intermediate certificates

Marcus Schopen lists at localguru.de
Wed Jan 19 15:38:13 EST 2011


On Wednesday, 19.01.2011, 12:53 -0600, Dan White wrote:
> On 19/01/11 19:07 +0100, Marcus Schopen wrote:
> >Hi,
> >
> >I've to build a new SSL certificate for my cyrus 2.2.13. I'm using a
> >Thawte SSL123 certificate. Since the CAs changed to intermediate
> >certificates, I'd like to be sure to do the right steps for an update
> >and not running into problems with imaps and pop3s clients:
> >
> >1. modify /etc/imapd.conf. Using tls_ca_file for the intermediate
> >certificate file:
> >
> > tls_cert_file: /etc/mail/tls/mx.myserver.de.thawte.crt
> > tls_key_file: /etc/mail/tls/mx.myserver.de.thawte.key
> > tls_ca_file: /etc/ssl/certs/SSL123_CA_Bundle.pem
> > tls_ca_path: /etc/ssl/certs
> 
> We use Digicert here, which uses an intermediate certificate. Our
> configuration is the same:
> 
> tls_cert_file: /etc/ssl/certs/file.crt
> tls_key_file: /etc/ssl/private/file.key
> tls_ca_file: /etc/ssl/certs/DigiCertCA.crt
> tls_ca_path: /etc/ssl/certs
> 
> > I've found a howto on the thawte.nl website
> >
> > http://www.thawte.nl/fr/support/manuals/cyrus/cyrus+imap+server/install+certificate/
> >
> > which puts private key, certification and the intermediate certificate
> >file in one .pem file and uses this combined file for tls_cert_file,
> >tls_key_file and tls_ca_file. Good way?
> 
> We have not had to do that.
> 
> >4. do I have to remove /var/lib/cyrus/tls_sessions.db ?
> 
> I don't think so. We've renewed/reinstalled our certificate a couple of
> times over the years and have not had to do anything but a restart. A
> restart may not even be necessary if both the old and new certificates are
> valid, and your imapd sessions cycle out over time (via timeout, or the -U
> option).

That is an interesting point. I try to avoid a restart as often as I
can. Did you or someone else test a change without a restart?

Ciao,
Marcus
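Added example for the checks discussed above; this is not code from the thread, from Thawte's howto or from the Cyrus project. It builds a throwaway root -> intermediate -> leaf chain (constructed test data; the names mx.example.test, "Example Test Root" and so on are made up) so the checks run offline, then gives the same checks as functions you can point at the real CA-issued files and the live server. Cyrus hands tls_cert_file to OpenSSL as a chain file, and OpenSSL also completes the chain it sends from whatever it can find in tls_ca_file/tls_ca_path, so either layout in the thread can work; the only way to be sure is to look at what the server actually sends, which is what served_chain does. Comparing the served fingerprint with the on-disk one also answers the restart question: old imapd processes keep the certificate they loaded until they cycle out.

```shell
#!/bin/sh
# Added example, not from the Info-cyrus thread or the Cyrus project.
# Pre-flight checks for swapping in a CA-issued certificate that needs an
# intermediate. A throwaway root -> intermediate -> leaf chain is generated
# here (constructed test data) so everything runs offline; for a real
# server, point the same functions at the CA-issued files and the host.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Constructed test PKI standing in for the CA-issued files. The private
#    key stays in its own file (tls_key_file), never in a shared PEM.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/int.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mx.example.test\n' > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.crt" \
    -subj '/CN=Example Test Root' -days 2 >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj '/CN=Example Test Intermediate' >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj '/CN=mx.example.test' >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
  # The "one file" layout from the howto, minus the key: server certificate
  # first, then the intermediate, which is the order a chain file must have.
  cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/chain.pem"
}

# 2. Offline checks on the files (tls_cert_file, tls_key_file, tls_ca_file).

# Does the private key belong to the certificate? Compares the public key
# embedded in the cert with the one derived from the key.
key_matches_cert() {  # cert key -> exit 0 if they pair up
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$c" = "$k" ]
}

# Does the leaf chain up to the root? Without the intermediate OpenSSL
# cannot build the path, which is exactly what an imaps/pop3s client that
# only trusts the root sees when the server fails to send the intermediate.
chain_verifies() {  # root leaf [intermediate] -> exit 0 if the path builds
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# How many certificates a PEM file carries (a chain file should hold the
# server certificate plus every intermediate, not the root).
pem_cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# 3. Live checks against the running server (not exercised offline). For
#    imaps/pop3s the TLS handshake starts immediately; for port 143 add
#    "-starttls imap" to the s_client call.
served_chain() {  # host port -> PEM of every certificate the server sent
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null |
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}
served_leaf_fingerprint() {  # host port -> SHA-256 fingerprint of the served leaf
  served_chain "$1" "$2" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
file_fingerprint() {  # cert -> SHA-256 fingerprint of the on-disk certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}
# A process that still serves the old certificate shows up as a mismatch:
#   [ "$(served_leaf_fingerprint mx.example.test 993)" = "$(file_fingerprint leaf.crt)" ]

report() {  # label command... -> prints yes/no without aborting the script
  label=$1; shift
  if "$@" >/dev/null 2>&1; then echo "$label: yes"; else echo "$label: no"; fi
}

make_test_pki
report "private key belongs to the server cert"  key_matches_cert "$WORK/leaf.crt" "$WORK/leaf.key"
report "private key belongs to the intermediate" key_matches_cert "$WORK/leaf.crt" "$WORK/int.key"
report "chain verifies with the intermediate"    chain_verifies "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/int.crt"
report "chain verifies without the intermediate" chain_verifies "$WORK/root.crt" "$WORK/leaf.crt"
echo "certificates in chain.pem: $(pem_cert_count "$WORK/chain.pem")"
# expected: yes / no / yes / no / 2
```

Run it as-is to see the four checks against the generated chain, then reuse key_matches_cert and chain_verifies on the real files (the CA bundle as the "intermediate" argument, your system root store or the CA's root as the first argument) before touching /etc/imapd.conf, and served_chain against the live port afterwards to confirm that the intermediate is on the wire and that the leaf fingerprint is the new one.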

More information about the Info-cyrus mailing list