confusion about setting up certificates

Jim Miller jimm at simutronics.com
Mon Mar 21 11:00:55 EST 2005


> > I would greatly appreciate any suggestions.
> >
> > Here's the process I followed to setup my certificates -- I didn't
> > do -nodes:
> > openssl req -x509 -newkey rsa -out cacert.pem -outform PEM -days 1825
> > openssl req -newkey rsa:1024 -keyout tempkey.pem -keyform PEM \
> > 		-out tempreq.pem -outform PEM
> > openssl rsa < tempkey.pem > cyrus_key.pem
> > openssl ca -in tempreq.pem -out cyrus_crt.pem
> >
> > cat cyrus_key.pem cyrus_crt.pem cacert.pem > /var/lib/cyrus/cyrus.pem
> >
> > Set this in imapd.conf
> > tls_ca_file: /var/lib/cyrus/cyrus.pem
> > tls_cert_file: /var/lib/cyrus/cyrus.pem
> > tls_key_file: /var/lib/cyrus/cyrus.pem
> >
> >
> > I then distribute the cacert.pem as mailserver.crt and users import it
> > into IE/Thunderbird without problem.
> >
> > Next I created a .p12 file from the cyrus_crt.pem for import into
> > IE/Thunderbird again w/out problems.  Here's the process that I use to
> > generate it.
> > openssl pkcs12 -export -in cyrus_crt.pem -inkey cyrus_key.pem \
> >   -name "$(openssl x509 -noout -in cyrus_crt.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
> >   -caname "$(openssl x509 -noout -in cacert.pem -subject | sed -e 's;.*CN=;;' -e 's;/Em.*;;')" \
> >   -out mailserver.p12
> >
> -----
> not arguing with anything that you've done but this is how I've gone
> about it...
>
> openssl genrsa -des3 -out ca.key 2048
> openssl req -config /usr/share/ssl/openssl.cnf -new -x509 \
> -days 3650 -key ca.key -out ca.cert
> openssl req -config /usr/share/ssl/openssl.cnf -new -x509 -nodes \
> -out /etc/ssl/cyrus-global.pem -keyout /etc/ssl/cyrus-global.pem \
> -days 3650
> openssl gendh 512 >> /etc/ssl/cyrus-global.pem
> openssl x509 -in /etc/ssl/cyrus-global.pem -out /etc/ssl/cacert.crt
>
> Then I copy cacert.crt to a web server and let users 'INSTALL
> CERTIFICATE' from this file (cacert.crt).
>
> and then in imapd.conf
> tls_cert_file: /etc/ssl/cyrus-global.pem
> tls_key_file: /etc/ssl/cyrus-global.pem
> tls_ca_file: /etc/ssl/ca.cert
>
> I haven't a clue really what I am doing, but it seems to work, with the
> only problem being that entries in subjectAltName don't seem to work for
> Outlook clients. I probably need to generate specific certs for each cn
> but haven't gotten around to that yet. YMMV
>
> ps - I used this info...
> <http://www.gtlib.cc.gatech.edu/pub/linux/docs/HOWTO/SSL-Certificates-HOWTO>
>

Sorry for not responding sooner, I've been out of the office for a few days.

I appreciate your input Craig.  Are you saying you are able to use Outlook
(OE, Outlook2000, Outlook 2003) with tls_require_certs: true and the
certificates you're using?

What are the implications of the tls_require_certs?

I must say I'm rather confused as to why Thunderbird has no problems and
Outlook does.

The problem seems to lie in the server-to-client handshake (ssldump output):
4 8  0.3798 (0.0004)  S>C  Alert
     level           fatal
     value           handshake_failure

---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
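As an added, stand-alone example (not code from either poster or from the Cyrus project), the script below does the whole procedure discussed in this thread in one place: create a private CA, issue a server certificate that carries subjectAltName entries for every hostname clients connect to, concatenate key, certificate and CA certificate into the single PEM file that tls_cert_file/tls_key_file point at, and check the result offline with openssl before touching imapd.conf. It assumes OpenSSL 1.1.1 or newer (for `-ext`), a POSIX shell, and placeholder hostnames (mail.example.test, imap.example.test) that are not from the original posts.

```sh
#!/bin/sh
# Added example for this thread (not from the original posts or from Cyrus):
# private CA -> SAN-bearing server cert -> single PEM bundle -> offline checks.
# Assumes OpenSSL 1.1.1+. Hostnames and directories are placeholders.
set -eu

# make_ca DIR: CA key plus a self-signed CA certificate (5 years).
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1825 \
        -subj "/CN=Example Mail CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null
    chmod 600 "$dir/cakey.pem"
}

# make_server_cert DIR CN [ALTNAME...]: key and CSR for CN, signed by the CA
# with a subjectAltName listing the CN and every extra name given.
make_server_cert() {
    dir=$1; cn=$2; shift 2
    sans=""
    for name in "$cn" "$@"; do
        sans="${sans:+$sans,}DNS:$name"
    done
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$cn" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/server-key.pem"
    # Leaf extensions: not a CA, TLS server usage, and the SAN list.
    cat > "$dir/server-ext.cnf" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=$sans
EOF
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/server-ext.cnf" -out "$dir/server-cert.pem" 2>/dev/null
}

# build_bundle DIR: key first, then the server cert, then the CA cert, in one
# file. It contains the private key, so keep it 0600 and owned by cyrus.
build_bundle() {
    dir=$1
    cat "$dir/server-key.pem" "$dir/server-cert.pem" "$dir/cacert.pem" \
        > "$dir/cyrus.pem"
    chmod 600 "$dir/cyrus.pem"
}

# verify_bundle DIR HOSTNAME: the leaf chains to the CA and is valid for
# HOSTNAME (checked against the SAN), and the first key in the bundle matches
# the first certificate in it. Returns non-zero on any failure.
verify_bundle() {
    dir=$1; host=$2
    openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$host" \
        "$dir/server-cert.pem" >/dev/null 2>&1 || return 1
    # Public key derived from the key file vs. the public key in the cert.
    k=$(openssl pkey -in "$dir/cyrus.pem" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$dir/cyrus.pem" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ] || return 1
}

main() {
    work=$(mktemp -d)
    make_ca "$work"
    make_server_cert "$work" mail.example.test imap.example.test
    build_bundle "$work"
    verify_bundle "$work" imap.example.test && echo "bundle OK: $work/cyrus.pem"
    # Show the SAN list that was actually signed into the certificate.
    openssl x509 -in "$work/server-cert.pem" -noout -ext subjectAltName
}
main
```

The hostname check here is OpenSSL's; which names a particular mail client accepts from the SAN versus the CN is up to that client. The script deliberately does not append DH parameters to the bundle; if a setup needs them, generate at least 2048 bits rather than the 512 shown in the quoted reply. Requiring client certificates is a separate server setting, and in any TLS server that requires one, a client that has no certificate to present gets a fatal handshake_failure alert, so test that mode with a client that actually holds a certificate signed by the CA in tls_ca_file.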
