I've read the client ssl cert section in the wiki and it talks about using a self signed cert, if I am using a commercial cert, in this case godaddy, how do I implement a self signed cert for the client side and have dovecot make use of this? I know the mechanics of setting up the self signed ca, the question is more what configuration changes do I need to make in dovecot to handle both godaddy and the self signed ca functionality?

Thanks

--
Harondel J. Sibble
Sibble Computer Consulting
Creating solutions for the small business and home computer user.
help at pdscc.com (use pgp keyid 0x3AD5C11D)
http://www.pdscc.com
(604) 739-3709 (voice/fax) (604) 686-2253 (pager)

Harondel J. Sibble wrote:
> I've read the client ssl cert section in the wiki and it talks about using a
> self signed cert, if I am using a commercial cert, in this case godaddy, how
> do I implement a self signed cert for the client side and have dovecot make
> use of this? I know the mechanics of setting up the self signed ca, the
> question is more what configuration changes do I need to make in dovecot to
> handle both godaddy and the self signed ca functionality?
>

If you have a commercial cert, you don't need a self signed cert. Self signed certs are for people who don't want to get a cert signed by a 3rd party (commercial or other).

For email, you generally don't need a commercial certificate because your users know you and you know them, and because users don't connect to thousands of IMAP servers.

Rainer Frey (Inxmail GmbH)
2008-Sep-29 06:40 UTC
[Dovecot] client certs with godaddy ssl cert
On Saturday 27 September 2008 03:43:19 Harondel J. Sibble wrote:
> I've read the client ssl cert section in the wiki and it talks about using
> a self signed cert, if I am using a commercial cert, in this case godaddy,
> how do I implement a self signed cert for the client side and have dovecot
> make use of this? I know the mechanics of setting up the self signed ca,
> the question is more what configuration changes do I need to make in
> dovecot to handle both godaddy and the self signed ca functionality?

If I understand you correctly, you're using the godaddy certificate as the server certificate only. This is fine, AFAIK the server certificate can be completely independent from any client certificate.

What is important: you can not self-sign each client certificate, but you need a CA with a self-signed root instead. I think you understand that already, just noting that for completeness.

Then you simply configure Dovecot as described in http://wiki.dovecot.org/SSL/DovecotConfiguration

In short: Put your godaddy SSL certificate, and then the complete hierarchy of godaddy CA certificates (I don't know how many levels they have) in (e.g.) /etc/ssl/dovecot.pem, and set ssl_cert_file=/etc/ssl/dovecot.pem. Don't forget to set the path to your private key or add it to the beginning of your cert file. This handles SSL/TLS for the server.

Then create the CA root certificate, and any sub-CA certificates if you want to implement a multi-level CA. For each hierarchy level generate a CRL (Certificate Revocation List). Then, from the most specific sub-CA down to the root, concatenate each CA cert and the corresponding CRL to one file, and set this file as ssl_ca_file. The order is important, and needs to be (if existing):

* Issuing CA cert
* Issuing CA CRL
* Intermediate CA cert
* Intermediate CA CRL
* Root CA cert
* Root CA CRL

Then configure client cert verification as described in the last section of the above-mentioned wiki page.

To sum it up: ssl_cert_file is responsible for server side TLS/SSL and needs to contain the complete verification path for the server certificate. It has no influence on client certs. ssl_ca_file is used for client cert verification only, and does not need to cover the server certificate. So you can use commercial server cert and the self-managed client certs.

You might want to consider though: your clients need to import the client cert you issue, and your root CA certificate as trusted cert. If *all your SSL/TLS clients* also get a client cert, you can also issue the server cert yourself, a commercial cert provides no extra value in that case.

> Thanks

Regards
Rainer Frey

--
Software Developer
------------------------------------------------------
Inxmail GmbH
rainer.frey at inxmail.de, www.inxmail.de
Handelsregister Freiburg, HRB 5870
Ust.-ID: DE198371679
Geschäftsleitung: Martin Bucher, Peter Ziras
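
The ssl_ca_file layout described in the reply above (each CA cert followed by its CRL, issuing CA first, root last), as an added example that is not part of the original thread: shell functions that assemble the bundle and refuse to write it if a cert or CRL is missing or out of order. The function names and file paths are assumptions; only PEM block types and their order are checked, not signatures.

```shell
#!/bin/sh
# Added example: assemble and sanity-check the file used as ssl_ca_file.
# Checks PEM block types and order only, not signatures or CRL validity.

# pem_kinds FILE: print the type of every PEM block in FILE, one per line.
pem_kinds() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# check_ca_bundle FILE: succeed only if FILE is a non-empty sequence of
# CERTIFICATE / X509 CRL pairs, so every CA cert is followed by its CRL.
check_ca_bundle() {
    pem_kinds "$1" | awk '
        NR % 2 == 1 && $0 != "CERTIFICATE" { bad = 1 }
        NR % 2 == 0 && $0 != "X509 CRL"    { bad = 1 }
        END { if (bad || NR == 0 || NR % 2) exit 1 }'
}

# build_ca_bundle OUT CERT CRL [CERT CRL ...]
# Pass the pairs from the issuing CA down to the root, as in the list above.
build_ca_bundle() {
    out=$1; shift
    [ $# -gt 0 ] && [ $(( $# % 2 )) -eq 0 ] || {
        echo "usage: build_ca_bundle OUT CERT CRL [CERT CRL ...]" >&2; return 2; }
    tmp="$out.tmp.$$"
    : > "$tmp"
    while [ $# -gt 0 ]; do
        if [ "$(pem_kinds "$1")" != "CERTIFICATE" ]; then
            echo "$1: expected exactly one PEM certificate" >&2; rm -f "$tmp"; return 1
        fi
        if [ "$(pem_kinds "$2")" != "X509 CRL" ]; then
            echo "$2: expected exactly one PEM CRL" >&2; rm -f "$tmp"; return 1
        fi
        cat "$1" "$2" >> "$tmp"
        shift 2
    done
    # Final check also catches blocks glued together by a missing trailing newline.
    if check_ca_bundle "$tmp"; then mv "$tmp" "$out"; else rm -f "$tmp"; return 1; fi
}

# Usage (constructed paths):
#   build_ca_bundle /etc/ssl/dovecot-client-ca.pem \
#       issuing.crt issuing.crl root.crt root.crl
```

Running check_ca_bundle against an existing bundle before pointing ssl_ca_file at it catches a missing CRL for one hierarchy level.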