On Fri, Sep 28, 2001 at 09:02:52AM +0200, Ishai Parasol wrote:
> Hi
>
> I have installed QPopper4.0.3 with tls/ssl enabled and I'm trying to make
> the tls/ssl keys,
> following the instructions in the user manual. My problem is that I don't
> understand what to do next after creating the cert.pem file. What I did was:
> openssl req -new -nodes -out req.pem -keyout /etc/mail/certs/cert.pem
>
> But here the manual tells me to send the certificate signing request
> (req.pem) to my certificate authority signing and I should get back a signed
> request.
> If one of you guys has any experience with this subject I'll be really glad
> to get an
> explanation what exactly should I do here, where to send what ?

You have two options:

1. If you plan to have this server offering services to the broad population, you'd want to order a certificate from one of the CAs (e.g. Thawte). The CA will request your official papers and certify that you're a real entity (person or company). The verification process and the certificate will, of course, cost you money.
   The technical procedure is:
   a. Generate a certificate request and private key with 'openssl req'.
   b. Send the req.pem to the CA and wait for them to verify your documents and send you back a signed certificate.

2. If you plan to have this server offering services to yourself or just people in your organization, friends etc. you can generate the certificate yourself. The SSL-supporting mailers will present a warning upon connecting (since it's not an official CA-signed certificate), but if the users trust you, they can tell the mailer to explicitly trust your certificate.
   The technical procedure is:
   a. Generate a certificate with 'openssl req':

      openssl req -new -x509 -nodes -days 365 -newkey rsa:1024 -keyout 'key' -out 'certificate'

   (*) -nodes specifies the private key won't be encrypted and won't require you to input a password to use it. It might be the best option for you if you want QPopper to be able to start up unattended (instead of waiting for someone to type a password on the server's console).
   (**) -x509 allows you to skip the certificate request generation step. The resulting certificate would be "self-signed", which should be enough for your needs.
   (***) -days 365 indicates how many days from today the certificate will be valid.
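
Both options from the reply, with the checks worth running before the server is pointed at the files, as an added shell example that is not part of the original message. The host name pop.example.org, the file names and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example; file names, host name and key size are assumptions.
set -eu

# Option 1: private key + signing request (req.pem goes to the CA, the key stays).
make_csr() {         # $1=dir $2=common name
    ( umask 077; openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$2" \
        -keyout "$1/csr-key.pem" -out "$1/req.pem" 2>/dev/null )
}

# Option 2: private key + self-signed certificate in one step.
make_selfsigned() {  # $1=dir $2=common name $3=days
    ( umask 077; openssl req -new -x509 -nodes -days "$3" -newkey rsa:2048 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null )
}

# The certificate must carry the public half of the key the server will load.
key_matches_cert() { # $1=key $2=cert
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Self-signed means issuer and subject are the same name.
is_self_signed() {   # $1=cert
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$1" -noout -subject_hash)" ]
}

# True if the certificate is still valid $2 days from now.
valid_in_days() {    # $1=cert $2=days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# -nodes leaves the key unencrypted, so its file mode is the only protection.
key_is_private() {   # $1=key
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

dir=$(mktemp -d)
make_csr "$dir" pop.example.org
make_selfsigned "$dir" pop.example.org 365
openssl req -in "$dir/req.pem" -noout -verify >/dev/null 2>&1  # CSR signature check
key_matches_cert "$dir/key.pem" "$dir/cert.pem" && echo "key matches certificate"
is_self_signed "$dir/cert.pem" && echo "certificate is self-signed"
valid_in_days "$dir/cert.pem" 364 && echo "valid for at least 364 more days"
key_is_private "$dir/key.pem" && echo "key not readable by group/other"
```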
