search for: easyrsa

Displaying 14 results from an estimated 14 matches for "easyrsa".

2016 Jul 03
1
Where is krb5.keytab or equivalent?
...till miss the gssapi module for dovecot. On 03.07.2016 at 19:42, Mark Foley wrote: > Achim, > > This is my most recent effort. If I cannot make progress from here I'm going to give this idea a rest. > > I used easy-rsa to create a cert. Files are: > > /etc/ssl/certs/OHPRS/easyrsa/ca.crt > /etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req > /etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req > /etc/ssl/certs/OHPRS/easyrsa/private/ca.key > /etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key > /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt > > $ openssl x509 -text -in /etc/...
2016 Jul 03
0
Where is krb5.keytab or equivalent?
Achim, This is my most recent effort. If I cannot make progress from here I'm going to give this idea a rest. I used easy-rsa to create a cert. Files are: /etc/ssl/certs/OHPRS/easyrsa/ca.crt /etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req /etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req /etc/ssl/certs/OHPRS/easyrsa/private/ca.key /etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt $ openssl x509 -text -in /etc/ssl/certs/OHPRS/easyrsa/issued/dov...
2016 Jul 02
0
Where is krb5.keytab or equivalent?
...g this message directly to you to spare the sambalist from my certificate trials. > I'm hoping you'll still hang in there a bit longer, though I'm close to giving up on this > whole thing myself. > > I used easy-rsa to create a cert. Files are: > > /etc/ssl/certs/OHPRS/easyrsa/ca.crt > /etc/ssl/certs/OHPRS/easyrsa/reqs/MAIL.req > /etc/ssl/certs/OHPRS/easyrsa/reqs/dovecot.req > /etc/ssl/certs/OHPRS/easyrsa/private/ca.key > /etc/ssl/certs/OHPRS/easyrsa/private/MAIL.key > /etc/ssl/certs/OHPRS/easyrsa/issued/dovecot.crt > > $ openssl x509 -text -in /etc/...
2016 Jul 02
5
Where is krb5.keytab or equivalent?
OK, let me go through exactly what you did: you: > Here's the test (I must run mutt not telnet like I mentioned earlier to > get the imap tickets). > > root at server:~# kinit achim > Password for achim at DOMAIN.LOCAL: > [I enter my password] As root on AD/DC mail.hprs.local: me: $ kinit mark Password for mark at HPRS.LOCAL: [I enter my password] you: >
2023 Oct 25
1
Set same TLS Root CA cert on all Samba DC's?
...t server that uses TLS will create some certs, or use the distro default snake-oil certs. However in order to get secure communication, you need to have a common ca-cert on all your machines (servers and clients) and generate a cert and key pair for each server. Openssl can do it, but I prefer EasyRSA, which uses openssl under the hood. - Kees. > > Thanks > > On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba < > samba at lists.samba.org> wrote: > >> On 25-10-2023 at 16:45, Alex via samba wrote: >>> Hi! >>> >>> Is there a recomme...
2016 Apr 19
2
VPN suggestions centos 6, 7
...sary these days, but >I keep it around because it doesn't hurt anything. > >The important bit is the extendedKeyUsage line; I'm pretty sure that >an OpenVPN server needs the serverAuth extension. For instance, here >is the X509 extensions configuration for a server used by EasyRSA: > > basicConstraints = CA:FALSE > subjectKeyIdentifier = hash > authorityKeyIdentifier = keyid,issuer:always > extendedKeyUsage = serverAuth,clientAuth > keyUsage = digitalSignature,keyEncipherment > >You can ask openssl to tell you the purpose of a certificate: &...
2020 Oct 10
10
Mail samba
Hi I am trying to authenticate my mail server with samba ad. The only problem is that I don't get it working. root at dna:/data/CA/EasyRSA-v3.0.6# ldapsearch -x -h gaia.rompen.lokaal -D 'vmail' -W -b 'cn=users,dc=rompen,dc=lokaal' Enter LDAP Password: ldap_bind: Strong(er) authentication required (8) additional info: BindSimple: Transport encryption required. I can not read the ldap database. I think it is a certifi...
2016 Apr 18
2
VPN suggestions centos 6, 7
> > >Folks > >I would like to have my windows 7 laptop communicate with my home >server via a VPN, in such a way that it appears to be "inside" my >home network. It should not only let me appear to be at home for >any external query, but also let me access my computers inside my home. > >I already have this working using M$'s PPTP using my home
2016 Apr 18
0
VPN suggestions centos 6, 7
...ctive may be unnecessary these days, but I keep it around because it doesn't hurt anything. The important bit is the extendedKeyUsage line; I'm pretty sure that an OpenVPN server needs the serverAuth extension. For instance, here is the X509 extensions configuration for a server used by EasyRSA: basicConstraints = CA:FALSE subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = serverAuth,clientAuth keyUsage = digitalSignature,keyEncipherment You can ask openssl to tell you the purpose of a certificate: [bash]$ openssl x509 -noout -pur...
2023 Oct 25
1
Set same TLS Root CA cert on all Samba DC's?
And will Samba regenerate its own server certs from that CA, or do I need to externally generate & renew them with openssl? Does anything else need to be done before or after replacing the certs in Samba? This won't break server/domain trust with domain joined workstations? Thanks On Wed, Oct 25, 2023 at 8:08 AM Kees van Vloten via samba < samba at lists.samba.org> wrote:
2023 Dec 17
3
AD-level Certificate Authorities with samba?
Hi! What's the way to have a domain-based certificate authority so that various TLS services can be enabled within a domain, including LDAPS and other similar services? The whole CA thing is already complex enough, Microsoft has tools to do all this on their domain management collection (Active Directory Certificate Services). What's the way to do all this in/with samba-based AD?
2016 Apr 19
0
VPN suggestions centos 6, 7
...ep >> it around because it doesn't hurt anything. >> >> The important bit is the extendedKeyUsage line; I'm pretty sure that an >> OpenVPN server needs the serverAuth extension. For instance, here is the >> X509 extensions configuration for a server used by EasyRSA: >> >> basicConstraints = CA:FALSE >> subjectKeyIdentifier = hash >> authorityKeyIdentifier = keyid,issuer:always >> extendedKeyUsage = serverAuth,clientAuth >> keyUsage = digitalSignature,keyEncipherment >> >> You can ask openssl to t...
2021 May 24
1
TLS support in NUT
When writing the Internet-Draft (I-D) "UPS Management Protocol" [1], I was required by IETF rules to include a "Security Considerations" chapter. This meant saying clearly that the SSL provisions in NUT for secure communication are now outdated and deprecated. The IETF now insists on secure communication and this makes NUT's situation an issue for the project. In
2016 Jun 15
8
https and self signed
I followed the instructions here https://wiki.centos.org/HowTos/Https Checking port 80 I get the file... curl http://localhost/file.html <HTML> <FORM> Working </FORM> </HTML> Checking port 443 I get an error curl https://localhost/file.html curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here: