On Thu, 26 Sep 2013, Andrew Daviel wrote:
> We have had UW imapd-2007e running fine for some time.
> Recently our SSL certificate provider announced that we had to upgrade our
> 1024-bit certificate to 2048 before it was revoked.
> The replacement they provided is not signed by a CA in the Mozilla store (and
> hence OpenSSL which copies it) - it uses an intermediate certificate.
> I got Apache to work by following instructions and defining
> SSLCertificateChainFile
> OpenLdap seems happy with the intermediate certificate added to the bundle
> defined as TLSCACertificateFile.
> But imapd does not. It uses a PEM file with both the key and certificate, and
> the OpenSSL library. OpenSSL (at least, the "openssl" shell command), uses
> the bundle in /etc/pki/tls/cert.pem. But Alpine, at least, is unhappy if I
> just add the intermediate certificate to that.
> Is there a solution? Or should we just order a "proper" directly-signed
> certificate?
> uw-imap-2007e
> openssl-0.9.8e-20
> CentOS 5.7
> Linux 2.6.18 x86_64
A properly constructed cert including the intermediate chain in the
cert file should work with uw-imap-2007e. I've been using it that
way for over 3 years now (with two different CAs, Thawte & Comodo).
As more of the root CAs are moving to intermediate chaining certs,
it's going to be increasingly difficult to get "proper" direct-signed
certs, so you might as well figure out how to make it work now.
The trick is to place all the necessary components in your imap/pop
cert file in the correct order.
It will look like:
-----BEGIN CERTIFICATE-----
01234...Data for client cert...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
01234... Data for client private key ...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
1234... Data for intermediate CA cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
1234... Data for Root CA cert
-----END CERTIFICATE-----
Where "01234...Data for ..." represents the base-64 PEM
encoded data block for that particular cert component.
(usually a couple dozen lines.)
Dave
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
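As an added illustration (not code from the thread or from the UW IMAP project), the checker below parses a combined PEM file and reports whether its blocks appear in the order Dave describes: server certificate, then private key, then intermediate CA certificate(s), then the root. It only looks at block labels and base64 validity, not at the X.509 contents, so it catches the layout mistakes that make imapd reject the file rather than a mismatched issuer chain. The function names and the sample bundles are constructed for this example; the PEM bodies are placeholder bytes, not real DER.

```python
"""Check the block order of a combined key+cert PEM file for UW imapd/ipop3d.

Expected layout (from the thread): server CERTIFICATE, then the server's
private key, then intermediate CA CERTIFICATE(s), then the root CA cert.
"""
import base64
import re
import textwrap
from typing import List, Tuple

# One PEM block: BEGIN label, base64 body, END label (re.S lets '.' span lines).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----",
    re.S,
)
KEY_LABELS = {"RSA PRIVATE KEY", "PRIVATE KEY", "EC PRIVATE KEY"}


def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, decoded_bytes) per block; raise ValueError on malformed input."""
    blocks = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} block closed by END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:
            raise ValueError(f"{begin} block is not valid base64") from exc
        blocks.append((begin, der))
    return blocks


def check_imapd_bundle(text: str) -> List[str]:
    """Return a list of layout problems; an empty list means the order is right."""
    try:
        blocks = parse_pem(text)
    except ValueError as exc:
        return [str(exc)]
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    problems = []
    n_keys = sum(1 for label in labels if label in KEY_LABELS)
    if n_keys != 1:
        problems.append(f"expected exactly one private key, found {n_keys}")
    if labels[0] != "CERTIFICATE":
        problems.append(f"first block should be the server CERTIFICATE, found {labels[0]}")
    if len(labels) < 2 or labels[1] not in KEY_LABELS:
        problems.append("second block should be the server's private key")
    for i, label in enumerate(labels[2:], start=3):
        if label != "CERTIFICATE":
            problems.append(f"block {i} should be a CA CERTIFICATE, found {label}")
    # This checker targets intermediate-signed certs, so a missing CA block is flagged.
    if len(labels) < 3:
        problems.append("no intermediate CA certificate after the key; chain is incomplete")
    return problems


def _pem(label: str, payload: bytes) -> str:
    """Build a PEM block from constructed placeholder bytes (not real DER)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(textwrap.wrap(b64, 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample: the layout the reply recommends.
GOOD_BUNDLE = (
    _pem("CERTIFICATE", b"placeholder: server certificate")
    + _pem("RSA PRIVATE KEY", b"placeholder: server private key")
    + _pem("CERTIFICATE", b"placeholder: intermediate CA certificate")
    + _pem("CERTIFICATE", b"placeholder: root CA certificate")
)

# Constructed sample of a common mistake: key first, intermediate left out.
BAD_BUNDLE = (
    _pem("RSA PRIVATE KEY", b"placeholder: server private key")
    + _pem("CERTIFICATE", b"placeholder: server certificate")
)

if __name__ == "__main__":
    import sys

    # Usage: python check_bundle.py /path/to/imapd.pem  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else GOOD_BUNDLE
    issues = check_imapd_bundle(text)
    print("layout OK" if not issues else "\n".join(issues))
```

Run it against the PEM file imapd actually loads before restarting the daemon; a clean result means the blocks are in the expected order, after which `openssl verify` with the CA bundle is still the right tool for confirming that the intermediate really chains to the root.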
_______________________________________________
Imap-uw mailing list
[email protected]
http://mailman2.u.washington.edu/mailman/listinfo/imap-uw