How to make cerificate for client installation?
Cristian Mitrana
cristian.mitrana at online.ie
Mon Oct 10 05:53:42 EDT 2005
* lkolchin at univ.haifa.ac.il <lkolchin at univ.haifa.ac.il> [10-10-05 10:46]:
> Hello All,
>
> I'm using SMTP-AUTH with TLS wrapper with Self Signed Certificate on my system.
>
> I want users to be able to install certificate on their computer (on OE or another mail-client) and not press "Yes" on the nag screen on every login.
> How can I do it so client certificate only contain the public portion of the certificate (so it is secure to publish this certificate on the net)?
This depends on the client used and it's highly specific. And has
nothing to do with cyrus.
> Background Info:
> This is how I've created certificates:
> # openssl req -new -x509 -sha1 -extensions v3_ca -nodes -days 999 -out cert.pem
> # ls
> . .. cert.pem privkey.pem
> # cat privkey.pem cert.pem > /etc/ssl/certs/cert.pem
> # mv -f privkey.pem /etc/ssl/certs/skey.pem
> # chown cyrus:mail /etc/ssl/certs/cert.pem
> # chmod 600 /etc/ssl/certs/cert.pem
It is enough to provide the client with the certificate and import it
into it's trust database (as I said, depends on the application).
Depending on the application you might want to convert it to DER
(with openssl x509 -in ... -out cert.der -outform der ).
The private part is the privkey.pem and that you should keep safe.
For windows (OE) you have to use the mmc program, TB has a special
settings tab which lets you import in PEM format, I don't know about
other clients on windows.
mitu
More information about the Info-cyrus
mailing list