# 1. generate a private key
[root@thermalite ~]# openssl genrsa -des3 -out thermalite.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
....................+++++
............+++++
e is 65537 (0x010001)
Enter pass phrase for thermalite.key:
Verifying - Enter pass phrase for thermalite.key:
[root@thermalite ~]#
# 2. generate a certificate signing request (.csr) using the private key
[root@thermalite ~]# openssl req -new -key thermalite.key -out thermalite.csr
Enter pass phrase for thermalite.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:New Jersey
Locality Name (eg, city) [Default City]:Cherry Hill
Organization Name (eg, company) [Default Company Ltd]:O2bot LLC
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []:thermalite
Email Address []:donot-reply@gmail.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# 3. generate an actual certificate using the certificate signing request (.csr)
[root@thermalite ~]# openssl x509 -req -days 365 -in thermalite.csr -signkey thermalite.key -out thermalite.crt
Signature ok
subject=C = US, ST = New Jersey, L = Cherry Hill, O = O2bot LLC, OU = IT Department, CN = thermalite, emailAddress = donot-reply@gmail.com
Getting Private key
Enter pass phrase for thermalite.key:
[root@thermalite ~]#
# 4. generate a copy of the private key with no passphrase (nopass)
[root@thermalite ~]# openssl rsa -in thermalite.key -out thermalite.key.nopass
Enter pass phrase for thermalite.key:
writing RSA key
[root@thermalite ~]#
# 5. overwrite the private key with nopass
[root@thermalite ~]# mv thermalite.key.nopass thermalite.key
mv: overwrite 'thermalite.key'? y
[root@thermalite ~]#
# 6. create a new certificate authority
[root@thermalite ~]# openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 365
Generating a RSA private key
.+++++
.......................................+++++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:New Jersey
Locality Name (eg, city) [Default City]:Cherry Hill
Organization Name (eg, company) [Default Company Ltd]:O2bot LLC
Organizational Unit Name (eg, section) []:IT Department
Common Name (eg, your name or your server's hostname) []:thermalite
Email Address []:donot-reply@gmail.com
# 7. chmod the private key files
[root@thermalite ~]# chmod 600 thermalite.key cakey.pem
# 8. move to proper directories
[root@thermalite ~]# mv thermalite.crt /etc/ssl/certs/.
[root@thermalite ~]# mv cacert.pem /etc/ssl/certs/.
[root@thermalite ~]# update-ca-trust
[root@thermalite ~]# mkdir -p /etc/ssl/private
[root@thermalite ~]# mv thermalite.key /etc/ssl/private/.
[root@thermalite ~]# mv cakey.pem /etc/ssl/private/.
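Added example (not part of the original post): shell checks for the result of steps 1-8. They confirm that the key matches the certificate, that the key is no longer passphrase-protected and is mode 600, and whether the certificate chains to the CA from step 6 or is self-signed, which is what `-signkey` in step 3 produces. Function names are hypothetical, and `stat -c` assumes GNU coreutils.

```shell
# Added example: checks for the files produced by steps 1-8.
# Function names are hypothetical; pass your own paths as arguments.

# 0 if KEY and CERT hold the same public key; 2 if either cannot be read
# (an encrypted key counts as unreadable: the empty -passin avoids a prompt).
key_matches_cert() {  # usage: key_matches_cert KEY CERT
  _k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
  _c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ "$_k" = "$_c" ]
}

# 0 if the PEM key is still passphrase-protected (step 4 not applied).
key_is_encrypted() { grep -q 'ENCRYPTED' "$1"; }

# 0 if the key file is mode 600, as set in step 7 (GNU stat assumed).
key_perms_ok() { [ "$(stat -c '%a' "$1")" = "600" ]; }

# 0 if CERT verifies against CA_CERT. Passing the same file twice tests
# whether CERT is self-signed.
signed_by() {  # usage: signed_by CA_CERT CERT
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print findings; return the number of hard failures.
audit_tls_files() {  # usage: audit_tls_files KEY CERT CA_CERT
  _fail=0
  if key_is_encrypted "$1"; then
    echo "NOTE: $1 is passphrase-protected"
  elif ! key_matches_cert "$1" "$2"; then
    echo "FAIL: $1 is not the key for $2"; _fail=$((_fail + 1))
  fi
  key_perms_ok "$1" || { echo "FAIL: $1 is not mode 600"; _fail=$((_fail + 1)); }
  signed_by "$2" "$2" && echo "NOTE: $2 is self-signed"
  signed_by "$3" "$2" || echo "NOTE: $2 was not issued by $3"
  return "$_fail"
}
```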
Wednesday, August 12, 2020
Generating Certificate for your CentOS 8 Postfix Server