or 'none') [none] Enter
Available network interfaces are: fxp0 vlan0.
Which one do you wish to configure? (or 'done') [done] Enter
Using DNS domainname example.org
Using DNS nameservers at 192.168.1.252
Password for root account? (will not echo) PaSsWoRd   (choose a strong passphrase; this box will hold your private key)
Password for root account? (again) PaSsWoRd
Start sshd(8) by default? [yes] Enter
Start ntpd(8) by default? [no] Enter
Do you expect to run the X Window System? [yes] Enter   (answer no if the machine only exists to run openssl; X is not needed and the x*55.tgz sets can then be skipped)
Do you want the X Window System to be started by xdm(1)? [no] Enter
Change the default console to com0? [no] Enter
Setup a user? (enter a lower-case loginname, or 'no') [no] Enter
What timezone are you in? ('?' for list) [Canada/Pacific] Enter
Available disks are: wd0.
Which one is the root disk? (or 'done') [wd0] Enter
Use DUIDs rather than device names in fstab? [yes] Enter
Disk: wd0 geometry: 5168/240/63 [78140160 Sectors]
Offset: 0 Signature: 0xAA55
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
-------------------------------------------------------------------------------
0: 00 0 1 1 - 5167 239 63 [ 0: 78140097 ] NTFS
1: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
2: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
3: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
Use (W)hole disk or (E)dit the MBR? [whole] Enter
Setting OpenBSD MBR partition to whole wd0...done.
The auto-allocated layout for wd0 is:
# size offset fstype [fsize bsize cpg]
a: 1024.0M 64 4.2BSD 2048 16384 1 # /
b: 199.0M 2097216 swap
c: 40960.0M 0 unused
d: 2822.9M 2504768 4.2BSD 2048 16384 1 # /tmp
e: 4295.0M 8286112 4.2BSD 2048 16384 1 # /var
f: 2048.0M 17082240 4.2BSD 2048 16384 1 # /usr
g: 1024.0M 21276544 4.2BSD 2048 16384 1 # /usr/X11R6
h: 5426.7M 23373696 4.2BSD 2048 16384 1 # /usr/local
i: 1699.7M 34487520 4.2BSD 2048 16384 1 # /usr/src
j: 2048.0M 37968576 4.2BSD 2048 16384 1 # /usr/obj
k: 20367.4M 42162880 4.2BSD 2048 16384 1 # /home
Use (A)uto layout, (E)dit auto layout, or create (C)ustom layout? [a] Enter
/dev/rwd0a: 1024.0MB in 2097152 sectors of 512 bytes
6 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0k: 20367.4MB in 41712448 sectors of 512 bytes
101 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0d: 2822.9MB in 5781344 sectors of 512 bytes
14 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0f: 2048.0MB in 4194304 sectors of 512 bytes
11 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0g: 1024.0MB in 2097152 sectors of 512 bytes
6 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0h: 5426.7MB in 11113824 sectors of 512 bytes
27 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0j: 2048.0MB in 4194304 sectors of 512 bytes
11 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0i: 1699.7MB in 3481056 sectors of 512 bytes
9 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/rwd0e: 4295.0MB in 8796128 sectors of 512 bytes
22 cylinder groups of 202.47MB, 12958 blocks, 25984 inodes each
/dev/wd0a (c109be3ad535b626.a) on /mnt type ffs (rw, asynchronous, local)
/dev/wd0k (c109be3ad535b626.k) on /mnt/home type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/wd0d (c109be3ad535b626.d) on /mnt/tmp type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/wd0f (c109be3ad535b626.f) on /mnt/usr type ffs (rw, asynchronous, local, nodev)
/dev/wd0g (c109be3ad535b626.g) on /mnt/usr/X11R6 type ffs (rw, asynchronous, local, nodev)
/dev/wd0h (c109be3ad535b626.h) on /mnt/usr/local type ffs (rw, asynchronous, local, nodev)
/dev/wd0j (c109be3ad535b626.j) on /mnt/usr/obj type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/wd0i (c109be3ad535b626.i) on /mnt/usr/src type ffs (rw, asynchronous, local, nodev, nosuid)
/dev/wd0e (c109be3ad535b626.e) on /mnt/var type ffs (rw, asynchronous, local, nodev, nosuid)
Location of sets? (cd disk ftp http or 'done') [cd] Enter
Select sets by entering a set name, a file name pattern or 'all'. De-select
sets by prepending a '-' to the set name, file name pattern or 'all'. Selected
sets are labelled '[X]'.
[X] bsd [X] etc55.tgz [X] xbase55.tgz [X] xserv55.tgz
[X] bsd.rd [X] comp55.tgz [X] xetc55.tgz
[ ] bsd.mp [X] man55.tgz [X] xshare55.tgz
[X] base55.tgz [X] game55.tgz [X] xfont55.tgz
Set name(s)? (or 'abort' or 'done') [done] Enter
Get/Verify SHA256.sig 100% |**************************| 2329 00:01
Get/Verify bsd 100% |**************************| 10263 KB 00:05
Get/Verify bsd.rd 100% |**************************| 6349 KB 00:03
Get/Verify base55.tgz 100% |**************************| 58796 KB 00:26
Get/Verify etc55.tgz 100% |**************************| 513 KB 00:00
Get/Verify comp55.tgz 100% |**************************| 48489 KB 00:28
Get/Verify man55.tgz 100% |**************************| 9836 KB 00:06
Get/Verify game55.tgz 100% |**************************| 2643 KB 00:02
Get/Verify xbase55.tgz 100% |**************************| 12565 KB 00:06
Get/Verify xetc55.tgz 100% |**************************| 64910 00:00
Get/Verify xshare55.tgz 100% |**************************| 4300 KB 00:04
Get/Verify xfont55.tgz 100% |**************************| 38994 KB 00:17
Get/Verify xserv55.tgz 100% |**************************| 23534 KB 00:15
Installing bsd 100% |**************************| 10263 KB 00:00
Installing bsd.rd 100% |**************************| 6349 KB 00:00
Installing base55.tgz 100% |**************************| 58796 KB 00:22
Installing etc55.tgz 100% |**************************| 513 KB 00:00
Installing comp55.tgz 100% |**************************| 48489 KB 00:17
Installing man55.tgz 100% |**************************| 9836 KB 00:06
Installing game55.tgz 100% |**************************| 2643 KB 00:00
Installing xbase55.tgz 100% |**************************| 12565 KB 00:03
Installing xetc55.tgz 100% |**************************| 64910 00:00
Installing xshare55.tgz 100% |**************************| 4300 KB 00:05
Installing xfont55.tgz 100% |**************************| 38994 KB 00:10
Installing xserv55.tgz 100% |**************************| 23534 KB 00:06
Location of sets? (cd disk ftp http or 'done') [done] Enter
Saving configuration files...done.
Generating initial host.random file...done.
Making all device nodes...done.
CONGRATULATIONS! Your OpenBSD install has been successfully completed!
To boot the new system, enter 'reboot' at the command prompt.
When you login to your new system the first time, please read your mail
using the 'mail' command.
#
Type reboot at the # prompt.
The system will power down and reboot. On first boot it will probe the hardware and generate its
SSH host keys and other local keys, then finish with:
OpenBSD/amd64 (sea.home.lan) (ttyC0)
login:
login: root
Password: PaSsWoRd
Congratulations, you have installed and logged into your new UNIX machine.
Before we can continue there are a couple of things we should install to make life
a little easier.