intermediate certificates

Dan White dwhite at
Wed Jan 19 13:53:21 EST 2011

On 19/01/11 19:07 +0100, Marcus Schopen wrote:
>I've to build a new SSL certificate for my cyrus 2.2.13. I'm using a
>Thawte SSL123 certificate. Since the CAs changed to intermediate
>certificates, I'd like to be sure to do the right steps for an update
>and not running into problems with imaps and pop3s clients:
>1. modify /etc/imapd.conf. Using tls_ca_file for the intermediate
>certificate file:
> tls_cert_file: /etc/mail/tls/
> tls_key_file: /etc/mail/tls/
> tls_ca_file: /etc/ssl/certs/SSL123_CA_Bundle.pem
> tls_ca_path: /etc/ssl/certs

We use Digicert here, which uses an intermediate certificate. Our
configuration is the same:

tls_cert_file: /etc/ssl/certs/file.crt
tls_key_file: /etc/ssl/private/file.key
tls_ca_file: /etc/ssl/certs/DigiCertCA.crt
tls_ca_path: /etc/ssl/certs

> I've found a howto on the website
> which puts private key, certification and the intermediate certificate
>file in one .pem file and uses this combined file for tls_cert_file,
>tls_key_file and tls_ca_file. Good way?

We have not had to do that.

>4. do I have to remove /var/lib/cyrus/tls_sessions.db ?

I don't think so. We've renewed/reinstalled our certificate a couple of
times over the years and have not had to do anything but a restart. A
restart may not even be necessary if both the old and new certificates are
valid, and your imapd sessions cycle out over time (via timeout, or the -U

Dan White

More information about the Info-cyrus mailing list