intermediate certificates

[Dan White]

On 19/01/11 19:07 +0100, Marcus Schopen wrote:
>Hi,
>
>I've to build a new SSL certificate for my cyrus 2.2.13. I'm using a
>Thawte SSL123 certificate. Since the CAs changed to intermediate
>certificates, I'd like to be sure to do the right steps for an update
>and not running into problems with imaps and pop3s clients:
>
>1. modify /etc/imapd.conf. Using tls_ca_file for the intermediate
>certificate file:
>
> tls_cert_file: /etc/mail/tls/mx.myserver.de.thawte.crt
> tls_key_file: /etc/mail/tls/mx.myserver.de.thawte.key
> tls_ca_file: /etc/ssl/certs/SSL123_CA_Bundle.pem
> tls_ca_path: /etc/ssl/certs

We use Digicert here, which uses an intermediate certificate. Our
configuration is the same:

tls_cert_file: /etc/ssl/certs/file.crt
tls_key_file: /etc/ssl/private/file.key
tls_ca_file: /etc/ssl/certs/DigiCertCA.crt
tls_ca_path: /etc/ssl/certs

> I've found a howto on the thawte.nl website
>
> http://www.thawte.nl/fr/support/manuals/cyrus/cyrus+imap+server/install
>+certificate/
>
> which puts private key, certification and the intermediate certificate
>file in one .pem file and uses this combined file for tls_cert_file,
>tls_key_file and tls_ca_file. Good way?

We have not had to do that.

>4. do I have to remove /var/lib/cyrus/tls_sessions.db ?

I don't think so. We've renewed/reinstalled our certificate a couple of
times over the years and have not had to do anything but a restart. A
restart may not even be necessary if both the old and new certificates are
valid, and your imapd sessions cycle out over time (via timeout, or the -U
option).

-- 
Dan White