SSL/TLS question

Craig Ringer craig at
Tue Jan 13 01:25:03 EST 2004

Wil Cooley wrote:
> [Sorry this is a repost from a month ago; I didn't get an answer then,
> but maybe my timing is better now.]
> For my web server, I use a certificate from Comodo which is very
> inexpensive by comparison with Thawte/Verisign certs, but it requires
> installation of an intermediary key for most browsers to be happy with
> it.  It's not difficult with Apache and mod_ssl; I'm wondering if it
> will work with Cyrus, perhaps using the 'tls_ca_file'?  The docs are a
> little sparse (and Comodo doesn't provide explicit instructions like it
> does for mod_ssl) and my understanding of SSL/TLS is a bit limited.

I expect that'd do it; you'll still need to install the CA certificate 
in browsers, though. I have a similar setup, but with a CA cert 
generated in-house.

My imapd.conf contains:

tls_ca_file: /var/imap/ssl/ca.pem
tls_cert_file: /var/imap/ssl/
tls_key_file: /var/imap/ssl/

- the filenames are somewhat self explanatory (though your key and cert 
may be combined into one file).

I then install the ca cert into clients who need access. To be specific, 
I generate a client SSL certificate for them that also contains an 
embedded version of our CA cert. That way they import the CA cert when 
they install the client cert; I then just get them to authorize the CA 
cert for identifying remote hosts.

Craig Ringer

More information about the Info-cyrus mailing list