Lee Hoffman wrote on Thu, May 23, 2002 at 06:23:25PM -0400:
> Hey all,
> So after finally getting ssl working with a self-signed certificate, I'm
> trying to make the certificate legit by getting a Thawte signed
> certificate. I read through the cyrus docs and followed them to create
> the original self-signed server.pem file (which worked). My question is
> how do I then generate a CSR from that server.pem file, that I can then
> submit to thawte? Likewise, when I get the new certificate back from
> thawte, do I just paste it into the existing server.pem file, replacing
> the key part of the file? Also, does the command cyrus recommends
> "openssl req -new -x509 -nodes -out /var/imap/server.pem -keyout
> /var/imap/server.pem -days 365" create a 128 bit key pair?
>
> BTW, I also tried following the instructions for Openssl key/csr/crt
> creation on thawte's website (see below). I then changed the cyrus.conf
> to point to the new key and self-signed certificate and it caused cyrus
> to reject ssl logins with the error: "unable to get private key from
> '/var/imap/servername.com.key'" (which does exist and is readable by the
> cyrus user).

AFAIK Thawte does not use .pem, which is a pain with cyrus. The keyfile you mentioned is fine with apache and the like, but you have to

a) convert it to .pem (see openssl docs for this) and
b) strip off any passphrase protection (ditto)

to make it usable with cyrus. This is at least what I had to do with my Thawte signed cert to enable imaps/pops.

If you don't disable passphrase protection, imaps will ask for it upon every client connect (which is completely useless as the client should not know the passphrase and even if he had it, he cannot provide it as he has no controlling tty openssl expects).

Regards,
Birger
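
Added example, not part of the original thread or of the Cyrus or OpenSSL documentation: a shell check that classifies a key file as plain PEM, passphrase-protected PEM, or not PEM at all, the two conditions the reply above says must be fixed before cyrus can load the key. The function name `pem_key_state`, the file names and the key bodies are constructed for illustration.

```shell
#!/bin/sh
# pem_key_state FILE prints one of:
#   plain      PEM private key without a passphrase (what cyrus needs)
#   encrypted  PEM private key protected by a passphrase
#   not-pem    no PEM private key block found (DER or another format)
#   unreadable file missing or not readable by the current user
pem_key_state() {
    f=$1
    [ -r "$f" ] || { echo unreadable; return 0; }
    # PKCS#8 encrypted keys say so in the BEGIN line itself.
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo encrypted
    # Any other PEM private key block (RSA, EC, unencrypted PKCS#8).
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$f"; then
        # Traditional OpenSSL format marks encryption in a header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
            echo encrypted
        else
            echo plain
        fi
    else
        echo not-pem
    fi
}

# Constructed sample files; the base64 body is a placeholder, not a key.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' '' \
    'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/encrypted.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'Q09OU1RSVUNURUQ=' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/plain.key"
printf 'constructed non-PEM content\n' > "$demo_dir/der.key"

# Run the check as the cyrus user in practice, so "unreadable" is meaningful.
for k in encrypted.key plain.key der.key; do
    printf '%s: %s\n' "$k" "$(pem_key_state "$demo_dir/$k")"
done
```

A file reported as `encrypted` needs its passphrase removed, for example with `openssl rsa -in old.key -out new.key` (placeholder file names), and the resulting file should be readable only by the cyrus user.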
