Randall Perry <[EMAIL PROTECTED]> wrote:
>
> Is there a FAQ showing how to do this? I tried about a year ago but gave up
> due to lack of information.

I don't know if there's a FAQ, but there were these recent posts on the
issue to the mailing list:

| From: Kai Lanz <[EMAIL PROTECTED]>
| Subject: UW imapd and InstantSSL certs
|
|
| We currently run imapd-2002e and support SSL authentication using
| a certificate from Verisign. That cert is about to expire, and we're
| replacing it with certs from InstantSSL (much much cheaper).
|
| It was easy to prepare the Verisign certs for use with imapd -- just
| concatenate the server private key and the host certificate into
| a file called imapd.pem and stick that in /local/ssl/certs/:
|
|     cat server.key pangea.crt > imapd.pem
|
| InstantSSL gives us *two* certificates: a host certificate and a CA
| certificate, i.e. a Comodo intermediate certificate. Can the UW imapd
| work with this certificate-plus-intermediate configuration? What do
| I need to do to prepare our new imapd.pem?
|
| -- Kai Lanz [EMAIL PROTECTED]
|
| From: Mark Crispin <[EMAIL PROTECTED]>
| Subject: Re: UW imapd and InstantSSL certs
|
| On Thu, 1 Jul 2004, Kai Lanz wrote:
| > InstantSSL gives us *two* certificates: a host certificate and a CA
| > certificate, i.e. a Comodo intermediate certificate. Can the UW imapd
| > work with this certificate-plus-intermediate configuration? What do
| > I need to do to prepare our new imapd.pem?
|
| I don't know enough about this to give a guaranteed answer. Hey, I just
| wrote the code, what makes anyone think I know anything! :-)
|
| But anyway, it sounds to me that your host certificate is what would
| become your imapd.pem (and is a private key for imapd).
|
| Separately, you want to install the CA certificate, including making the
| funny symlink via
|     ln -s Comodo.pem `/usr/local/ssl/bin/openssl x509 -noout -hash < Comodo.pem`.0
| (substitute the CA certificate's file name for "Comodo.pem") which will
| make a symlink with an 8-digit hex value and an extension of .0 that
| points to the CA certificate's PEM file
|
| The CA certificate is for Pine to be able to validate what IMAP offers; so
| the CA certificate should be publicly-readable and the imapd.pem should be
| read-protected.
|
| -- Mark --
|
| From: [EMAIL PROTECTED] (Jim Seymour)
| Subject: Re: UW imapd and InstantSSL certs
|
| Kai Lanz <[EMAIL PROTECTED]> wrote:
| >
| >
| [snip]
| >
| > InstantSSL gives us *two* certificates: a host certificate and a CA
| > certificate, i.e. a Comodo intermediate certificate. Can the UW imapd
| > work with this certificate-plus-intermediate configuration? What do
| > I need to do to prepare our new imapd.pem?
|
| Luckily (for you) I just went through this. (UW IMAP's pop3d and
| Postfix SMTP-AUTH/TLS/STARTTLS)
|
| There will be four components to what you'll have to put in imapd.pem,
| when using InstantSSL/Comodo certs:
|
|     Server private key
|     Your server cert.
|     N-year Comodo intermediate cert.
|     GTE N-year root (?) cert.
|
| I don't know if the order's important, but that's the order I put them
| in.
|
| Hope this helped.
|
| (Btw: I've been quite pleased with InstantSSL.)
|
| Jim
|
| From: Kai Lanz <[EMAIL PROTECTED]>
| Subject: SUMMARY: UW imapd and InstantSSL certs
|
|
| Thanks to Mark Crispin and Jim Seymour for their quick responses.
| I had asked about setting up the imapd.pem file using the several
| certificates we get from InstantSSL.
|
| Jim's suggestion seems to be working for us:
|
| >There will be four components to what you'll have to put in imapd.pem,
| >when using InstantSSL/Comodo certs:
| >
| >    Server private key
| >    Your server cert.
| >    N-year Comodo intermediate cert.
| >    GTE N-year root (?) cert.
|
| I catted these four files into a new imapd.pem for our server:
|
|     # cat server.key ourhost_domain_edu.crt ComodoSecurityServicesCA.crt \
|         GTECyberTrustGlobalRoot.crt > imapd.pem.new
|
| Tests with Eudora and the MacOS X Mail.app clients worked as expected.
| I'll probably set up the symlink Mark mentioned as well.
|

So there you go, Randall, hope this helps.

Jim
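
The assembly described in the quoted posts, as an added example that is not part of the original thread and not code from any poster or from UW imapd: before concatenating in the order Jim lists, it checks that the private key matches the server certificate and that each certificate is followed by its issuer, writes the result read-protected, and makes the hash symlink Mark mentions. The function names and the demo-* file names are assumptions; make_demo_chain only builds a constructed throwaway chain to try the checks on.

```shell
#!/bin/sh
# Added example, not from the thread. Function and demo-* names are hypothetical.

# build_imapd_pem OUT KEY SERVER_CERT [ISSUER_CERT...]
build_imapd_pem() {
    out=$1 key=$2 leaf=$3
    shift 3
    # 1. The private key must belong to the server certificate.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "cannot read private key: $key" >&2; return 1; }
    cpub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) ||
        { echo "cannot read certificate: $leaf" >&2; return 1; }
    [ "$kpub" = "$cpub" ] ||
        { echo "$key does not match $leaf" >&2; return 1; }
    # 2. Every certificate must be followed by the certificate of its issuer.
    prev=$leaf
    for next in "$@"; do
        want=$(openssl x509 -in "$prev" -noout -issuer_hash) || return 1
        have=$(openssl x509 -in "$next" -noout -subject_hash) || return 1
        [ "$want" = "$have" ] ||
            { echo "$next is not the issuer of $prev" >&2; return 1; }
        prev=$next
    done
    # 3. Key first, then the chain; umask 077 keeps the file read-protected.
    ( umask 077 && cat "$key" "$leaf" "$@" > "$out.new" ) || return 1
    mv "$out.new" "$out"
}

# link_ca DIR CA_FILE: the <hash>.0 symlink from Mark's reply, made inside DIR.
link_ca() {
    ( cd "$1" && h=$(openssl x509 -in "$2" -noout -hash) &&
      chmod 644 "$2" && ln -sf "$2" "$h.0" )
}

# make_demo_chain DIR: constructed throwaway chain root -> inter -> server.
make_demo_chain() {
    ( cd "$1" || exit 1
      for n in root inter server; do
          openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" \
              -out "$n.csr" -subj "/CN=demo-$n" 2>/dev/null || exit 1
      done
      openssl x509 -req -in root.csr -signkey root.key -days 2 \
          -out root.crt 2>/dev/null &&
      openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
          -set_serial 2 -days 2 -out inter.crt 2>/dev/null &&
      openssl x509 -req -in server.csr -CA inter.crt -CAkey inter.key \
          -set_serial 3 -days 2 -out server.crt 2>/dev/null )
}
```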
