On Nov 28, 2007, at 10:58 PM, Mikko Toivola wrote:

Hi.

Of course an official certificate is always better if you plan to offer services more widely than inside the company etc. Otherwise it doesn't give any extra security to have your certificate signed by a "trusted" party. You trust yourself, don't you ;)? Certificates expire after the date you set them to expire. In the example copied from the HOWTO, they expire after 999 days (~3 years). I usually set the expiry to 3650; got tired of creating new certificates. Using the same self-signed root certificate to sign actual certificates (imaps, https) keeps it simple and clear.

w/regards,

 Mikko Toivola

Now that you mention it, there was something about SSL not being supported, and the interface was intended to be used at and on localhost, if I understand correctly. So a formal cert would be like a gold-plated door knob on the inside of your closet door. But I have other reasons to have a formal cert. But this I can do to get up and running. All of this software is a significant bundle for me, so as I learn by doing I do not want to do too much at once and get lost.
Thanks for the response.
Jeff K


On 27.11.2007, at 7:56, jekillen wrote:

regarding the following text from

Postfix-Cyrus-Web-cyradm-HOWTO

Creating the TLS/SSL Certificate

If you want to enable Cyrus' TLS/SSL facilities, you have to create a certificate first. This requires an OpenSSL installation

openssl req -new -nodes -out req.pem -keyout key.pem
openssl rsa -in key.pem -out new.key.pem
openssl x509 -in req.pem -out ca-cert -req \
-signkey new.key.pem -days 999

mkdir /var/imap

cp new.key.pem /var/imap/server.pem
rm new.key.pem
cat ca-cert >> /var/imap/server.pem

chown cyrus:mail /var/imap/server.pem
chmod 600 /var/imap/server.pem # Your key should be protected

echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf

Would it not be more appropriate and credible to get an
official certificate, or use one that already is in effect for
other ssl related network activity; E.G. https?

I have created certificates for Apache for testing ssl
connections.  But these expire after a year and are
not recognized by commercial web and e-mail software
(and why would they? It would defeat the purpose).

Thanks
Jeff K
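
The reply above suggests using one self-signed root certificate to sign the actual service certificates (imaps, https). The script below is an added example of that layout, not taken from the HOWTO or from either poster; the CA name, the host name imap.example.internal, the file names and the RSA key size are constructed placeholders, and it assumes an OpenSSL installation with its default configuration file.

```shell
#!/bin/sh
# Added example: a private root CA that signs per-service certificates.
# All names and paths below are constructed placeholders.

make_ca() {        # $1 = directory that will hold the CA key and certificate
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir"
    # Self-signed root, 3650 days as in the reply above
    openssl req -x509 -new -nodes -newkey rsa:2048 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -days 3650 -subj "/CN=Demo Internal Root CA" 2>/dev/null
    chmod 600 "$dir/ca.key"   # the CA key stays off the mail server
}

issue_cert() {     # $1 = CA directory, $2 = host name the clients connect to
    dir=$1 host=$2
    # The service gets its own key and a signing request
    openssl req -new -nodes -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host" 2>/dev/null
    chmod 600 "$dir/$host.key"
    # Current clients match the host name against subjectAltName, not the CN
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" \
        > "$dir/$host.ext"
    # Sign with the root; 999 days as in the HOWTO
    openssl x509 -req -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 999 -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

verify_cert() {    # $1 = CA directory, $2 = host name; true only if chain and name match
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/$2.crt" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work"
issue_cert "$work" imap.example.internal
verify_cert "$work" imap.example.internal && echo "chain and host name verify"
verify_cert "$work" www.example.internal || echo "other host name is rejected"
```

Only the service key and certificate go where tls_key_file and tls_cert_file point; ca.crt is the file clients import and the one tls_ca_file should name, while ca.key stays on the machine that does the signing.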

_______________________________________________
This mailing list is hosted and supported
by bit-heads GmbH | http://www.bit-heads.ch

_______________________________________________
Web-cyradm mailing list
[email protected]
http://www.web-cyradm.org/mailman/listinfo/web-cyradm
