Hi.

Of course an official certificate is always better if you plan to offer services more widely than inside the company etc. Otherwise it doesn't give any extra security to have your certificate signed by a "trusted" party. You trust yourself, don't you ;)? Certificates expire after the date you set them to expire. In the example copied from the HOWTO, they expire after 999 days (~3 years). I usually set the expiry to 3650; I got tired of creating new certificates. Using the same self-signed root certificate to sign the actual certificates (imaps, https) keeps it simple and clear.

w/regards,

 Mikko Toivola


On 27.11.2007, at 7:56, jekillen wrote:

regarding the following text from

Postfix-Cyrus-Web-cyradm-HOWTO

Creating the TLS/SSL Certificate

If you want to enable Cyrus' TLS/SSL facilities, you have to create a certificate first. This requires an OpenSSL installation.

openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
-signkey new.key.pem -days 999

mkdir /var/imap

cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem

chown cyrus:mail /var/imap/server.pem
chmod 600 /var/imap/server.pem # Your key should be protected

echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf

Would it not be more appropriate and credible to get an
official certificate, or use one that already is in effect for
other ssl related network activity, e.g. https?

I have created certificates for Apache for testing ssl
connections.  But these expire after a year and are
not recognized by commercial web and e-mail software
(and why would they? It would defeat the purpose).

Thanks
Jeff K

_______________________________________________
This mailing list is hosted and supported
by bit-heads GmbH | http://www.bit-heads.ch

_______________________________________________
Web-cyradm mailing list
[email protected]
http://www.web-cyradm.org/mailman/listinfo/web-cyradm
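
The approach suggested in the reply, one self-signed root that signs the per-service certificates (imaps, https), as an added example that is not part of either message or of the HOWTO. Host names, file names and the 825-day service lifetime are constructed; OpenSSL 1.1.0 or later is assumed.

```shell
#!/bin/sh
# Added example; host names, file names and lifetimes are constructed.
set -eu

# One long-lived self-signed root. Its key only signs and is never deployed.
make_root() {  # $1 = work dir
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/ca.cnf" -extensions v3_ca \
        -subj "/O=Example Org/CN=Example Internal Root" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    chmod 600 "$1/ca.key"
}

# Per-service key plus a certificate signed by the root.
issue_cert() {  # $1 = work dir, $2 = host name, $3 = days valid
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" \
        > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days "$3" -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
    chmod 600 "$1/$2.key"
}

# Succeeds only if the certificate chains to the given root.
chains_to() {  # $1 = root cert, $2 = server cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# For Cyrus: tls_ca_file -> ca.crt, tls_cert_file -> <host>.crt,
# tls_key_file -> <host>.key. Clients import ca.crt once.
d=$(mktemp -d)
make_root "$d"
issue_cert "$d" imap.example.test 825
issue_cert "$d" www.example.test 825
chains_to "$d/ca.crt" "$d/imap.example.test.crt" && echo "imap: chains to root"
chains_to "$d/ca.crt" "$d/www.example.test.crt" && echo "https: chains to root"
```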
