voytek at sbt.net.au
2017-Aug-20 23:37 UTC
ot: self certified enduser browser/mail client install?
I have self certified Dovecot as so:

ssl = required
ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
ssl_key = </etc/pki/dovecot/private/dovecot.pem
userdb {
  args = /etc/dovecot/dovecot-mysql.conf
  driver = sql
}

in order for end user to avoid webmail warnings or email client warnings, do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users, say under httpd://webhost/tld/certificate/dovecot.pem

and, tell users to import dovecot.pem (from /etc/pki/dovecot/certs/dovecot.pem) into their PC/browser/mailclient certs?

(sorry for dumb Q, but I thought I should ask before I commit some fundamental stuffup)
Christian Kivalo
2017-Aug-21 05:25 UTC
ot: self certified enduser browser/mail client install?
On 21 August 2017 01:37:26 MESZ, voytek at sbt.net.au wrote:

> I have self certified Dovecot as so:
>
> ssl = required
> ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
> ssl_key = </etc/pki/dovecot/private/dovecot.pem
> userdb {
>   args = /etc/dovecot/dovecot-mysql.conf
>   driver = sql
> }
>
> in order for end user to avoid webmail warnings or email client
> warnings,
> do I make this file /etc/pki/dovecot/certs/dovecot.pem available to
> users
> say under httpd://webhost/tld/certificate/dovecot.pem
>
> and, tell users to import dovecot.pem (from
> /etc/pki/dovecot/certs/dovecot.pem) into their PC/browser/mailclient
> certs?
>
> (sorry for dumb Q, but I thought I should ask before I commit some
> fundamental stuffup)

You would publish the CA cert to your users, that's the one you used to sign your cert.

-- 
Christian Kivalo
Steffen Kaiser
2017-Aug-21 05:49 UTC
ot: self certified enduser browser/mail client install?
On Mon, 21 Aug 2017, voytek at sbt.net.au wrote:

> in order for end user to avoid webmail warnings or email client warnings,
> do I make this file /etc/pki/dovecot/certs/dovecot.pem available to users
> say under httpd://webhost/tld/certificate/dovecot.pem

Most likely yes. It should work regardless of whether the cert is self-signed or not.

However, you could try to find the upper-most cert by running

  openssl x509 -in /etc/pki/dovecot/certs/dovecot.pem -noout -text | less

Check out the Issuer and Subject near the top of the output:

    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=dovecot.example.com/emailAddress=me at example.com
        Validity
            Not Before: Aug 21 05:36:49 2017 GMT
            Not After : Aug 21 05:36:49 2018 GMT
        Subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=dovecot.example.com/emailAddress=me at example.com

If both are the same, it's the correct one. Then you really have a self-signed certificate. Otherwise hunt for the "issuer" cert and hand that to your users. That would be your CA cert.

-- 
Steffen Kaiser
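A scripted form of the check Steffen describes and of Christian's advice to publish the CA cert, added here as an example and not part of the thread or of Dovecot: it splits a PEM file that may contain a whole chain into single certificates, compares each certificate's Subject with its Issuer, and copies the one where they match (the self-signed CA, or the server cert itself when it is self-signed) to an output file that can be published to users. It assumes `openssl` is installed; the file paths in the usage line are illustrative.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Dovecot project.
# Usage: sh find_root.sh <pem-or-bundle> <output-file>
# Requires openssl. Works on a single self-signed cert as well as on a
# server cert followed by its CA chain.
set -e

# Split a PEM bundle into one file per certificate.
# $1 = bundle path, $2 = directory to write cert-NN.pem files into
split_pem() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }
    ' "$1"
}

# Print "self-signed" when Subject equals Issuer, otherwise "issued".
# $1 = path to a file holding exactly one certificate
cert_kind() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    # strip the "subject=" / "issuer=" labels so only the DNs are compared
    subj=${subj#subject=}
    iss=${iss#issuer=}
    if [ "$subj" = "$iss" ]; then
        echo self-signed
    else
        echo issued
    fi
}

# List Subject/Issuer of every certificate in the bundle and copy the
# self-signed one (the root to hand to users) to $2. Returns 1 if none.
# $1 = bundle path, $2 = destination file for the root cert
find_root() {
    tmp=$(mktemp -d)
    split_pem "$1" "$tmp"
    found=1
    for f in "$tmp"/cert-*.pem; do
        [ -f "$f" ] || continue
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
        if [ "$(cert_kind "$f")" = self-signed ]; then
            cp "$f" "$2"
            found=0
        fi
    done
    rm -rf "$tmp"
    return $found
}

# Run only when invoked with both arguments, so the functions can also be sourced.
if [ $# -eq 2 ]; then
    find_root "$1" "$2" && echo "root certificate written to $2"
fi
```

Run it as, for instance, `sh find_root.sh /etc/pki/dovecot/certs/dovecot.pem /var/www/html/certificate/ca.pem` (paths are examples). Before telling users to import the result, confirm from a client machine that it actually validates the server: `openssl s_client -connect mail.example.com:993 -CAfile ca.pem` should report `Verify return code: 0 (ok)`, and only the certificate it validates should be published. Serve the file over HTTPS or give users its fingerprint (`openssl x509 -in ca.pem -noout -fingerprint -sha256`) to compare, since a client that imports whatever a plain-HTTP download returns is trusting that download.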