[Web-cyradm] creating TLS/SSL certificate
Mikko Toivola
mikko.cwa at pikkasenkuti.com
Thu Nov 29 07:58:57 CET 2007
Hi.
Of course an official certificate is always better if you plan to offer
services more widely than inside the company etc. Otherwise it
doesn't give any extra security to have your certificate signed by a
"trusted" party. You trust yourself, don't you ;)? Certificates
expire after the date you set them to expire. In the example copied from
the HOWTO, they expire after 999 days (~3 years). I usually set the
expiry to 3650; I got tired of creating new certificates. Using the same
self-signed root certificate to sign the actual certificates (imaps,
https) keeps it simple and clear.
w/regards,
Mikko Toivola
On 27.11.2007, at 7:56, jekillen wrote:
> regarding the following text from
>
> Postfix-Cyrus-Web-cyradm-HOWTO
>
> Creating the TLS/SSL Certificate
>
> If you want to enable Cyrus' TLS/SSL facilities, you have to create
> a certificate first. This requires an OpenSSL installation
>
> openssl req -new -nodes -out req.pem -keyout key.pem
> openssl rsa -in key.pem -out new.key.pem
> openssl x509 -in req.pem -out ca-cert -req \
> -signkey new.key.pem -days 999
>
> mkdir /var/imap
>
> cp new.key.pem /var/imap/server.pem
> rm new.key.pem
> cat ca-cert >> /var/imap/server.pem
>
> chown cyrus:mail /var/imap/server.pem
> chmod 600 /var/imap/server.pem # Your key should be protected
>
> echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
> echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
> echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf
>
> Would it not be more appropriate and credible to get an
> official certificate, or use one that already is in effect for
> other SSL-related network activity, e.g. https?
>
> I have created certificates for Apache for testing ssl
> connections. But these expire after a year and are
> not recognized by commercial web and e-mail software
> (and why would they? It would defeat the purpose).
>
> Thanks
> Jeff K
>
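Added example (not part of the thread or the HOWTO): the setup the reply describes, one self-signed root certificate signing separate certificates for imaps and https, written out with openssl. The scratch directory, subject and host names and the helper function names are assumptions; the lifetimes 3650 and 999 are the ones mentioned in the thread.

```shell
# Added example: one private root CA signs a separate certificate per service.
# Directory, subject names and host names are constructed placeholders.

# make_root DIR DAYS: root key plus self-signed root certificate (CA:TRUE).
make_root() (
    umask 077; mkdir -p "$1" && cd "$1" || exit 1
    cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days "$2" \
        -config ca.cnf -subj "/CN=Example Internal Root CA" \
        -keyout root.key -out root.crt 2>/dev/null
)

# issue_cert DIR NAME HOST DAYS: key, CSR and root-signed certificate for HOST.
issue_cert() (
    umask 077; cd "$1" || exit 1
    openssl req -new -nodes -newkey rsa:2048 -config ca.cnf -subj "/CN=$3" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null || exit 1
    printf '%s\n' 'basicConstraints = CA:FALSE' 'extendedKeyUsage = serverAuth' \
        "subjectAltName = DNS:$3" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA root.crt -CAkey root.key -CAcreateserial \
        -sha256 -days "$4" -extfile "$2.ext" -out "$2.crt" 2>/dev/null
)

# check_chain DIR NAME: true only when NAME.crt verifies against the root.
check_chain() { openssl verify -CAfile "$1/root.crt" "$1/$2.crt" >/dev/null 2>&1; }

# imapd_conf DIR NAME: the HOWTO's three imapd.conf keys, as separate files.
imapd_conf() {
    printf 'tls_ca_file: %s\ntls_cert_file: %s\ntls_key_file: %s\n' \
        "$1/root.crt" "$1/$2.crt" "$1/$2.key"
}

# Demo in a scratch directory, using the lifetimes mentioned in the thread.
PKI=$(mktemp -d)
make_root "$PKI" 3650 &&
    issue_cert "$PKI" imaps mail.example.test 999 &&
    issue_cert "$PKI" https www.example.test 999 &&
    check_chain "$PKI" imaps && check_chain "$PKI" https &&
    imapd_conf "$PKI" imaps
```

Only root.crt has to be imported into clients; root.key signs new certificates and is not needed on the mail or web server.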