For When You Can't Have The Real Thing

private ssl

Created by dave. Last edited by dave, 18 years and 60 days ago.

Updating Expired Private SSL Certs

Odds are you don't have a "real" ssl cert to encrypt your IMAP mail sessions. This is fine; it means that your sessions are still encrypted, but "anal" clients like Outlook will get their panties in a bunch because your cert is not "blessed". (Note that Outlook will still work fine; however it will complain about the cert's lack of legitimacy every time you try to connect to the server.)

I installed the cyrus-imapd that came with Fedora Core 3. As part of that installation, it (or something it depends on) made me a nice private certificate.

Eventually your fake cert will expire and you'll want to generate a new one.

Here is what I did:

# openssl req -new -nodes -out req.pem -keyout key.pem
# openssl rsa -in key.pem -out new.key.pem
# openssl x509 -in req.pem -out ca-cert -req -signkey new.key.pem -days 999
# cp new.key.pem xdroop.pem
# cat ca-cert >> xdroop.pem
# mv xdroop.pem /usr/share/ssl/certs

Then I edited /etc/imapd.conf so that all three TLS fields pointed at the new cert:

tls_cert_file: /usr/share/ssl/certs/xdroop.pem
tls_key_file: /usr/share/ssl/certs/xdroop.pem
tls_ca_file: /usr/share/ssl/certs/xdroop.pem

Mutt accepted the new certificate without complaint.
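
An added example, not part of the original notes: a non-interactive version of the steps above that builds the combined key-plus-certificate file, then checks that the key matches the certificate, how long the certificate stays valid, and that the file holding the private key is not world-readable. The file names, the CN imap.example.test and the single "openssl req -x509" call standing in for the three separate commands are assumptions.

```shell
#!/bin/sh
# Added example: regenerate a self-signed cert for an IMAP server and sanity-check it.
# Names and paths are hypothetical; copy the result into place by hand afterwards.

# make_combined_pem DIR CN DAYS -> prints the path of DIR/combined.pem (key + cert)
make_combined_pem() {
    dir=$1 cn=$2 days=$3
    (
        umask 077   # the combined file contains the private key: owner-only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$cn" -days "$days" \
            -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
        cat "$dir/key.pem" "$dir/cert.pem" > "$dir/combined.pem"
    ) || return 1
    printf '%s\n' "$dir/combined.pem"
}

# key_matches_cert PEM -> 0 if the private key and the certificate in PEM
# carry the same public key (catches a stale key pasted next to a new cert)
key_matches_cert() {
    from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# valid_for_days PEM DAYS -> 0 if the certificate is still valid DAYS from now
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# not_world_readable PEM -> 0 if "other" has no read bit on the file
not_world_readable() {
    [ -z "$(find "$1" -perm -004)" ]
}

# Demo in a scratch directory, using the same 999-day lifetime as the notes.
demo_dir=$(mktemp -d)
demo_pem=$(make_combined_pem "$demo_dir" imap.example.test 999) &&
    key_matches_cert "$demo_pem" &&
    valid_for_days "$demo_pem" 30 &&
    not_world_readable "$demo_pem" &&
    echo "ok: $demo_pem"
rm -rf "$demo_dir"
```

Running valid_for_days against the installed file from cron gives a warning before the next expiry instead of after it.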

Buying and installing a "real" ssl cert is left as an exercise to the reader.

