HOWTO: enable SSL (Secure Socket Layer) with Open Webmail (and your Web Site)
=============================================================================
by Thomas Chung (tchung AT openwebmail.org)
Last Updated: 2003-02-03

References:
   RH71 Reference Guide (p167)
   RH73 Customization Guide (p136-p140)

1) Make sure you have mod_ssl and openssl installed on your Red Hat box

   # rpm -q mod_ssl openssl
   (from RH73)
   mod_ssl-2.8.12-2
   openssl-0.9.6b-28

2) Go to the httpd config directory

   # cd /etc/httpd/conf

3) Remove the fake key and certificate that were generated during the
   installation with the following commands.

   # rm ssl.key/server.key
   # rm ssl.crt/server.crt

4) Use the following command to create your own key

   # /usr/bin/openssl genrsa 1024 > /etc/httpd/conf/ssl.key/server.key
   Generating RSA private key, 1024 bit long modulus
   .................................++++++
   ..++++++
   e is 65537 (0x10001)

5) Use the following command to make sure the permissions are set correctly
   on your key.

   # chmod 600 /etc/httpd/conf/ssl.key/server.key

6) Use the following command to create a self-signed certificate

   # make testcert

   You will see something similar to the following, and you will need to
   answer several questions

   [root@www conf]# make testcert
   umask 77 ; \
   /usr/bin/openssl req -new -key /etc/httpd/conf/ssl.key/server.key -x509 -days 365 -out /etc/httpd/conf/ssl.crt/server.crt
   Using configuration from /usr/share/ssl/openssl.cnf
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:California
   Locality Name (eg, city) []:Pasadena
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Open Webmail Project
   Organizational Unit Name (eg, section) []:Thomas Chung
   Common Name (eg, your name or your server's hostname) []:openwebmail.org
   Email Address []:tchung@openwebmail.org
   [root@www conf]#

7) Use the following command to restart the web server

   # service httpd restart

8) Test your certificate from your browser

   https:///cgi-bin/openwebmail/openwebmail.pl

9) You will see something similar to the following

   +----------------------------------------------------------+
   | Website Certified by an Unknown Authority                |
   |                                                          |
   | There is a problem with the certificate that identifies  |
   | "". Do you want to continue?                             |
   |                                                          |
   | The certificate was issued by a certificate authority    |
   | that Mozilla does not recognize                          |
   |                                                          |
   | [ View Certificate ]                                     |
   |                                                          |
   | [ ] Remember this certificate permanently                |
   |                                                          |
   | [ Continue ] [ Cancel ] [ Help ]                         |
   +----------------------------------------------------------+

   You can either just click the [ Continue ] button, or check the box for
   "Remember..." and then click the [ Continue ] button to avoid this message
   in the future (for about a year).
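
A check for the key and certificate produced in steps 4 to 6, added here as an example and not part of the original HOWTO: it confirms the key mode from step 5, that the certificate belongs to the key, how long the certificate remains valid, and whether it is self-signed. The function names and the 30-day threshold are assumptions of this example; it expects GNU stat and an openssl binary on the PATH.

```shell
#!/bin/sh
# Added example: audit the key/certificate pair created in steps 4-6.
# Function names and the 30-day threshold are hypothetical choices.

# Print the RSA modulus size in bits.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Succeed only if the certificate was issued for this private key
# (both must carry the same RSA modulus).
key_matches_cert() {
    k=$(openssl rsa  -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed if subject and issuer are identical, as "make testcert" produces.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//')
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# Succeed if the certificate is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Report on a pair; return non-zero if any hard check fails.
audit_pair() {
    key=$1 crt=$2 rc=0
    mode=$(stat -c %a "$key")
    [ "$mode" = 600 ] || { echo "FAIL key mode is $mode, expected 600"; rc=1; }
    key_matches_cert "$key" "$crt" ||
        { echo "FAIL key does not match certificate"; rc=1; }
    valid_for_days "$crt" 30 ||
        { echo "FAIL certificate expires within 30 days"; rc=1; }
    is_self_signed "$crt" &&
        echo "NOTE self-signed: browsers show the dialog from step 9"
    echo "INFO RSA key size: $(key_bits "$key") bits"
    return $rc
}

# Run the audit when called with a key path and a certificate path.
if [ "$#" -eq 2 ]; then audit_pair "$1" "$2"; fi
```

Saved under any file name, the script takes the key path and the certificate path from step 3 as its two arguments.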