[Imap-uw] Re: [Imap-use] Howto use certificate tree

Tue, 13 Mar 2012 18:27:52 -0700 

On Tue, 13 Mar 2012, Heiko L. wrote:


Hallo


Howto copy cert into imapd.pem that works SSL with uw-imap-2007f?
details s. following tests.


regards Heiko
---------------------------------------------------------------
- test5
rm imapd.pem
cat /tmp/deutsche-telekom-root-ca-2.pem>> imapd.pem
cat /tmp/cacert_global_root_ca.pem >>  imapd.pem
cat ~/server.key >> imapd.pem
cat cert-mydn.pem >>  imapd.pem

result:
                           SSL negotiation failed

---------------------------------------------------------------
- test6
rm imapd.pem
cat ~/server.key >> imapd.pem
cat cert-mydn.pem >>  imapd.pem
cat /tmp/cacert_global_root_ca.pem >>  imapd.pem
cat /tmp/deutsche-telekom-root-ca-2.pem>> imapd.pem

result:
               unable to get local issuer certificate (details)
For what it's worth, here's what we're using for our imapd certifcate files: 

1) host certificate
2) host private key (unencrypted)
3) intermediate CA certicate
4) Global-Root-CA certificate

It looks like your test6 is almost this way.

Put them in the /etc/ssl/certs directory (or where ever the OpenSSL certs
dir is for your distro). Be sure to protect them mode 0400 owned by root,
those private keys need to be unencrypted.

I don't know if it's necessary, but I also put the global-root-CA &
intermediate-CA certs in seperate files in the /etc/ssl/certs
directory and ran the "c_rehash" program to build the fingerprint
links.

Note that if your server has more than one IP-address/hostname, then
you'll need to append the IP address to the name to indicate which
cert file to use for a given connection. If your server support both
IPv4 & IPv6 you'll need both forms of the addresses in the
name suffix.


--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw

Reply via email to