Re: [qmailtoaster] Re: STARTTLS + ComodoSSL Free + 2048 Encryption

2014-02-01 Thread Richard Baxant
Yes I followed the first part. It gave me the information to cat the files
to create the pem. The rest is self-signed certs and I do not want that
part.


On Sat, Feb 1, 2014 at 10:52 AM, Eric Shubert e...@shubes.net wrote:

 On 02/01/2014 08:09 AM, Richard Baxant wrote:

 Has anyone got this to work in qmailtoaster with this brand of SSL at
 2048 encryption?

 I can see that qmail has the clientcert.pem - servercert.pem. I looked
 at the internals of the file to see the order of the keys. I cannot
 figure out other than the test cert is 1024 encryption and mine is 2048.

 Comodo gives 2 files after you provide the server.csr:
 domain_com.ca-bundle  domain_com.crt

 I have tried variations of cat using the myserver.key on the files to
 create the pem file, restarting qmail after each change and I get a
 failure each time in Thunderbird for STARTTLS with a no authentication.

 Anyone have some insight as to where I am going wrong?

 The original test cert that comes with the qmailtoaster works with an
 obvious warning due to the information provided not matching my server

 I am also aware that I can create a self-signed cert but that is not
 what I am trying to accomplish

 Thanks in advance

 ricbax


 Is this helpful?:
 http://wiki.qmailtoaster.com/index.php/Certificate

 --
 -Eric 'shubes'


 -
 To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
 For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com




Re: [qmailtoaster] Re: STARTTLS + ComodoSSL Free + 2048 Encryption

2014-02-01 Thread Eric Broch
Here's my procedure. It works every time. Take special note of #5 below.

# 1. Create the key (below). For other than a self-signed cert. use
#    options other than 1c.
1a) openssl genrsa -out x.key 2048
1b) openssl req -new -key x.key -out x.csr
1c) openssl x509 -req -days 3650 -in x.csr -signkey x.key -out x.crt
1d) cat x.crt x.key > mailkey.crt
# 2. Copy the key (mailkey.crt) to /var/qmail/control/servercert.pem
# 3. Restart Qmail
# 4. Import the key to trusted root server in Internet Explorer
# 5. Make sure the name of the server (CN) when creating the
#    certificate, whether FQDN or IP address, is used in the server
#    information incoming and outgoing fields of the mail client.
# 6. Restart the mail client



On 2/1/2014 9:26 AM, Richard Baxant wrote:
 Yes I followed the first part. It gave me the information to cat the
 files to create the pem. The rest is self-signed certs and I do not
 want that part.


 On Sat, Feb 1, 2014 at 10:52 AM, Eric Shubert e...@shubes.net wrote:

 On 02/01/2014 08:09 AM, Richard Baxant wrote:

 Has anyone got this to work in qmailtoaster with this brand of SSL at
 2048 encryption?

 I can see that qmail has the clientcert.pem - servercert.pem. I looked
 at the internals of the file to see the order of the keys. I cannot
 figure out other than the test cert is 1024 encryption and mine is 2048.

 Comodo gives 2 files after you provide the server.csr:
 domain_com.ca-bundle  domain_com.crt

 I have tried variations of cat using the myserver.key on the files to
 create the pem file, restarting qmail after each change and I get a
 failure each time in Thunderbird for STARTTLS with a no authentication.

 Anyone have some insight as to where I am going wrong?

 The original test cert that comes with the qmailtoaster works with an
 obvious warning due to the information provided not matching my server

 I am also aware that I can create a self-signed cert but that is not
 what I am trying to accomplish

 Thanks in advance

 ricbax


 Is this helpful?:
 http://wiki.qmailtoaster.com/index.php/Certificate

 -- 
 -Eric 'shubes'


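
For the CA-issued case asked about in this thread (a .crt, a .ca-bundle and the private key joined into servercert.pem), the following is an added example, not code from either poster or from the qmailtoaster project. The function names are hypothetical, and it assumes the TLS code loads the file as a certificate chain, so the server's own certificate has to be the first certificate in the file.

```shell
#!/bin/sh
# Added example, not from the thread. File names are placeholders.

# List the PEM block types in a file, in order, one per line.
pem_layout() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Join leaf certificate, private key and CA bundle into one PEM file.
# awk 1 terminates a last line that lacks a newline, so the next BEGIN
# marker is not glued to the previous END marker; tr drops CRs from
# files saved with Windows line endings. umask keeps the key private.
build_pem() {  # usage: build_pem leaf.crt server.key ca-bundle out.pem
    ( umask 077 && awk 1 "$1" "$2" "$3" | tr -d '\r' > "$4" )
}

# Structural check: exactly one private key, at least one certificate.
check_layout() {
    keys=$(pem_layout "$1" | grep -c 'PRIVATE KEY$' || true)
    certs=$(pem_layout "$1" | grep -c '^CERTIFICATE$' || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ]
}

# Cryptographic check (needs openssl): the first certificate in the
# file must carry the public key of the private key in the same file.
# Returns 0 on match, 1 on mismatch, 2 if either part cannot be read.
key_matches_first_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}
```

A mismatch from key_matches_first_cert usually means the CA bundle was concatenated ahead of the server certificate, or the key belongs to a different CSR.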