[Web-cyradm] creating TLS/SSL certificate
jekillen
jekillen at prodigy.net
Fri Nov 30 01:53:58 CET 2007
On Nov 28, 2007, at 10:58 PM, Mikko Toivola wrote:
> Hi.
>
> Of course an official certificate is always better, if you plan to offer
> services more widely than inside the company etc. Otherwise it doesn't
> give any extra security to have your certificate signed by a "trusted"
> party. You trust yourself, don't you ;)? Certificates expire after the
> date you set them to expire. In the example copied from the HOWTO, they
> expire after 999 days (~3 years). I usually set the expiry to 3650,
> got tired of creating new certificates. Using the same self-signed
> root-certificate to sign actual certificates (imaps, https) keeps it
> simple and clear.
>
> w/regards,
>
> Mikko Toivola
Now that you mention it, there was something about ssl not supported
and the interface was intended to be used at and on localhost,
if I understand correctly. So a formal cert would be like a gold-plated
door knob on the inside of your closet door. But I have other
reasons to have a formal cert. But this I can do to get up and running.
All of this software is a significant bundle for me, so as I
learn by doing I do not want to do too much at once and get lost.
Thanks for the response.
Jeff K
>
>
> On 27.11.2007, at 7:56, jekillen wrote:
>
>> regarding the following text from
>>
>> Postfix-Cyrus-Web-cyradm-HOWTO
>>
>> Creating the TLS/SSL Certificate
>>
>> If you want to enable Cyrus' TLS/SSL facilities, you have to create a
>> certificate first. This requires an OpenSSL installation
>>
>> openssl req -new -nodes -out req.pem -keyout key.pem
>> openssl rsa -in key.pem -out new.key.pem
>> openssl x509 -in req.pem -out ca-cert -req \
>> -signkey new.key.pem -days 999
>>
>> mkdir /var/imap
>>
>> cp new.key.pem /var/imap/server.pem
>> rm new.key.pem
>> cat ca-cert >> /var/imap/server.pem
>>
>> chown cyrus:mail /var/imap/server.pem
>> chmod 600 /var/imap/server.pem # Your key should be protected
>>
>> echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
>> echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
>> echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf
>>
>> Would it not be more appropriate and credible to get an
>> official certificate, or use one that already is in effect for
>> other ssl related network activity; E.G. https?
>>
>> I have created certificates for Apache for testing ssl
>> connections. But these expire after a year and are
>> not recognized by commercial web and e-mail software
>> (and why would they? It would defeat the purpose).
>>
>> Thanks
>> Jeff K
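
The approach mentioned in the reply above (one self-signed root certificate that signs the actual service certificates), as an added example that is not part of the original thread or the HOWTO. The host name `mail.example.test`, the directory layout and the function names are constructed; it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example; host name, directory layout and function names are constructed.
set -eu

# make_ca DIR DAYS: self-signed root. ca.key is the only secret that can mint
# new certificates, so it is created with owner-only permissions.
make_ca() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Private Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    (umask 077; openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt")
}

# issue_server DIR HOST DAYS: new key and CSR for HOST, signed by the root in DIR.
# The certificate is marked as a non-CA server certificate with HOST as its SAN.
issue_server() {
    (umask 077; openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
        -config "$1/ca.cnf" -keyout "$1/$2.key" -out "$1/$2.csr")
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days "$3" -extfile "$1/$2.ext" -out "$1/$2.crt"
}

# check_server DIR HOST SECONDS: succeeds only if the certificate chains to the
# root in DIR and will still be valid SECONDS from now.
check_server() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 &&
        openssl x509 -in "$1/$2.crt" -noout -checkend "$3" >/dev/null
}

# Demo in a scratch directory: 3650-day root, 999-day server certificate
# (the two lifetimes mentioned in the thread).
demo=$(mktemp -d)
make_ca "$demo" 3650
issue_server "$demo" mail.example.test 999
check_server "$demo" mail.example.test 86400 && echo "chain OK, valid for at least one more day"
```

With this layout, the `tls_ca_file` line from the HOWTO would point at `ca.crt`, while `tls_cert_file` and `tls_key_file` point at the server certificate and key; `ca.key` is not needed on the IMAP host. Running `check_server` from cron with a larger `SECONDS` value gives advance notice before a long-lived certificate lapses.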