Please explain: Creating the TLS/SSL Certificate

Patrick Ben Koetter p at state-of-mind.de
Fri Aug 13 21:42:53 EDT 2004


* Jacob Friis Larsen <jfl at list.idg.dk> [040811 23:23]:
> Could someone explain what this does?
> I found it at 
> http://www.delouw.ch/linux/Postfix-Cyrus-Web-cyradm-HOWTO/html/cyrus-config.html
> 
> Does it create a self signed certificate?

yupp

> Is there an easier way on Debian?

Probably not. Complicated as it may look it is as easy as it can get.

> 
> >*Creating the TLS/SSL Certificate*
> >
> >If you want to enable Cyrus' TLS/SSL facilities, you have to create a
> >certificate first. This requires an OpenSSL installation
> >
> >openssl req -new -nodes -out req.pem -keyout key.pem  

This creates your private key.

> >openssl rsa -in key.pem -out new.key.pem
> >openssl x509 -in req.pem -out ca-cert -req \
> >-signkey new.key.pem -days 999 

This is where you as private CA sign the private key and make it a
public certificate (new.key.pem)


> >mkdir /var/imap

you create a separate dir for your certs and the key.

> >cp new.key.pem /var/imap/server.pem
> >rm new.key.pem

You copy the server cert to its destination.

> >cat ca-cert >> /var/imap/server.pem

You add your ca-cert to the server's certificate and get a kind of
certificate root store. It holds your server certificate and the CA cert
to prove its validity. The IMAP server must be able to hand both over to
the mail client, when it starts TLS.

> >chown cyrus:mail /var/imap/server.pem
> >chmod 600 /var/imap/server.pem # Your key should be protected

Those two commands are there to protect your certs. Nobody but your
server should be able to read them.

> >echo tls_ca_file: /var/imap/server.pem >> /etc/imapd.conf
> >echo tls_cert_file: /var/imap/server.pem >> /etc/imapd.conf
> >echo tls_key_file: /var/imap/server.pem >> /etc/imapd.conf

This adds the relevant configuration parameters and values to
/etc/imapd.conf. The next step I guess would be to restart the server to
make it notice the changes.

There's a script that comes with OpenSSL that's called CA, CA.sh or
CA.pl. They all do the same - assist you in creating a CA, keys and
certificates. However, the default setting, somehow hardwired into the
script code IIRC, requires you to provide a password when you create
your server's private key. You must not do that, otherwise you will
always have to enter the password anytime your server needs to be
restarted - a nice little way to create your own DOS ;)

HTH,

p at rick
---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
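As an added example (not part of the HOWTO or of the post above), a POSIX shell script that reproduces the quoted steps in a directory of your choice and then audits the resulting server.pem for the two things the post warns about: a passphrase on the private key (the restart-time self-DoS) and a file that other users can read. It also checks that the key and certificate in the file belong together. The directory argument and the CN imap.example.com are placeholders.

```shell
#!/bin/sh
# Build a Cyrus-style server.pem (key + self-signed cert in one file) and
# audit it. Usage: sh mkserverpem.sh /some/scratch/dir
set -e

# make_server_pem DIR: the HOWTO's steps, written to DIR instead of /var/imap
make_server_pem() {
    dir=$1
    mkdir -p "$dir"
    # -nodes: do not encrypt the key, so no passphrase prompt at every restart
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=imap.example.com" \
        -out "$dir/req.pem" -keyout "$dir/key.pem" 2>/dev/null
    # Sign the request with its own key: we are our own (private) CA
    openssl x509 -req -in "$dir/req.pem" -signkey "$dir/key.pem" \
        -days 999 -out "$dir/ca-cert" 2>/dev/null
    # One file, because imapd.conf points tls_key_file, tls_cert_file and
    # tls_ca_file at the same path
    cat "$dir/key.pem" "$dir/ca-cert" > "$dir/server.pem"
    rm "$dir/req.pem" "$dir/key.pem"
    chmod 600 "$dir/server.pem"
}

# audit_server_pem FILE: returns 0 if the file can be used unattended, else
#   1 = private key is passphrase-protected (PEM block marked ENCRYPTED)
#   2 = key and certificate in the file do not match
#   3 = file is readable or writable by group/other
audit_server_pem() {
    f=$1
    if grep -q ENCRYPTED "$f"; then return 1; fi
    kmod=$(openssl rsa -in "$f" -noout -modulus 2>/dev/null || true)
    cmod=$(openssl x509 -in "$f" -noout -modulus 2>/dev/null || true)
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] || return 2
    # columns 5-10 of ls -l are the group/other permission bits
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) return 3 ;;
    esac
    return 0
}

if [ $# -eq 1 ]; then
    make_server_pem "$1"
    rc=0; audit_server_pem "$1/server.pem" || rc=$?
    if [ "$rc" -eq 0 ]; then echo "$1/server.pem: OK"
    else echo "$1/server.pem: audit failed (code $rc)" >&2; exit 1; fi
fi
```

Run the audit alone against an existing /var/imap/server.pem to confirm that a Cyrus restart will not stop at a passphrase prompt.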