Re: Setting up good certs for ports/mail/imap-uw?
On Jul 28, 2004, at 6:58 PM, Tom Limoncelli wrote: The instructions for ports/mail/imap-uw tell you that make cert generates certs that are self-signed and warns you that it is better to get real certs but doesn't explain how to do that. Any suggestions? Thanks to Simon J. Oliver for the answer. The .csr isn't generated. Here's a patch for the Makefile (submitted to the port maintainer) to generate the file. Or you can manually do: cd /usr/local/certs openssl x509 -x509toreq -in imapd.pem -signkey imapd.pem -out imapd.csr The imapd.csr file is the data that gets submitted to the signing authority. --Tom *** /usr/ports/mail/imap-uw/Makefile.ORIG Sun Aug 1 21:07:54 2004 --- /usr/ports/mail/imap-uw/MakefileSun Aug 1 21:43:26 2004 *** *** 113,119 --- 113,123 @${INSTALL} -d -o root -g wheel -m 0755 ${PREFIX}/certs @openssl req -new -x509 -days 365 -nodes -config ${FILESDIR}/imap-uw.cnf -out ${PREFIX}/certs/imapd.pem -keyout ${PREFIX}/certs/imapd.pem @openssl x509 -subject -dates -fingerprint -noout -in ${PREFIX}/certs/imapd.pem + @openssl x509 -x509toreq -in ${PREFIX}/certs/imapd.pem -signkey ${PREFIX}/certs/imapd.pem -out ${PREFIX}/certs/imapd.csr @${CHMOD} 700 ${PREFIX}/certs/imapd.pem @${LN} -s ${PREFIX}/certs/imapd.pem ${PREFIX}/certs/ipop3d.pem ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Setting up good certs for ports/mail/imap-uw?
Tom Limoncelli wrote: The instructions for ports/mail/imap-uw tell you that make cert generates certs that are self-signed and warns you that it is better to get real certs but doesn't explain how to do that. Any suggestions? real certs are ones signed by a well-known registrar like Verisign, EnTrust, Thawte, etc. To get one, you generate a CSR (certificate signing request) as done in make cert, only you send that CSR to the registrar and pay them to sign it, very much like one does when getting a real SSL cert to do HTTPS. There is nothing magic about the well-known registrars, except that their CA certificates already ship as pre-trusted with the email clients and web browsers that most people use. -- -Chuck ___ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to [EMAIL PROTECTED]