SSL/TLS question
Craig Ringer
craig at postnewspapers.com.au
Tue Jan 13 01:25:03 EST 2004
Wil Cooley wrote:
> [Sorry this is a repost from a month ago; I didn't get an answer then,
> but maybe my timing is better now.]
>
> For my web server, I use a certificate from Comodo which is very
> inexpensive by comparison with Thawte/Verisign certs, but it requires
> installation of an intermediary key for most browsers to be happy with
> it. It's not difficult with Apache and mod_ssl; I'm wondering if it
> will work with Cyrus, perhaps using the 'tls_ca_file'? The docs are a
> little sparse (and Comodo doesn't provide explicit instructions like it
> does for mod_ssl) and my understanding of SSL/TLS is a bit limited.

I expect that'd do it; you'll still need to install the CA certificate
in browsers, though. I have a similar setup, but with a CA cert
generated in-house.

My imapd.conf contains:

tls_ca_file: /var/imap/ssl/ca.pem
tls_cert_file: /var/imap/ssl/mail.postnewspapers.com.au_cert.pem
tls_key_file: /var/imap/ssl/mail.postnewspapers.com.au_key.pem

- the filenames are somewhat self-explanatory (though your key and cert
may be combined into one file).

I then install the CA cert into clients who need access. To be specific,
I generate a client SSL certificate for them that also contains an
embedded version of our CA cert. That way they import the CA cert when
they install the client cert; I then just get them to authorize the CA
cert for identifying remote hosts.

Craig Ringer
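
Added example (not part of the message above and not Cyrus code): a shell check that a CA file such as the one named by tls_ca_file holds every certificate needed to verify the server certificate, for the case the question raises of a cert issued by an intermediate. The CA chain, the CN values and the helper names chain_ok and build_demo_chain are constructed for illustration.

```shell
#!/bin/sh
# Added example. The CA chain built here is constructed, throwaway test data;
# chain_ok and build_demo_chain are hypothetical helper names.

# chain_ok CAFILE CERT
# Succeeds only if CERT verifies using the certificates in CAFILE.
# -no-CApath keeps the system's default CA directory out of the decision.
chain_ok() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# build_demo_chain DIR
# Creates root -> intermediate -> leaf in DIR, plus ca.pem (root + intermediate),
# mirroring a server cert that was issued by an intermediate CA.
build_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -out "$d/$n.csr" -subj "/CN=constructed-$n" 2>/dev/null || return 1
    done
    # Self-signed root, marked as a CA.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA signed by the root.
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" \
        2>/dev/null || return 1
    # Server (leaf) certificate signed by the intermediate, not by the root.
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
    cat "$d/root.pem" "$d/inter.pem" > "$d/ca.pem"
}

# With two arguments, check real files: CA bundle first, server cert second.
if [ "$#" -eq 2 ]; then
    if chain_ok "$1" "$2"; then echo "chain complete"; else echo "chain incomplete"; fi
fi
```

Given two arguments, the script checks real files, for example the tls_ca_file and tls_cert_file paths from imapd.conf; a bundle that lacks the intermediate or the root reports "chain incomplete".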