Mark,

Thank you!  I followed your suggestion and it works like a charm, so the
problem itself is solved... of course, I'm not particularly sure why this
works when the regular CA.pl signing script doesn't.  What is being done
here that isn't being done by the CA script?

Sage


----- Original Message -----
From: "Mark D. Baushke" <[EMAIL PROTECTED]>
To: "Sage" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, April 05, 2002 1:27 AM
Subject: Re: imaps/pop3s certificates


> Hi Sage,
>
> I have done something like the following in a similar situation...
>
>   mkdir new-directory
>   cd new-directory
>   echo create a new Certificate Authority certificate
>   CA.pl -newca
>   mv demoCA/cacert.pem demoCA/cacert.pem.old
>   openssl x509 -in demoCA/cacert.pem.old -signkey demoCA/private/cakey.pem \
>           -days 1825 -out demoCA/cacert.pem
>   rm demoCA/cacert.pem.old
>   openssl x509 -inform pem -in demoCA/cacert.pem -outform der -out demoCA/cacert.der
>
>   echo now create and sign the new mail certificate
>   openssl req -new -nodes -keyout mail.key.pem -out mail.req.pem
>   openssl ca -policy policy_anything -out mail.cert.pem -infiles mail.req.pem
>   openssl gendh 512 > mail.dh.pem
>   echo now paste everything together that you need
>   echo the private key, the signed certificate and the dh parameters
>   cat mail.key.pem mail.cert.pem mail.dh.pem > ipop3d.pem
>
> Now place copies of demoCA/cacert.pem and demoCA/cacert.der on a web
> page someplace where folks can download them and add them to their
> mail user agent.
>
> You should now be able to test your pop3 server using something like
>
>    openssl s_client -CAfile cacert.pem -showcerts -host 127.1 -port 995
>
> There are probably 'better' ways to do the job, but the above seems to
> work okay for me.
>
> Good luck,
> -- Mark
>
> > Message-ID: <005f01c1dc4d$5b9a5cc0$6f5ce0ce@webmaster>
> > From: "Sage" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Subject: imaps/pop3s certificates
> > Date: Thu, 4 Apr 2002 20:55:31 -0600
> >
> > I'm using RedHat 7.1, which has its own SSL-wrapped pop3 server.
> > Turning it on is simply a matter of running ntsysv and checking the
> > "pop3s" option.  It does, however, require a digital certificate in
> > order to run.  I can cd to /usr/share/ssl/certs and run "make
> > ipop3d.pem" but this only produces a self-signed test certificate.  It
> > works, and the server runs, but an email client (most notably Outlook
> > Express) will query the user as to whether he or she wants to trust the
> > self-signed certificate before it will connect to the server.  And it
> > has to ask the user this every time the email client opens.  I want to
> > eliminate this.
> >
> > I would have thought that I could create my own self-signed CA
> > certificate, and use that to sign the cert used by the pop3s server,
> > but I can't even get the server to run using the certs that I make
> > with openssl.  I'm using the CA.sh and CA.pl scripts, and following
> > the obvious steps in order:
> > ./CA.sh -newca, ./CA.sh -newreq, ./CA.sh -sign
> >
> > This all seems to work, and generates a newcert.pem file for me, but
> > this is very different from the self-signed ipop3d.pem cert that is
> > generated by 'make'.  The ipop3d.pem file includes an RSA Private Key,
> > and the newcert.pem file does not (at least, as far as I can see).  The
> > newcert.pem file also includes a lot of header info that I don't
> > understand (forgive me, I'm very new to this), and which is not
> > included in the ipop3d.pem file.  If I try to use the newcert.pem file
> > as the certificate for the secure pop3 server, the server won't run at
> > all.
> >
> > I'm stuck.  I've been trying for two full days to get this to work,
> > and I guess it's time to admit I need help... is it even possible to
> > do what I'm trying to do, and if so, what am I doing wrong?  Can
> > anybody help?
> >
> > I'm using RedHat 7.1 and OpenSSL 0.9.6-3.  If anybody can help me
> > figure out what I'm doing wrong, I'd greatly appreciate it. :)
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    [EMAIL PROTECTED]
> > Automated List Manager                           [EMAIL PROTECTED]
> >
>
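The same flow as Mark's recipe done with plain openssl commands in a scratch directory, followed by a check that the pasted-together bundle actually carries a private key, a certificate that chains to the CA, and a key that matches that certificate. This is an added example, not Mark's script or OpenSSL project code; it substitutes `openssl x509 -req` for `openssl ca` so no demoCA/ bookkeeping files are needed, omits the DH parameters, and the subject names (Example Mail CA, mail.example.test) are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: Mark's flow with plain openssl
# commands, then a check that the pasted-together bundle is deployable.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# 1. Self-signed CA key and certificate (what CA.pl -newca produces);
#    1825 days matches the re-signing step in the recipe. Subject is constructed.
openssl req -x509 -newkey rsa:2048 -nodes -days 1825 \
  -subj "/CN=Example Mail CA" -keyout cakey.pem -out cacert.pem 2>/dev/null

# 2. Server key plus signing request (the "openssl req -new -nodes" step).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
  -keyout mail.key.pem -out mail.req.pem 2>/dev/null

# 3. Sign the request with the CA. "openssl x509 -req" stands in for
#    "openssl ca" so no demoCA/ index.txt or serial files are needed.
openssl x509 -req -in mail.req.pem -CA cacert.pem -CAkey cakey.pem \
  -CAcreateserial -days 365 -out mail.cert.pem 2>/dev/null

# 4. Paste key and certificate together, as the recipe does (DH params omitted).
cat mail.key.pem mail.cert.pem > ipop3d.pem

# check_bundle BUNDLE CAFILE: returns 0 only if BUNDLE holds a private key
# and a certificate, the certificate chains to CAFILE, and the key is the
# one the certificate was issued for. A cert-only file (like newcert.pem
# without its key) fails the first test.
check_bundle() {
  bundle=$1; ca=$2
  grep -q 'BEGIN .*PRIVATE KEY' "$bundle" || return 1
  grep -q 'BEGIN CERTIFICATE' "$bundle" || return 1
  # openssl x509 skips the key block and reads the first certificate.
  openssl x509 -in "$bundle" -out "$bundle.crt" 2>/dev/null || return 1
  openssl verify -CAfile "$ca" "$bundle.crt" >/dev/null 2>&1 || return 1
  kmod=$(openssl rsa -in "$bundle" -noout -modulus 2>/dev/null) || return 1
  cmod=$(openssl x509 -in "$bundle.crt" -noout -modulus 2>/dev/null) || return 1
  [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

check_bundle ipop3d.pem cacert.pem && echo "ipop3d.pem is ready for the pop3s server"
```

Run `check_bundle` against whatever file the server is pointed at; a file that only contains a certificate, which is what Sage describes newcert.pem as, is rejected before it ever reaches the server.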
