Hello all;

Does anyone know if it's possible to have a dual certificate setup on Dovecot like in Postfix or Apache?

I tried to add several crts in the local_name section:

local_name imap.server.tdl {
  ssl_cert = <server_rsa_crt.pem
  ssl_key = <server_rsa_key.pem
  ssl_cert = <server_ecdsa_crt.pem
  ssl_key = <server_ecdsa_key.pem
}

but it seems that Dovecot takes the last one (ecdsa) and that the rsa cert is not used.

To check if both are working, I check with openssl:

openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-RSA-AES128-GCM-SHA256

for rsa, and

openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-ECDSA-AES128-GCM-SHA256

for ecdsa.

In Apache we have to duplicate the cert / key lines, one for rsa, one for ecdsa.

In Postfix, we have some specific ecdsa conf keys.

So is there a way to do the same in Dovecot?
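The two s_client invocations above check by hand which key type the server presents under an RSA-only and an ECDSA-only cipher restriction. The script below is an added example (not code from the thread or from the Dovecot project) that automates the same check: it builds the two openssl s_client command lines, parses the output, and reports whether both certificates are being served. The s_client outputs embedded in it are constructed samples, not real captures; the live check assumes an openssl binary on PATH and network access.

```python
"""Verify that an IMAP server serves both an RSA and an ECDSA certificate.

Added example: wraps the manual openssl s_client checks from the thread.
The SAMPLE_* strings are constructed s_client output, not real captures.
"""
import re
import subprocess
from typing import Dict, List, Optional

# TLS 1.2 suites whose name pins the authentication algorithm. TLS 1.3 suite
# names carry no auth info, so the live check also forces -tls1_2.
CIPHERS = {
    "RSA": "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDSA": "ECDHE-ECDSA-AES128-GCM-SHA256",
}


def auth_from_cipher(cipher: str) -> Optional[str]:
    """Return 'RSA' or 'ECDSA' from a TLS 1.2 suite name, None otherwise."""
    if cipher.startswith("TLS_"):          # TLS 1.3 name: no auth component
        return None
    m = re.match(r"(?:ECDHE|DHE)-(RSA|ECDSA)-", cipher)
    return m.group(1) if m else None


def server_auth_type(s_client_output: str) -> Optional[str]:
    """Parse openssl s_client output; None means no handshake completed,
    which is what you see when the server lacks a cert for that cipher."""
    if "no peer certificate available" in s_client_output:
        return None
    # OpenSSL 1.1.1+ prints the peer's signature algorithm. Prefer it because
    # it also works for TLS 1.3; RSA-PSS still means an RSA certificate.
    m = re.search(r"^Peer signature type:\s*(\S+)", s_client_output, re.M)
    if m:
        return "ECDSA" if m.group(1).upper().startswith("ECDSA") else "RSA"
    # Older OpenSSL: fall back to the negotiated suite in the SSL-Session block.
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    return auth_from_cipher(m.group(1)) if m else None


def s_client_cmd(host: str, port: int, cipher: str) -> List[str]:
    """STARTTLS IMAP check restricted to one cipher and to TLS 1.2."""
    return ["openssl", "s_client", "-connect", f"{host}:{port}",
            "-starttls", "imap", "-servername", host,
            "-cipher", cipher, "-tls1_2"]


def dual_cert_ok(results: Dict[str, Optional[str]]) -> bool:
    """True only if each restricted handshake got the matching key type."""
    return all(results.get(auth) == auth for auth in CIPHERS)


def check_live(host: str, port: int = 143, timeout: float = 10.0) -> Dict[str, Optional[str]]:
    """Run both checks against a real server (needs network and openssl)."""
    results: Dict[str, Optional[str]] = {}
    for auth, cipher in CIPHERS.items():
        proc = subprocess.run(s_client_cmd(host, port, cipher),
                              input=b"QUIT\r\n", capture_output=True,
                              timeout=timeout)
        out = proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace")
        results[auth] = server_auth_type(out)
    return results


# Constructed sample: RSA cert served, modern OpenSSL output.
SAMPLE_RSA_OK = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = imap.server.tdl
   i:CN = example-intermediate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Peer signing digest: SHA256
Peer signature type: RSA-PSS
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

# Constructed sample: ECDSA cert served, older OpenSSL (no signature line).
SAMPLE_ECDSA_OLD = """CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
"""

# Constructed sample: the poster's failure mode, no cert for the cipher.
SAMPLE_NO_CERT = """CONNECTED(00000003)
ssl routines:ssl3_read_bytes:sslv3 alert handshake failure
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Cipher    : 0000
"""

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "imap.server.tdl"
    res = check_live(host)
    print(res, "dual-cert OK" if dual_cert_ok(res) else "MISSING a cert type")
```

If the ECDSA run reports None while the RSA run reports RSA (or the reverse), only one certificate is loaded, which is exactly the symptom of the configuration the thread starts from.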
On 02 Mar 2016, at 10:02, Jean-Baptiste Vignaud <flint42 at gmail.com> wrote:

> Hello all;
>
> Does anyone know if it's possible to have a dual certificate setup on
> Dovecot like in Postfix or Apache?
>
> I tried to add several crts in the local_name section:
>
> local_name imap.server.tdl {
>   ssl_cert = <server_rsa_crt.pem
>   ssl_key = <server_rsa_key.pem
>   ssl_cert = <server_ecdsa_crt.pem
>   ssl_key = <server_ecdsa_key.pem
> }
>
> but it seems that Dovecot takes the last one (ecdsa) and that the rsa cert is
> not used.

Would it work if you had a single .pem file containing both certs and a single file containing both keys?

> In Apache we have to duplicate the cert / key lines, one for rsa, one for
> ecdsa.
>
> In Postfix, we have some specific ecdsa conf keys.
>
> So is there a way to do the same in Dovecot?

Looks like from the OpenSSL code's point of view the same cert/key loading functions can simply be called multiple times. There's currently no way to trigger that in Dovecot. But maybe the single .pem file would happen to work as well? If not, this would need some config changes and I'm not sure what would be the nicest way..
Google multi domain certificates. Comodo sells a multi domain wild card certificate that we use to host multiple SSL domains on Dovecot and Postfix successfully. You install the single certificate and reissue and reinstall after adding a new domain.

> On Mar 2, 2016, at 2:02 AM, Jean-Baptiste Vignaud <flint42 at gmail.com> wrote:
>
> Hello all;
>
> Does anyone know if it's possible to have a dual certificate setup on
> Dovecot like in Postfix or Apache?
>
> I tried to add several crts in the local_name section:
>
> local_name imap.server.tdl {
>   ssl_cert = <server_rsa_crt.pem
>   ssl_key = <server_rsa_key.pem
>   ssl_cert = <server_ecdsa_crt.pem
>   ssl_key = <server_ecdsa_key.pem
> }
>
> but it seems that Dovecot takes the last one (ecdsa) and that the rsa cert is
> not used.
>
> To check if both are working, I check with openssl:
>
> openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-RSA-AES128-GCM-SHA256
>
> for rsa, and
>
> openssl s_client -connect imap.server.tdl:143 -starttls imap -servername imap.server.tdl -cipher ECDHE-ECDSA-AES128-GCM-SHA256
>
> for ecdsa.
>
> In Apache we have to duplicate the cert / key lines, one for rsa, one for
> ecdsa.
>
> In Postfix, we have some specific ecdsa conf keys.
>
> So is there a way to do the same in Dovecot?
On Wed, Mar 2, 2016 at 3:44 PM, Timo Sirainen <tss at iki.fi> wrote:

> Would it work if you had a single .pem file containing both certs and a
> single file containing both keys?

OK, I just tried this configuration, but only the first certificate is working.

I used this order: rsa cert, ecdsa cert, intermediate

and this one: rsa cert, intermediate, ecdsa cert, intermediate

In this case, both rsa and ec are signed by the same intermediate.

> > In Apache we have to duplicate the cert / key lines, one for rsa, one for
> > ecdsa.
> >
> > In Postfix, we have some specific ecdsa conf keys.
> >
> > So is there a way to do the same in Dovecot?
>
> Looks like from the OpenSSL code's point of view the same cert/key loading
> functions can simply be called multiple times. There's currently no way to
> trigger that in Dovecot. But maybe the single .pem file would happen to
> work as well? If not, this would need some config changes and I'm not sure
> what would be the nicest way..

Perhaps the same way as Postfix, with ssl_ecdsa_cert and ssl_ecdsa_key parameters?

Anyway, this is not an urgent matter; it's just that now that Let's Encrypt gives free rsa and ec certificates I wanted to use them both :)