Hi,

I'm trying to get apache, sendmail, and dovecot to use SSL certs signed by my own CA. I've got the apache certs working fine. However, dovecot (I haven't even tried sendmail yet) doesn't seem to accept any of the certificates that I create for it. There is a script that comes with dovecot that creates self-signed certificates for you, but I need certificates signed by my own CA. I found this tutorial http://homepage.mac.com/pauljlucas/personal/macmini/certs.html; it shows you how to create a csr for dovecot that you can send to a CA. I signed it using CA.pl -sign. However, the certificate isn't accepted by dovecot. Unfortunately, dovecot doesn't log anything to maillog at failed startup.

Just looking at the certificate contents, I noticed that the self-signed certificates don't have all kinds of publisher information at the beginning of them like the apache certs. So I think what I'm missing is the difference between all the different cert types. I know that there are pem and cert ssl cert types, at least different extensions. Can anyone tell me what the difference is? Are some certs suitable for apache and others for mail applications? Is there a converter? Could it be the way that I'm signing the certificates?

Any help would be appreciated.

Thanks,
blaq b0x wrote:
> I'm trying to get apache, sendmail , and dovecot to
> use SSL certs signed by my own CA. I've got the apache
> certs working fine.

Did you remember to tell Dovecot what CA was used to sign the cert? You should have already extracted the trusted root public key for Apache's usage, so you should change this line:

> # File containing trusted SSL certificate authorities. Usually not needed.
> #ssl_ca_file

to point to the CA's trusted root file. SSL certs must have the entire chain available in order to be trusted.

HTH

John

--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748
placey at wanderingbarque.com
2005-Sep-20 17:52 UTC
[Dovecot] signing dovecot certs with own Cert. Auth.
> Hi,
>
> I'm trying to get apache, sendmail , and dovecot to
> use SSL certs signed by my own CA. I've got the apache
> certs working fine. However, dovecot ( I haven't even
> tried sendmail yet) doesn't seem to accept any of the
> certificates that I create for it. There is a script
> that comes with dovecot that creates self-signed
> certificates for you but, I need certificates signed
> by my own CA.

I cover exactly this in my HOWTO, except it's for Postfix and not Sendmail.

http://wanderingbarque.com/howtos/mailserver/mailserver.html

Pete
Philip Hallstrom
2005-Sep-20 18:26 UTC
[Dovecot] signing dovecot certs with own Cert. Auth.
> I'm trying to get apache, sendmail , and dovecot to
> use SSL certs signed by my own CA. I've got the apache
> certs working fine. However, dovecot ( I haven't even
...
> converter? Could it be the way that I'm signing the
> certificates?
>
> Any help would be appreciated.

I can't help you with dovecot since I've never used it (well, not yet), but I've found this to be extremely helpful:

Eclectica
http://www.eclectica.ca/howto/ssl-cert-howto.php

Also, when I set up apache, postfix, uw-imap to use certificates signed by my own CA, I followed suggestions from the mod-ssl faq. I've got things set up so I have a "certs" directory. Once in there I can type "./make.sh hostname" and it will make a certificate for that hostname and sign it. I've also got "./pem.sh hostname" which will convert the certificate into the pem format which is what postfix/uw-imap expect. Anyway, it's nice cause now I never have to think about how it all works anymore....

Here's the scripts:

http://www.pjkh.com/~philip/certs/CA.txt
Instructions on how to become your own CA. Note I set mine to expire in 10 years so a year from now instead of 1 year by default.

http://www.pjkh.com/~philip/certs/make.sh.txt
Creates a certificate and then signs it using the sign.sh script.

http://www.pjkh.com/~philip/certs/sign.sh.txt
Straight from Ralf Engelschall except I increased the number of days to 3650.

http://www.pjkh.com/~philip/certs/pem.sh.txt
Convert the script to pem.

Hope this helps...
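The make/sign/pem workflow Philip describes, and the chain point John makes (the server cert must chain to a CA root that Dovecot is told about), as an added illustration that is not the scripts linked above nor Dovecot's own mkcert tool. It assumes openssl in PATH; the host name, subject names and work directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a private CA, sign a server cert for the mail host with it,
# write the plain-PEM files Dovecot's ssl_cert_file/ssl_key_file/ssl_ca_file take,
# and verify that the server cert actually chains to that CA.
set -e

WORK="${WORK:-$(mktemp -d)}"                  # scratch directory (constructed)
MAILHOST="${MAILHOST:-mail.example.test}"     # placeholder host name (constructed)

make_ca() {
    # Self-signed root CA: this is the "trusted root file" ssl_ca_file points at.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
        -subj "/CN=Example Private CA" >/dev/null 2>&1
}

make_server_cert() {
    # Key + CSR for the mail host (what the linked tutorial's CSR step produces),
    # then sign the CSR with our CA instead of sending it to a public one.
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$WORK/dovecot.key" -out "$WORK/dovecot.csr" \
        -subj "/CN=$MAILHOST" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/dovecot.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/dovecot.crt" >/dev/null 2>&1
    # Plain PEM is just the BEGIN/END CERTIFICATE block; the human-readable
    # "publisher" dump some tools prepend is optional. Append the CA cert so
    # clients receive the whole chain.
    cat "$WORK/dovecot.crt" "$WORK/ca.crt" > "$WORK/dovecot-chain.pem"
}

verify_chain() {
    # 0 only if the server cert chains to our CA: the same check a client that
    # trusts ca.crt will make when it connects to the IMAP/POP port.
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/dovecot.crt" >/dev/null 2>&1
}

issuer_is_ca() {
    # Sanity check: the server cert's issuer must equal the CA's subject.
    [ "$(openssl x509 -in "$WORK/dovecot.crt" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$WORK/ca.crt" -noout -subject | sed 's/^subject=//')" ]
}

make_ca
make_server_cert
verify_chain && issuer_is_ca && echo "chain OK for $MAILHOST; files in $WORK"
```

Point ssl_cert_file at dovecot-chain.pem, ssl_key_file at dovecot.key and ssl_ca_file at ca.crt; if verify_chain fails, the cert was signed by a different CA key than the one in ca.crt.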