Here's my procedure. It works every time. Take special note of #5 below.

# 1. Create the key (below). For other than a self-signed cert, use options other than 1c.
    1a) openssl genrsa -out x.key 2048
    1b) openssl req -new -key x.key -out x.csr
    1c) openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
    1d) cat x.crt x.key > mailkey.crt
# 2. Copy the key (mailkey.crt) to /var/qmail/control/servercert.pem
# 3. Restart Qmail
# 4. Import the key to trusted root server in Internet Explorer
# 5. Make sure the name of the server (CN) when creating the certificate, whether FQDN
#    or IP address, is used in the server information incoming and outgoing fields
#    of the mail client.
# 6. Restart the mail client



On 2/1/2014 9:26 AM, Richard Baxant wrote:
> Yes I followed the first part. It gave me the information to cat the
> files to create the pem. The rest is self-signed certs and I do not
> want that part.
>
>
> On Sat, Feb 1, 2014 at 10:52 AM, Eric Shubert <e...@shubes.net> wrote:
>
>     On 02/01/2014 08:09 AM, Richard Baxant wrote:
>
>         Has anyone got this to work in qmailtoaster with this brand of
>         SSL at 2048 encryption?
>
>         I can see that qmail has the clientcert.pem -> servercert.pem.
>         I looked at the internals of the file to see the order of the
>         keys. I cannot figure out other than the test cert is 1024
>         encryption and mine is 2048.
>
>         Comodo gives 2 files after you provide the server.csr:
>         domain_com.ca-bundle & domain_com.crt
>
>         I have tried variations of "cat" using the myserver.key on the
>         files to create the "pem" file, restarting qmail after each
>         change, and I get a failure each time in Thunderbird for
>         STARTTLS with a no authentication.
>
>         Anyone have some insight as to where I am going wrong?
>
>         The original test cert that comes with the qmailtoaster works
>         with an obvious warning due the information provided does not
>         match my server.
>
>         I am also aware that I can create a self-signed cert but that
>         is not what I am trying to accomplish.
>
>         Thanks in advance
>
>         ricbax
>
>
>     Is this helpful?:
>     http://wiki.qmailtoaster.com/index.php/Certificate
>
>     -- 
>     -Eric 'shubes'
>
>
>
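A pre-install check for the combined PEM from steps 1d and 5 of the procedure at the top of this message, as an added example that is not part of the original thread: it confirms that the private key belongs to the first certificate in the file and that the name typed into the mail client matches the certificate. The function names and the hostname `mail.example.test` are assumptions made for illustration, and only the FQDN case is covered.

```shell
#!/bin/sh
# Added example: sanity-check a combined cert+key PEM before installing it.

# Build a throwaway self-signed bundle with steps 1a-1d (constructed sample).
make_sample_bundle() {  # usage: make_sample_bundle DIR CN
    openssl genrsa -out "$1/x.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/x.key" -subj "/CN=$2" -out "$1/x.csr" &&
    openssl x509 -req -days 1 -in "$1/x.csr" -signkey "$1/x.key" \
        -out "$1/x.crt" 2>/dev/null &&
    cat "$1/x.crt" "$1/x.key" > "$1/mailkey.crt"
}

# Returns 0 if OK, 1 = cert or key block missing, 2 = key does not belong
# to the first certificate, 3 = name does not match the certificate.
check_pem_bundle() {  # usage: check_pem_bundle PEMFILE HOSTNAME
    pem=$1 host=$2
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" &&
    grep -q -e 'PRIVATE KEY-----' "$pem" || {
        echo "missing certificate or private key block" >&2; return 1; }

    # Public key embedded in the first certificate vs. the one derived
    # from the private key: they must be identical.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match certificate" >&2; return 2; }

    # -checkhost compares against subjectAltName DNS entries, or the CN
    # when the certificate has none (as with the self-signed steps above).
    openssl x509 -in "$pem" -noout -checkhost "$host" |
        grep -q 'does match' || {
        echo "$host does not match the certificate name" >&2; return 3; }
}

# Demo on a constructed bundle (hostname is a made-up example).
tmp=$(mktemp -d) && make_sample_bundle "$tmp" mail.example.test &&
    check_pem_bundle "$tmp/mailkey.crt" mail.example.test && echo "bundle OK"
rm -rf "$tmp"
```

Run `check_pem_bundle` against the assembled file before copying it to `/var/qmail/control/servercert.pem`, passing the same server name the mail client is configured with.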
