dovecot at lists.killian.com
2015-Feb-16 15:42 UTC
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one file for those programs, that's good to know.

On 2015/2/16 07:23, Reindl Harald wrote:
>
> On 16.02.2015 at 15:53, dovecot@lists.killian.com wrote:
>> Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:
>>
>> "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:
>>
>> Issuing CA cert
>> Issuing CA CRL
>> Intermediate CA cert
>> Intermediate CA CRL
>> Root CA cert
>> Root CA CRL"
>
> that is how you can and should build your PEM files for *every* SSL-aware software, Apache and Postfix are happy with exactly that format
>
> I go even so far and include the ECDHE and DHE params there, which means in case of a recent httpd you can make DHE compatible with most clients even if your RSA certificate is 4096 bit (read the hint about 2.4.7 or later at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile if you want to know why)
>
> there is also no need to place those certs below /etc/dovecot at all nor have them readable for anybody but root, we have our wildcard certificate on a unique location synced to all servers offering SSL and again Dovecot, Postfix and Apache are happy to read the root-only PEM files at startup and that's it
Reindl Harald
2015-Feb-16 15:49 UTC
/etc/ssl/certs/dovecot.pem erased by OpenSuse's update mechanism
you can typically "cat" all the stuff into the same PEM file and use that file for all related configuration options - since each part has a -----BEGIN and -----END section the chances are high that the software doesn't need to support it explicitly but the TLS layer picks the right thing (that's a very non-technical wording by intention)

On 16.02.2015 at 16:42, dovecot at lists.killian.com wrote:
> Thanks for the note. I had never seen anything in the postfix and apache documentation that the CRLs could be intermingled with the CRTs in the CRT file. The documentation for those programs suggests putting the CRLs in a separate file (e.g. apache SSLCARevocationFile) or doesn't talk about putting CRLs in with the certs (e.g. postfix smtpd_tls_cert_file). If it works to put them all in one file for those programs, that's good to know.
>
> On 2015/2/16 07:23, Reindl Harald wrote:
>>
>> On 16.02.2015 at 15:53, dovecot at lists.killian.com wrote:
>>> Why not /etc/dovecot/private? That's where I put my dovecot certs. Dovecot's needs are a bit different from other software, and so it is unclear whether the files won't be unique to it. For example, I haven't seen the following before I read it on the Dovecot wiki:
>>>
>>> "The CA file should contain the certificate(s) followed by the matching CRL(s). Note that the CRLs are required to exist. For a multi-level CA place the certificates in this order:
>>>
>>> Issuing CA cert
>>> Issuing CA CRL
>>> Intermediate CA cert
>>> Intermediate CA CRL
>>> Root CA cert
>>> Root CA CRL"
>>
>> that is how you can and should build your PEM files for *every* SSL-aware software, Apache and Postfix are happy with exactly that format
>>
>> I go even so far and include the ECDHE and DHE params there, which means in case of a recent httpd you can make DHE compatible with most clients even if your RSA certificate is 4096 bit (read the hint about 2.4.7 or later at http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile if you want to know why)
>>
>> there is also no need to place those certs below /etc/dovecot at all nor have them readable for anybody but root, we have our wildcard certificate on a unique location synced to all servers offering SSL and again Dovecot, Postfix and Apache are happy to read the root-only PEM files at startup and that's it
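Added example, not code from the thread, from Dovecot or from any of the posters: a small stand-alone Python linter for the combined PEM layout quoted above (CA certificate immediately followed by its CRL, repeated per CA level, with DH parameters tolerated). It uses only the standard library and relies on exactly the property Reindl points at, that every part of the file sits between its own -----BEGIN <label>----- and -----END <label>----- lines. It checks the arrangement of blocks only; it does not parse X.509 and so cannot tell whether a CRL really belongs to the certificate before it. The PEM bodies in the sample bundles are constructed placeholders (base64 of short strings), not real certificates.

```python
"""Lint a combined PEM bundle for the cert-then-CRL layout discussed in the thread.

Added example; stdlib only. Checks block arrangement, not signatures or issuers.
"""
import base64
import hashlib
import re
import textwrap

# One PEM part: the label on the END line must match the BEGIN line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S
)

# Block types that may legitimately appear in a CA file besides certs and CRLs
# (Reindl mentions keeping DH params in the same file).
ALLOWED_EXTRA = ("DH PARAMETERS", "EC PARAMETERS")


def split_pem(text):
    """Return [(label, der_bytes), ...] in file order; raises on corrupt base64."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_ca_bundle(text):
    """Apply the Dovecot wiki rule quoted in the thread: every CA CERTIFICATE
    must be immediately followed by an X509 CRL. Returns a list of problem
    strings; an empty list means the layout is fine."""
    blocks = split_pem(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems, seen = [], set()
    for i, (label, der) in enumerate(blocks):
        digest = hashlib.sha256(der).hexdigest()[:16]
        if digest in seen:
            problems.append(f"block {i}: duplicate {label} ({digest})")
        seen.add(digest)
        if label == "CERTIFICATE":
            nxt = blocks[i + 1][0] if i + 1 < len(blocks) else None
            if nxt != "X509 CRL":
                problems.append(
                    f"block {i}: CERTIFICATE not followed by its X509 CRL (got {nxt})"
                )
        elif label == "X509 CRL":
            if i == 0 or blocks[i - 1][0] != "CERTIFICATE":
                problems.append(f"block {i}: X509 CRL without a preceding CERTIFICATE")
        elif label.endswith("PRIVATE KEY"):
            # A CA file is meant to be shared; a key in it is a misplaced secret.
            problems.append(f"block {i}: {label} does not belong in a CA file")
        elif label not in ALLOWED_EXTRA:
            problems.append(f"block {i}: unexpected block type {label}")
    return problems


def _fake_block(label, payload):
    """Constructed placeholder PEM block (NOT a real certificate or CRL)."""
    b64 = base64.b64encode(payload.encode()).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64)) + f"\n-----END {label}-----\n"


# Constructed sample bundles in the order the Dovecot wiki quote gives.
GOOD_BUNDLE = "".join([
    _fake_block("CERTIFICATE", "issuing-ca-cert"),
    _fake_block("X509 CRL", "issuing-ca-crl"),
    _fake_block("CERTIFICATE", "intermediate-ca-cert"),
    _fake_block("X509 CRL", "intermediate-ca-crl"),
    _fake_block("CERTIFICATE", "root-ca-cert"),
    _fake_block("X509 CRL", "root-ca-crl"),
    _fake_block("DH PARAMETERS", "dh-params"),
])

# Same bundle with the intermediate CRL left out, which the wiki says is required.
BAD_BUNDLE = "".join([
    _fake_block("CERTIFICATE", "issuing-ca-cert"),
    _fake_block("X509 CRL", "issuing-ca-crl"),
    _fake_block("CERTIFICATE", "intermediate-ca-cert"),
    _fake_block("CERTIFICATE", "root-ca-cert"),
    _fake_block("X509 CRL", "root-ca-crl"),
])

if __name__ == "__main__":
    print("good:", check_ca_bundle(GOOD_BUNDLE) or "ok")
    print("bad: ", check_ca_bundle(BAD_BUNDLE))
```

Once the layout passes, the actual chain and revocation check is a job for OpenSSL, e.g. `openssl verify -crl_check -CAfile ca.pem server.pem`, which reads certificates and CRLs from the same combined file and fails if a required CRL is missing.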