On Tue, Feb 15, 2005 at 11:38:43AM +0100, Christian Storch wrote:

I use this config with Cyrus because it's simple to use SSL with many clients.

> Sorry, you're absolutely right: No signing - no cert, also for root.
> Perhaps it was too late for me last night. ;)

My certificates work perfectly with Apache. My CA was generated with the attached script, and my Cyrus cert with the "do" script.

> Nicolas: How have you created your certs?
> The commands with arguments and version of openssl, libssl would be
> interesting.
> Perhaps the lines with tls_... within your imapd.conf, too.

tls_cert_file: /etc/cyrus/imap.winch.my.crt
tls_key_file: /etc/cyrus/imap.winch.my.key
tls_ca_path: /etc/ssl/certs
tls_session_timeout: 0
tls_cipher_list: TLSv1:SSLv3:SSLv2:!NULL:!EXPORT:!DES:!LOW:@STRENGTH

largo:~# cat /etc/cyrus/imap.winch.my.crt
-----BEGIN CERTIFICATE-----
fqsdfqsdf[...]qsfqsdf
-----END CERTIFICATE-----
largo:~# cat /etc/cyrus/imap.winch.my.key
-----BEGIN RSA PRIVATE KEY-----
sdfgsdfg[...]qszedsf
-----END RSA PRIVATE KEY-----
largo:~# ls /etc/ssl/certs/
0481cb65.0 052e396b.0 06d75f4b.0 [...] signet_rootca_pem.pem signet_tsa1_pem.pem spi-ca.pem winch-ca.pem
largo:~# cat /etc/ssl/certs/winch-ca.pem
-----BEGIN CERTIFICATE-----
jhzertkjzert[...]tahlkhjdf
-----END CERTIFICATE-----

Thanks.
-- 
Nicolas Ledez
Attachment:
new-root-ca.sh
Description: Bourne shell script
#!/bin/sh
# Issues (or re-signs) the server certificate for $host against the CA kept in
# the parent directory. Expects $host.conf (req and ca sections) alongside it.
host=imap.winch.my

# Private key: generated once and never overwritten. (1024-bit RSA was the
# 2005 default; anything set up today should use 2048 bits or more.)
if [ ! -f "$host.key" ]; then
    openssl genrsa -out "$host.key" 1024
fi

# CSR built from the DN and the v3_req section in $host.conf.
if [ ! -f "$host.csr" ]; then
    openssl req -new -config "$host.conf" -key "$host.key" -out "$host.csr"
fi

if [ ! -f "$host.crt" ]; then
    # First issue: sign through the CA database (index, serial) in ../
    if ! openssl ca -config "$host.conf" -in "$host.csr" -out "$host.crt"; then
        echo Error in :
        echo openssl ca -config "$host.conf" -in "$host.csr" -out "$host.crt"
        exit 1
    fi
else
    # Re-issue: keep the old cert as $host.crt.0 and sign the same CSR directly
    # with the CA key, bypassing the CA database (the serial file is still bumped).
    mv "$host.crt" "$host.crt.0"
    if ! openssl x509 -req -in "$host.csr" -CA ../ca.crt -days 365 -CAkey ../ca.key \
            -CAserial ../ca.db.serial -out "$host.crt" -extfile "$host.conf" -extensions v3_req; then
        echo Error in :
        echo openssl x509 -req -in "$host.csr" -CA ../ca.crt -days 365 -CAkey ../ca.key \
            -CAserial ../ca.db.serial -out "$host.crt" -extfile "$host.conf" -extensions v3_req
        exit 1
    fi
fi

# Combined key+cert PEM for daemons that want both in one file.
if [ -f "$host.pem" ]; then
    mv "$host.pem" "$host.pem.0"
fi
cat "$host.key" "$host.crt" > "$host.pem"

# Owner-only. The Cyrus imapd processes run as the cyrus user, so the files
# named in tls_cert_file/tls_key_file must be owned by (or readable by) that
# user for mode 400 to work.
chmod 400 "$host.csr" "$host.crt" "$host.key" "$host.pem"
openssl x509 -noout -text -in "$host.crt"
[ req ]
# 1024-bit RSA was the 2005 default; use 2048 or more today.
default_bits       = 1024
distinguished_name = req_distinguished_name
string_mask        = nombstr
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
C            = MY
ST           = France
L            = Chateaubourg
O            = Winch
OU           = Secure Imap Server
CN           = imap.winch.my
emailAddress = admin@les-ledez.com

# Extensions for the server certificate. nsCertType is the old Netscape
# extension (modern clients look at extendedKeyUsage = serverAuth instead),
# and no subjectAltName is set, so clients can only match the host against CN.
[ v3_req ]
nsCertType       = server
basicConstraints = critical,CA:false

[ ca ]
default_ca = default_CA

# CA database layout in the parent directory (ca.db.*), as used by openssl ca.
[ default_CA ]
dir              = ..
new_certs_dir    = $dir/ca.db.certs
database         = $dir/ca.db.index
serial           = $dir/ca.db.serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_days     = 365
default_crl_days = 30
# MD5 signatures are rejected by current TLS clients; sha256 is the current default.
default_md       = md5
preserve         = no
# The posted file defines no [ server_cert ] section, which makes openssl ca
# fail with "Error Loading extension section server_cert"; point it at the
# server extension section that does exist.
x509_extensions  = v3_req
policy           = policy_anything

[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
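Added example, not part of the thread or of either poster's scripts: the same two steps (private CA, CA-signed server cert) done with a current OpenSSL, followed by the two checks worth running before pointing imapd.conf at the files. The second check is the one behind the /etc/ssl/certs listing above: a CApath directory such as tls_ca_path is searched by file name, <subject hash>.N (the 0481cb65.0 style entries), so a CA copied in under a friendly name alone is never found; on Debian the hashed links are maintained by update-ca-certificates or c_rehash. Host name, CA name and the temporary directory layout are made-up placeholders; the script needs only the openssl binary.

```sh
#!/bin/sh
# Added example (not from the original thread). Builds a private CA and a
# CA-signed server cert, then checks that the cert chains to the CA through a
# CApath directory and that it covers the host name. Names are placeholders.
set -eu

# Root CA in $1/ca.key and $1/ca.crt (2048-bit RSA, SHA-256, CA:true).
make_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
O  = Example Org
CN = Example Private Root CA
[ v3_ca ]
basicConstraints     = critical,CA:true
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    chmod 400 "$dir/ca.key"
    openssl req -new -x509 -config "$dir/ca.cnf" -key "$dir/ca.key" \
        -sha256 -days 3650 -out "$dir/ca.crt"
}

# Server key, CSR and CA-signed cert for host $2 under $1. The extension
# section carries what the 2005 config lacked: key usage, serverAuth and a
# subjectAltName (clients no longer match the host against CN alone).
issue_server_cert() {
    dir=$1 host=$2
    cat > "$dir/$host.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
O  = Example Org
CN = $host
[ v3_server ]
basicConstraints = critical,CA:false
keyUsage         = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 400 "$dir/$host.key"
    openssl req -new -config "$dir/$host.cnf" -key "$dir/$host.key" \
        -sha256 -out "$dir/$host.csr"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/$host.cnf" -extensions v3_server -out "$dir/$host.crt" 2>/dev/null
}

# File name OpenSSL looks for in a CApath directory: <subject hash>.<n>.
ca_hash_name() {
    printf '%s.0\n' "$(openssl x509 -noout -subject_hash -in "$1")"
}

# Install the CA into $1/certs under its hashed name (what c_rehash does).
install_ca() {
    mkdir -p "$1/certs"
    cp "$1/ca.crt" "$1/certs/$(ca_hash_name "$1/ca.crt")"
}

# Chain check through a CApath directory, as a peer using tls_ca_path would.
verify_server_cert() {
    openssl verify -CApath "$1/certs" "$1/$2.crt" >/dev/null 2>&1
}

# Does the cert in $1 cover host name $2 (SAN/CN matching)?
cert_matches_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" | grep -q 'does match'
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir"
    issue_server_cert "$dir" imap.example.test
    # A CA present only under a friendly name is invisible to CApath lookup.
    mkdir -p "$dir/certs"
    cp "$dir/ca.crt" "$dir/certs/example-ca.pem"
    if verify_server_cert "$dir" imap.example.test; then
        echo "unexpected: CA found without a hashed name"; exit 1
    fi
    echo "CApath miss before hashing (expected)"
    install_ca "$dir"
    verify_server_cert "$dir" imap.example.test
    echo "chain OK via $(ca_hash_name "$dir/ca.crt")"
    cert_matches_host "$dir/imap.example.test.crt" imap.example.test
    echo "host name OK"
    rm -rf "$dir"
}
demo
```

Run it as-is and it prints the expected CApath miss, then the chain check succeeding once the hashed file exists. The same check applies to the real directory: openssl verify -CApath /etc/ssl/certs /etc/cyrus/imap.winch.my.crt must print OK before Cyrus is expected to present a chain clients accept.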