Here's my procedure. It works every time. Take special note of #5 below.
# 1. Create the key (below). For other than a self-signed cert. use options other than 1c.
1a) openssl genrsa -out x.key 2048
1b) openssl req -new -key x.key -out x.csr
1c) openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
1d) cat x.crt x.key > mailkey.crt
# 2. Copy the key (mailkey.crt) to /var/qmail/control/servercert.pem
# 3. Restart Qmail
# 4. Import the key to trusted root server in Internet Explorer
# 5. Make sure the name of the server (CN) when creating the certificate, whether FQDN
# or IP address, is used in the server information incoming and outgoing fields
# of the mail client.
# 6. Restart the mail client
On 2/1/2014 9:26 AM, Richard Baxant wrote:
> Yes I followed the first part. It gave me the information to cat the
> files to create the pem. The rest is self-signed certs and I do not
> want that part.
>
>
> On Sat, Feb 1, 2014 at 10:52 AM, Eric Shubert <[email protected]> wrote:
>
> On 02/01/2014 08:09 AM, Richard Baxant wrote:
>
> Has anyone got this to work in qmailtoaster with this brand of SSL at
> 2048 encryption?
>
> I can see that qmail has the clientcert.pem -> servercert.pem. I looked
> at the internals of the file to see the order of the keys. I cannot
> figure out other than the test cert is 1024 encryption and mine is 2048.
>
> Comodo gives 2 files after you provide the server.csr:
> domain_com.ca-bundle & domain_com.crt
>
> I have tried variations of "cat" Using the myserver.key on the files to
> create the "pem" file, restarting qmail after each change and I get a
> failure each time in Thunderbird for STARTTLS with a no authentication.
>
> Anyone have some insight as to where I am going wrong?
>
> The original test cert that comes with the qmailtoaster works with an
> obvious warning due the information provided does not match my server
>
> I am also aware that I can create a self-signed cert but that is not
> what I am trying to accomplish
>
> Thanks in advance
>
> ricbax
>
>
> Is this helpful?:
> http://wiki.qmailtoaster.com/index.php/Certificate
>
> --
> -Eric 'shubes'
>
>
>
>
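Added example, not part of the original thread: a shell check for the combined file from step 1d that confirms the private key and certificate in it belong together and compares the certificate's CN with the server name entered in the mail client (step 5). It assumes the `openssl` command-line tool; the function names, the sample name `mail.example.test`, the address `192.0.2.10` and the use of `-subj` to skip the interactive prompts are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): checks for a combined servercert.pem.

# Succeeds when the private key and the first certificate in file $1 belong together.
pem_key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Prints the subject CN of the first certificate in file $1.
pem_cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Succeeds when the server name typed into the mail client ($2) equals the CN (step 5).
pem_name_matches() {
    [ "$(pem_cert_cn "$1")" = "$2" ]
}

# Prints a short report for file $1 and client server name $2.
report_pem() {
    if pem_key_matches_cert "$1"; then echo "key/cert: match"
    else echo "key/cert: MISMATCH (wrong key or wrong certificate in the file)"; fi
    if pem_name_matches "$1" "$2"; then echo "client name '$2': equals CN"
    else echo "client name '$2': differs from CN '$(pem_cert_cn "$1")'"; fi
}

# Constructed sample: throwaway self-signed pair built as in steps 1a-1d.
# -subj (CN only) replaces the interactive prompts; 1 day validity is enough here.
make_sample_pem() {
    dir=$1; cn=$2
    openssl genrsa -out "$dir/x.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/x.key" -subj "/CN=$cn" -out "$dir/x.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/x.csr" -signkey "$dir/x.key" \
        -out "$dir/x.crt" 2>/dev/null &&
    cat "$dir/x.crt" "$dir/x.key" > "$dir/mailkey.crt"
}

# Demo: the client is configured with an IP address while the CN is a hostname.
demo_dir=$(mktemp -d) && make_sample_pem "$demo_dir" mail.example.test &&
    report_pem "$demo_dir/mailkey.crt" 192.0.2.10
rm -rf "$demo_dir"
```

On a real server, `report_pem /var/qmail/control/servercert.pem` followed by the name used in the mail client can be run before restarting qmail; only the first certificate in the file is examined.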